Resubmissions (submitted, analysis ID, score)
- 17/01/2025, 15:11: 250117-sk4kzssrhv (score 10)
- 17/01/2025, 15:09: 250117-sjgd3asrbs (score 10)
- 17/01/2025, 15:07: 250117-shlbmasqgv (score 10)
- 17/01/2025, 14:27: 250117-rsndas1pgx (score 10)
- 16/01/2025, 17:37: 250116-v7e71s1ncy (score 10)
- 16/01/2025, 17:30: 250116-v27eba1lew (score 10)
- 16/01/2025, 17:29: 250116-v232ws1let (score 3)
- 16/01/2025, 17:29: 250116-v21lrs1ldz (score 3)
- 16/01/2025, 17:27: 250116-v1g32a1qfk (score 10)
- 16/01/2025, 09:47: 250116-lsajjsvrgn (score 10)

Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20250113-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 17/01/2025, 14:27
Static task: static1

Behavioral task: behavioral1
- Sample: 4363463463464363463463463.exe
- Resource: win7-20240729-en

Behavioral task: behavioral2
- Sample: 4363463463464363463463463.exe
- Resource: win10v2004-20241007-en
General
- Target: 4363463463464363463463463.exe
- Size: 10KB
- MD5: 2a94f3960c58c6e70826495f76d00b85
- SHA1: e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
- SHA256: 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
- SHA512: fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
- SSDEEP: 192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K
Malware Config

Extracted: lumma
Extracted: xworm
- C2: 193.222.96.100:5555, 163.5.215.245:9049
- Install_directory: %Temp%
- install_file: requirements.exe
Extracted: quasar
- Version: 1.4.0
- Botnet: Office04
- C2: 192.168.31.99:4782, 2001:4bc9:1f98:a4e::676:4782, 255.255.255.0:4782, fe80::cabf:4cff:fe84:9572%17:4782
- Mutex: 1f65a787-81b8-4955-95e4-b7751e10cd50
- encryption_key: A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9
- install_name: Java Updater.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Java Updater
- subdirectory: SubDir
Extracted: redline
- Botnet: @glowfy0
- C2: 91.214.78.86:1912
Extracted: quasar
- Version: 1.4.1
- Botnet: powerstealer
- C2: 192.168.56.1:4782
- Mutex: 6760d0e9-9df9-4aba-89be-4e5ce3e92cc8
- encryption_key: 057FCAF700E62ACFECC7338C474084AF9B47ABEB
- install_name: powerstealer.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: Quasar Client Startup
- subdirectory: SubDir
Extracted: quasar
- Version: 1.1.0.0
- Botnet: User
- C2: erbaevbann3.ddns.net:4444
- Mutex: xTSR_MUTEX_tDOmSpZY0vhNMbdmkR
- encryption_key: Uz3u2uI4Ld2N91oq93Eb
- install_name: systemware.exe
- log_directory: logs
- reconnect_delay: 3000
- startup_key: System Ware
- subdirectory: system
Signatures

Detect Xworm Payload (4 IoCs)
resource / yara_rule:
- behavioral3/files/0x0028000000046144-41.dat: family_xworm
- behavioral3/memory/4660-52-0x0000000000880000-0x0000000000898000-memory.dmp: family_xworm
- behavioral3/files/0x002b000000046168-260.dat: family_xworm
- behavioral3/memory/4116-270-0x00000000004E0000-0x00000000004F6000-memory.dmp: family_xworm
Lumma family

Quasar family

Quasar payload (6 IoCs)
resource / yara_rule:
- behavioral3/files/0x002900000004615e-124.dat: family_quasar
- behavioral3/memory/3580-134-0x0000000000DA0000-0x0000000000E24000-memory.dmp: family_quasar
- behavioral3/files/0x0029000000046167-242.dat: family_quasar
- behavioral3/memory/2452-252-0x00000000005F0000-0x000000000091A000-memory.dmp: family_quasar
- behavioral3/files/0x002800000004616c-273.dat: family_quasar
- behavioral3/memory/3932-285-0x00000000007E0000-0x000000000083E000-memory.dmp: family_quasar
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
resource / yara_rule:
- behavioral3/files/0x0028000000046161-185.dat: family_redline
- behavioral3/memory/3208-195-0x0000000000B40000-0x0000000000B92000-memory.dmp: family_redline
Redline family

UAC bypass
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": wefhrf.exe
Xworm family

Command and Scripting Interpreter: PowerShell (1 TTPs, 6 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
PIDs: 2020 powershell.exe, 1768 powershell.exe, 4560 powershell.exe, 1176 powershell.exe, 1632 powershell.exe, 1112 powershell.exe
Downloads MZ/PE file

Checks computer location settings (2 TTPs, 5 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description / ioc / Process:
- Key value queried \REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation: 4363463463464363463463463.exe
- Key value queried \REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation: requirements.exe
- Key value queried \REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation: wefhrf.exe
- Key value queried \REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation: build6_unencrypted.exe
- Key value queried \REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation: systemware.exe
Drops startup file (2 IoCs)
description / ioc / Process:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\requirements.lnk: requirements.exe
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\requirements.lnk: requirements.exe

Executes dropped EXE (17 IoCs)
PIDs: 3784 ExtremeInjector.exe, 4660 requirements.exe, 872 requirements.exe, 3656 loader.exe, 3580 spectrum.exe, 2844 wefhrf.exe, 1000 steamerx.exe, 5068 Java Updater.exe, 3208 toolwin.exe, 4592 requirements.exe, 2452 Discord.exe, 4492 powerstealer.exe, 4116 build6_unencrypted.exe, 3932 intro.avi.exe, 2496 systemware.exe, 2148 systemware.exe, 4052 requirements.exe

Loads dropped DLL (1 IoCs)
PIDs: 3784 ExtremeInjector.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
description / ioc / Process:
- Set value (str) \REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\requirements = "C:\\Users\\Admin\\AppData\\Local\\Temp\\requirements.exe": requirements.exe

Checks whether UAC is enabled
description / ioc / Process:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: wefhrf.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": wefhrf.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow / ioc:
- 10: raw.githubusercontent.com
- 9: raw.githubusercontent.com

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow / ioc:
- 29: ip-api.com
- 80: ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
PIDs: 3656 loader.exe, 3656 loader.exe

Suspicious use of SetThreadContext (1 IoCs)
description / pid / Process / procid_target:
- PID 3784 set thread context of 4332: 3784 ExtremeInjector.exe (procid_target 87)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (2 IoCs)
pid / pid_target / Process / procid_target:
- 2456 / 2496 / WerFault.exe / 134
- 4964 / 2148 / WerFault.exe / 145
System Location Discovery: System Language Discovery (1 TTPs, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process (every entry is "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"):
- wefhrf.exe, steamerx.exe, toolwin.exe, schtasks.exe, chcp.com, PING.EXE, aspnet_regiis.exe, powershell.exe, schtasks.exe, systemware.exe, cmd.exe, systemware.exe, schtasks.exe, 4363463463464363463463463.exe, ExtremeInjector.exe, intro.avi.exe
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
PIDs: 4044 PING.EXE

Runs ping.exe (1 TTPs, 1 IoCs)
PIDs: 4044 PING.EXE

Scheduled Task/Job: Scheduled Task (1 TTPs, 8 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
PIDs: 4904 schtasks.exe, 4052 schtasks.exe, 2792 schtasks.exe, 4568 schtasks.exe, 4000 schtasks.exe, 3604 schtasks.exe, 2632 schtasks.exe, 4512 schtasks.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
PIDs: 4116 build6_unencrypted.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
PIDs (repeated entries collapsed with a count): 2020 powershell.exe (x2), 1768 powershell.exe (x2), 4560 powershell.exe (x2), 1176 powershell.exe (x2), 3656 loader.exe (x2), 2844 wefhrf.exe, 1632 powershell.exe (x2), 1112 powershell.exe (x3)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token / pid / Process, grouped by process:
- 828 4363463463464363463463463.exe: SeDebugPrivilege
- 4660 requirements.exe: SeDebugPrivilege
- 2020 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 1768 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 4560 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (the report's list is capped at 64 IoCs)
Suspicious use of SetWindowsHookEx (4 IoCs)
PIDs: 5068 Java Updater.exe, 4492 powerstealer.exe, 2496 systemware.exe, 2148 systemware.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (repeated entries collapsed with a count):
- PID 828 (4363463463464363463463463.exe) wrote to memory of 3784, procid_target 85 (x3)
- PID 3784 (ExtremeInjector.exe) wrote to memory of 4332, procid_target 87 (x9)
- PID 828 (4363463463464363463463463.exe) wrote to memory of 4660, procid_target 88 (x2)
- PID 4660 (requirements.exe) wrote to memory of 2020, procid_target 90 (x2)
- PID 4660 (requirements.exe) wrote to memory of 1768, procid_target 93 (x2)
- PID 4660 (requirements.exe) wrote to memory of 4560, procid_target 95 (x2)
- PID 4660 (requirements.exe) wrote to memory of 1176, procid_target 97 (x2)
- PID 4660 (requirements.exe) wrote to memory of 3604, procid_target 99 (x2)
- PID 828 (4363463463464363463463463.exe) wrote to memory of 3656, procid_target 104 (x2)
- PID 828 (4363463463464363463463463.exe) wrote to memory of 3580, procid_target 106 (x2)
- PID 828 (4363463463464363463463463.exe) wrote to memory of 2844, procid_target 107 (x3)
- PID 828 (4363463463464363463463463.exe) wrote to memory of 1000, procid_target 108 (x3)
- PID 3580 (spectrum.exe) wrote to memory of 2632, procid_target 110 (x2)
- PID 3580 (spectrum.exe) wrote to memory of 5068, procid_target 112 (x2)
- PID 5068 (Java Updater.exe) wrote to memory of 4512, procid_target 114 (x2)
- PID 828 (4363463463464363463463463.exe) wrote to memory of 3208, procid_target 116 (x3)
- PID 2844 (wefhrf.exe) wrote to memory of 1632, procid_target 117 (x3)
- PID 3656 (loader.exe) wrote to memory of 4676, procid_target 118 (x2)
- PID 828 (4363463463464363463463463.exe) wrote to memory of 2452, procid_target 121 (x2)
- PID 2452 (Discord.exe) wrote to memory of 4904, procid_target 122 (x2)
- PID 2452 (Discord.exe) wrote to memory of 4492, procid_target 124 (x2)
- PID 4492 (powerstealer.exe) wrote to memory of 4052, procid_target 125 (x2)
- PID 828 (4363463463464363463463463.exe) wrote to memory of 4116, procid_target 127 (x2)
- PID 828 (4363463463464363463463463.exe) wrote to memory of 3932, procid_target 128 (x3)
- PID 4116 (build6_unencrypted.exe) wrote to memory of 1112, procid_target 129 (x2)
- PID 3932 (intro.avi.exe) wrote to memory of 2792, procid_target 132 (x1)
System policy modification (1 TTPs, 1 IoCs)
description / ioc / Process:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": wefhrf.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe (PID 828)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  Signatures: Checks computer location settings; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe (PID 3784)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe (PID 4332)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
      Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe (PID 4660)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe"
    Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2020)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1768)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'requirements.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4560)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\requirements.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1176)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'requirements.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
    - C:\Windows\System32\schtasks.exe (PID 3604)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "requirements" /tr "C:\Users\Admin\AppData\Local\Temp\requirements.exe"
      Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\Files\loader.exe (PID 3656)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
    Signatures: Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 4676)
      Command line: C:\Windows\system32\cmd.exe /c cls
  - C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe (PID 3580)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe (PID 2632)
      Command line: "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe" /rl HIGHEST /f
      Signatures: Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe (PID 5068)
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4512)
        Command line: "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe" /rl HIGHEST /f
        Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe (PID 2844)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe"
    Signatures: UAC bypass; Checks computer location settings; Executes dropped EXE; Checks whether UAC is enabled; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1632)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
      Signatures: Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Files\steamerx.exe (PID 1000)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\steamerx.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe (PID 3208)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe (PID 2452)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\schtasks.exe (PID 4904)
      Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
      Signatures: Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe (PID 4492)
      Command line: "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SYSTEM32\schtasks.exe (PID 4052)
        Command line: "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
        Signatures: Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe (PID 4116)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Suspicious behavior: AddClipboardFormatListener; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1112)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\Files\intro.avi.exe (PID 3932)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Files\intro.avi.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (PID 2792)
      Command line: "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\intro.avi.exe" /rl HIGHEST /f
      Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
    - C:\Users\Admin\AppData\Roaming\system\systemware.exe (PID 2496)
      Command line: "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\schtasks.exe (PID 4568)
        Command line: "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
        Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
      - C:\Windows\SysWOW64\cmd.exe (PID 4572)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2PpkWBSbItk4.bat" "
        Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\chcp.com (PID 4856)
          Command line: chcp 65001
          Signatures: System Location Discovery: System Language Discovery
        - C:\Windows\SysWOW64\PING.EXE (PID 4044)
          Command line: ping -n 10 localhost
          Signatures: System Location Discovery: System Language Discovery; System Network Configuration Discovery: Internet Connection Discovery; Runs ping.exe
        - C:\Users\Admin\AppData\Roaming\system\systemware.exe (PID 2148)
          Command line: "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
          Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\schtasks.exe (PID 4000)
            Command line: "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
            Signatures: System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
          - C:\Windows\SysWOW64\cmd.exe (PID 3668)
            Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOPizziafrtW.bat" "
          - C:\Windows\SysWOW64\WerFault.exe (PID 4964)
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2216
            Signatures: Program crash
      - C:\Windows\SysWOW64\WerFault.exe (PID 2456)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1700
        Signatures: Program crash
- C:\Users\Admin\AppData\Local\Temp\requirements.exe (PID 872)
  Command line: "C:\Users\Admin\AppData\Local\Temp\requirements.exe"
  Signatures: Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\requirements.exe (PID 4592)
  Command line: "C:\Users\Admin\AppData\Local\Temp\requirements.exe"
  Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 3036)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2496 -ip 2496
- C:\Users\Admin\AppData\Local\Temp\requirements.exe (PID 4052)
  Command line: "C:\Users\Admin\AppData\Local\Temp\requirements.exe"
  Signatures: Executes dropped EXE
- C:\Windows\SysWOW64\WerFault.exe (PID 3676)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2148 -ip 2148
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (1): Disable or Modify Tools (1)
- Modify Registry (3)
Downloads