Resubmissions

17/01/2025, 15:11

250117-sk4kzssrhv 10

17/01/2025, 15:09

250117-sjgd3asrbs 10

17/01/2025, 15:07

250117-shlbmasqgv 10

17/01/2025, 14:27

250117-rsndas1pgx 10

16/01/2025, 17:37

250116-v7e71s1ncy 10

16/01/2025, 17:30

250116-v27eba1lew 10

16/01/2025, 17:29

250116-v232ws1let 3

16/01/2025, 17:29

250116-v21lrs1ldz 3

16/01/2025, 17:27

250116-v1g32a1qfk 10

16/01/2025, 09:47

250116-lsajjsvrgn 10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    17/01/2025, 14:27

General

  • Target

    4363463463464363463463463.exe

  • Size

    10KB

  • MD5

    2a94f3960c58c6e70826495f76d00b85

  • SHA1

    e2a1a5641295f5ebf01a37ac1c170ac0814bb71a

  • SHA256

    2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce

  • SHA512

    fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

  • SSDEEP

    192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

lumma

C2

https://covvercilverow.shop/api

https://surroundeocw.shop/api

https://abortinoiwiam.shop/api

https://pumpkinkwquo.shop/api

https://priooozekw.shop/api

https://deallyharvenw.shop/api

https://defenddsouneuw.shop/api

https://racedsuitreow.shop/api

https://roaddrermncomplai.shop/api

Extracted

Family

xworm

C2

193.222.96.100:5555

163.5.215.245:9049

Attributes
  • Install_directory

    %Temp%

  • install_file

    requirements.exe

aes.plain

Extracted

Family

quasar

Version

1.4.0

Botnet

Office04

C2

192.168.31.99:4782

2001:4bc9:1f98:a4e::676:4782

255.255.255.0:4782

fe80::cabf:4cff:fe84:9572%17:4782

Mutex

1f65a787-81b8-4955-95e4-b7751e10cd50

Attributes
  • encryption_key

    A0B82A50BBC49EC084E3E53A9E34DF58BD7050B9

  • install_name

    Java Updater.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Java Updater

  • subdirectory

    SubDir

Extracted

Family

redline

Botnet

@glowfy0

C2

91.214.78.86:1912

Extracted

Family

quasar

Version

1.4.1

Botnet

powerstealer

C2

192.168.56.1:4782

Mutex

6760d0e9-9df9-4aba-89be-4e5ce3e92cc8

Attributes
  • encryption_key

    057FCAF700E62ACFECC7338C474084AF9B47ABEB

  • install_name

    powerstealer.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Quasar Client Startup

  • subdirectory

    SubDir

Extracted

Family

quasar

Version

1.1.0.0

Botnet

User

C2

erbaevbann3.ddns.net:4444

Mutex

xTSR_MUTEX_tDOmSpZY0vhNMbdmkR

Attributes
  • encryption_key

    Uz3u2uI4Ld2N91oq93Eb

  • install_name

    systemware.exe

  • log_directory

    logs

  • reconnect_delay

    3000

  • startup_key

    System Ware

  • subdirectory

    system

Signatures

  • Detect Xworm Payload 4 IoCs
  • Lumma Stealer, LummaC

    Lumma or LummaC is an infostealer written in C++ first seen in August 2022.

  • Lumma family
  • Quasar RAT

    Quasar is an open source Remote Access Tool.

  • Quasar family
  • Quasar payload 6 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • UAC bypass 3 TTPs 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 17 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
    "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3784
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4332
    • C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2020
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'requirements.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\requirements.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4560
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'requirements.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1176
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "requirements" /tr "C:\Users\Admin\AppData\Local\Temp\requirements.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:3604
    • C:\Users\Admin\AppData\Local\Temp\Files\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\loader.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c cls
        3⤵
        PID:4676
    • C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3580
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2632
      • C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Java Updater" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Java Updater.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4512
    • C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2844
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe'; Add-MpPreference -ExclusionProcess 'wefhrf'; Add-MpPreference -ExclusionPath 'C:\Users\Admin'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1632
    • C:\Users\Admin\AppData\Local\Temp\Files\steamerx.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\steamerx.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1000
    • C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3208
    • C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Windows\SYSTEM32\schtasks.exe
        "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4904
      • C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe
        "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\Windows\SYSTEM32\schtasks.exe
          "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:4052
    • C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of WriteProcessMemory
      PID:4116
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'build6_unencrypted.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        PID:1112
    • C:\Users\Admin\AppData\Local\Temp\Files\intro.avi.exe
      "C:\Users\Admin\AppData\Local\Temp\Files\intro.avi.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Local\Temp\Files\intro.avi.exe" /rl HIGHEST /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2792
      • C:\Users\Admin\AppData\Roaming\system\systemware.exe
        "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2496
        • C:\Windows\SysWOW64\schtasks.exe
          "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:4568
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2PpkWBSbItk4.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4572
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4856
          • C:\Windows\SysWOW64\PING.EXE
            ping -n 10 localhost
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4044
          • C:\Users\Admin\AppData\Roaming\system\systemware.exe
            "C:\Users\Admin\AppData\Roaming\system\systemware.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2148
            • C:\Windows\SysWOW64\schtasks.exe
              "schtasks" /create /tn "System Ware" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\system\systemware.exe" /rl HIGHEST /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:4000
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOPizziafrtW.bat" "
              6⤵
              PID:3668
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 2216
              6⤵
              • Program crash
              PID:4964
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 1700
          4⤵
          • Program crash
          PID:2456
  • C:\Users\Admin\AppData\Local\Temp\requirements.exe
    "C:\Users\Admin\AppData\Local\Temp\requirements.exe"
    1⤵
    • Executes dropped EXE
    PID:872
  • C:\Users\Admin\AppData\Local\Temp\requirements.exe
    "C:\Users\Admin\AppData\Local\Temp\requirements.exe"
    1⤵
    • Executes dropped EXE
    PID:4592
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2496 -ip 2496
    1⤵
    PID:3036
  • C:\Users\Admin\AppData\Local\Temp\requirements.exe
    "C:\Users\Admin\AppData\Local\Temp\requirements.exe"
    1⤵
    • Executes dropped EXE
    PID:4052
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2148 -ip 2148
    1⤵
    PID:3676

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

            Filesize

            3KB

            MD5

            3eb3833f769dd890afc295b977eab4b4

            SHA1

            e857649b037939602c72ad003e5d3698695f436f

            SHA256

            c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

            SHA512

            c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\requirements.exe.log

            Filesize

            654B

            MD5

            11c6e74f0561678d2cf7fc075a6cc00c

            SHA1

            535ee79ba978554abcb98c566235805e7ea18490

            SHA256

            d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

            SHA512

            32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

            Filesize

            53KB

            MD5

            096498ff2314245f6a4ca58f63881808

            SHA1

            537d9c09121d194c6fe9c10fd40c999fbf508e38

            SHA256

            839cc80f53ba38c3f6a9eb181850574fbdbc192e48f27fc453cee23a027ab1cb

            SHA512

            411243bb29e81b5d84b687bc1683e577d138f0cd15cd23fd3e7ae3851c701ce50238be22858376c9fae5da30b8187294b77ed277160aa5de2d7a2c37bff0802e

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            6f7eb405e2879fb008dc3a533e6357d3

            SHA1

            0d99c40ebc8cc86ca4bda593097837a92dc06f57

            SHA256

            b08ac14c18515a078ceeb317fffbb7be08c0d5825dde712eb9ad285194b203d2

            SHA512

            470f3547656ba63513a8cc4ec7e4a5cc765312e394fc7759ca0eadf244ffd23c5491fa39669f2f5d82845a6884936caba6420e4480375af0daf678bad21c9e32

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            60b3262c3163ee3d466199160b9ed07d

            SHA1

            994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

            SHA256

            e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

            SHA512

            081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            eecb060cc9f344bbd30f0315cc36ac02

            SHA1

            5a974e5276aaa47bddf94ca78b5147c7e055b0f9

            SHA256

            77e1497f014e0c74113d8be3d4382265c4df0ef5ae985bda271b24bc3620b408

            SHA512

            bebcca158418e6df2643c76f01f5633919d287c7f9fe1f1a6927418d4bc77f90a0d83695e983df83dd87cc2a36b992c3e8fd7d5ab28713c9d15dc14e2ba27cdb

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

            Filesize

            1KB

            MD5

            8df996000e2ac28611eb19f3d4d1de29

            SHA1

            03bf11ff339a228cf0d1b72088fc28ee7ff8d516

            SHA256

            e2d1871af8a24a649f43153a7e65fd9df399ea0b6a69bb82979347981cc6050e

            SHA512

            10902514f9e8e0b620d332afb446382b37b2c5857bff272ce830140b23d0d7126320b1c5ccccfd77247e63a05a9693675372eedf48fa730bd376a1205a1180af

          • C:\Users\Admin\AppData\Local\Temp\2PpkWBSbItk4.bat

            Filesize

            211B

            MD5

            56d28395f834839047305a979a55ce85

            SHA1

            4df785ab2f834b4062410397c8e25dd11cf8795c

            SHA256

            960c7aaba76981740b1aeb1ac8fd3518ea51d0cd0f352423646ec641918e557f

            SHA512

            cd5181dc7cfdbbb43730bacecbe6701e6debd0a90b6b37376118209dd5bb1b654b0a80219f783e201067bedd33fd575736f4aec2bb2467a218fcd49650de3c42

          • C:\Users\Admin\AppData\Local\Temp\Files\Discord.exe

            Filesize

            3.1MB

            MD5

            bedd5e5f44b78c79f93e29dc184cfa3d

            SHA1

            11e7e692b9a6b475f8561f283b2dd59c3cd19bfd

            SHA256

            e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c

            SHA512

            3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de

          • C:\Users\Admin\AppData\Local\Temp\Files\ExtremeInjector.exe

            Filesize

            550KB

            MD5

            ee6be1648866b63fd7f860fa0114f368

            SHA1

            42cab62fff29eb98851b33986b637514fc904f4b

            SHA256

            e17bf83e09457d8cecd1f3e903fa4c9770e17e823731650a453bc479591ac511

            SHA512

            d6492d3b3c1d94d6c87b77a9a248e8c46b889d2e23938ddb8a8e242caccb23e8cd1a1fbeffee6b140cf6fd3ea7e8da89190286a912032ce4a671257bd8e3e28a

          • C:\Users\Admin\AppData\Local\Temp\Files\build6_unencrypted.exe

            Filesize

            65KB

            MD5

            3b5926b1dca859fa1a51a103ab0fd068

            SHA1

            9b41d9e1810454b00e12cc386e8e31fc1bd29ef6

            SHA256

            e1f3e0bc705e2917d285f9a9ab49cc6444ff9267b46cbf1be3b97f9a716e6d08

            SHA512

            6f924f3b1a7bcce36cea2ef0f73dfcf837b2ec03da44e0a12d6afcd2af1a92d20af251d04fd3970beedad082d646fc84ae7107b4111f43abc12b5a1e3d03a794

          • C:\Users\Admin\AppData\Local\Temp\Files\intro.avi.exe

            Filesize

            348KB

            MD5

            d219d94cabaa00e5abffc599bdeef75d

            SHA1

            123e511de20beab7bfa2bea5c2206422bc5e8241

            SHA256

            3cc847687e60acda504fc35577f36eedd0bca559a4de915d6dd88db9178567d4

            SHA512

            82dbb2484e3e42fcd6c3914da4ebfc540e135b8b57bf240a28a3e9fceb6409d8a9b1f9ca9b4bf545d05a10fd9b1672a2a6a05d963aaa33f4905e74cc1c068734

          • C:\Users\Admin\AppData\Local\Temp\Files\loader.exe

            Filesize

            10.6MB

            MD5

            f2bb0e58b960c3d8a6b4c2441562d9f9

            SHA1

            0931d714a92164618ca024702d17a34f71bfb6ab

            SHA256

            6d046c393bba7f177ddd0ae5d3771a17c99ffed2ec0e558b760cc5bd8cd4740b

            SHA512

            eb8ad56848ba89cf0f431bd0c57d3200f8ec158cc338499d2142d57c0f4bcf4eab65c0b45b2660062bfd5f1baf50cd55f68955914aa7b42e8482cd9cdf04c7d5

          • C:\Users\Admin\AppData\Local\Temp\Files\requirements.exe

            Filesize

            67KB

            MD5

            00bcef19c1d757d272439bb4a427e2c2

            SHA1

            dddc90e904c33c20898f69dd1529a106c65ad2fa

            SHA256

            8cbdf129e7d0a40ce86513be5dd5d0dcffdd140383bbbfca1d2ac7eebeb10691

            SHA512

            4d4f57af0b5d0157d9151bb7985516faf78b4a55886c7e793144e6662a1b70cc22d0cb4c9e530f832010bd256d0b3bb27117b852a2846ea69cb4abc8e401f081

          • C:\Users\Admin\AppData\Local\Temp\Files\spectrum.exe

            Filesize

            502KB

            MD5

            1441905fc4082ee6055ea39f5875a6c5

            SHA1

            78f91f9f9ffe47e5f47e9844bd026d150146744e

            SHA256

            1b05c4d74e0d17a983f9b91aa706a7a60f37ec270b7e2433d6798afa1c7be766

            SHA512

            70e9ab0e49b4bf89505f16c499538daebc1e8da72488cd63ff60747d15a1d486ba38802b0622c9240d10ff68ab32e6bb36a0b809e7cd0e2ec4945d023ce86c5c

          • C:\Users\Admin\AppData\Local\Temp\Files\steamerx.exe

            Filesize

            8KB

            MD5

            695e9d580533372fb131ed51f8321c06

            SHA1

            c63aa86d1fe306f38d94621247b578819a951860

            SHA256

            cfbcae5f183d4f254603b0c2fcb66a9da2d8db663c92d9203e525f41704f4c89

            SHA512

            7185e34d3ab5b30e9a6c20f995fb4e90c0a0a0fc60c0febf2ab1c97e90803b428d88f6011b38918d782f4d5a15d4b6e53c359435aa25ea56bc1468fc1848680f

          • C:\Users\Admin\AppData\Local\Temp\Files\toolwin.exe

            Filesize

            300KB

            MD5

            5c544cd5437d21e63c9990e42e92ffbf

            SHA1

            15981a0f2a6078e1c65285f2ff3114b1e2158a64

            SHA256

            8f33fcc42396a72e93bc42947d8fc659ff691ea154f76babe06626f666aa3926

            SHA512

            a8e9c15e3db54ae69ca18e07acc14c27298fa4162b6d9e40f87895d1a74267b2797b0137d9fb80c3a8a65f83b0ea071eb7a22d31e7bb99022f712ef8287f0f1c

          • C:\Users\Admin\AppData\Local\Temp\Files\wefhrf.exe

            Filesize

            15KB

            MD5

            2ca4bd5f5fece4e6def53720f2a7a9bb

            SHA1

            04b49bb6f0b9600782d091eaa5d54963ff6d7e10

            SHA256

            ab55d9b53f755a232a7968d7b5fcb6ca56fc0f59e72b1e60ab8624a0ee6be8c1

            SHA512

            3e9e5c9793b4880990fbc8ab38f8a28b38a7493adb3ee1727e5ce0f8377348142705533f672356152a895694800c82517c71f2070c0dff08b73555214a165481

          • C:\Users\Admin\AppData\Local\Temp\YOPizziafrtW.bat

            Filesize

            211B

            MD5

            9914e676dbb245bf038df850e743a6b7

            SHA1

            207cc3cfb53dff09fa90466e336e5e3157e678a6

            SHA256

            d78cf64d85db5b9e7fd28699a3d9720d470485275401df05a369bc3a1142544f

            SHA512

            67f3d0cb1f0ed071b5b191cf59cc283ac2525232ad44cd2d0b2f80e3e50f2f9b6cfc83e102b590ca7cf87cfd12c44d8a6e9c046107b7f68ce8c59eb64ee2ebd0

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pugaxdsm.nsr.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Roaming\logs\01-17-2025

            Filesize

            224B

            MD5

            7d787143413d1085ff96f38c07d0afad

            SHA1

            ff7f0291452fb3fe7dd2217e8f4eea7b5c515a73

            SHA256

            c29fe71286a29fdfb96fc8279a7972669fc266e54fbfee52809dd438699e0f13

            SHA512

            fddee3e139728a857f40544c64f7639c7e0c95e4b59a4c34daac9812e2d3c014239670cc929bd390e0450d0eb408a455152ff32f2a11a750a382a543d18fdfc7

          • C:\Users\Admin\AppData\Roaming\msvcp110.dll

            Filesize

            642KB

            MD5

            9bc424be13dca227268ab018dca9ef0c

            SHA1

            f6f42e926f511d57ef298613634f3a186ec25ddc

            SHA256

            59d3999d0989c9c91dae93c26499f5a14b837a0fe56e6fc29f57456f54a1f8a2

            SHA512

            70a1abb35bd95efc40af6653d5db2e155fab9a8575b7ae5b69ab3fbcd60925c66a675dac6cba57564a430e9b92f1a2ea9e912c4d7f356b82696ed77e92b52715