Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
  submitted           task ID             score
  27/02/2025, 06:33   250227-hbn4tszmx7   10
  26/02/2025, 23:57   250226-3zn4ysxwc1   10
  26/02/2025, 23:14   250226-271x2sxmz9   10
  14/02/2025, 01:10   250214-bjsnnayne1   10
  14/02/2025, 01:00   250214-bc5pmsymhw   10
  13/02/2025, 05:01   250213-fnkwtstpgw   10
  13/02/2025, 04:24   250213-e1kk6atmaz   10
  13/02/2025, 04:08   250213-eqe8patkgx    8
  12/02/2025, 23:56   250212-3yzt3azrdx   10
Analysis
  max time kernel:   222s
  max time network:  248s
  platform:          windows7_x64
  resource:          win7-20240903-en
  resource tags:     arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted:         12/02/2025, 23:44
Static task: static1
Behavioral task: behavioral1
  Sample:   Downloaders.zip
  Resource: win7-20240903-en
General
  Target:  Downloaders.zip
  Size:    12KB
  MD5:     94fe78dc42e3403d06477f995770733c
  SHA1:    ea6ba4a14bab2a976d62ea7ddd4940ec90560586
  SHA256:  16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267
  SHA512:  add85726e7d2c69068381688fe84defe820f600e6214eff029042e3002e9f4ad52dde3b8bb28f4148cca1b950cd54d3999ce9e8445c4562d1ef2efdb1c6bdeff
  SSDEEP:  384:6BfwcSEp9ZjKXSBIDv4dDfjlMJ7HWTHWB:efACW6Dr8HWTHWB
Malware Config
Four configurations were extracted. Only the two AsyncRAT builds point at routable hosts: the Quasar C2 192.168.56.1 is a private (RFC 1918) address and the XWorm C2 127.0.0.1 is loopback, so neither of those builds can reach an operator from the sandbox. The second AsyncRAT config (install true, update.exe in %Temp%) and the Quasar config (SubDir\powerstealer.exe, startup key "Quasar Client Startup") match the schtasks persistence visible in the process tree below.

Extracted: asyncrat
  Version:        0.5.8
  Botnet:         Default
  C2:             172.204.136.22:1604
  Mutex:          ghbyTnUySCmF
  delay:          3
  install:        false
  install_file:   RoyalKing.exe
  install_folder: %AppData%

Extracted: asyncrat
  Version:        0.5.7B
  Botnet:         Default
  C2:             96.248.52.125:8031
  Mutex:          adobe_6SI8OkPnk
  delay:          3
  install:        true
  install_file:   update.exe
  install_folder: %Temp%

Extracted: quasar
  Version:         1.4.1
  Botnet:          powerstealer
  C2:              192.168.56.1:4782
  Mutex:           6760d0e9-9df9-4aba-89be-4e5ce3e92cc8
  encryption_key:  057FCAF700E62ACFECC7338C474084AF9B47ABEB
  install_name:    powerstealer.exe
  log_directory:   Logs
  reconnect_delay: 3000
  startup_key:     Quasar Client Startup
  subdirectory:    SubDir

Extracted: xworm
  Version:      5.0
  C2:           127.0.0.1:8080
  Mutex:        aVbGJnLt4HRONX59
  install_file: USB.exe
Signatures

Asyncrat family

Detect Xworm Payload  1 IoCs
  resource | yara_rule
  behavioral1/memory/1528-691-0x00000000013D0000-0x00000000013DE000-memory.dmp | family_xworm

Detects Monster Stealer.  2 IoCs
  resource | yara_rule
  behavioral1/files/0x000500000001a4e9-269.dat | family_monster
  behavioral1/memory/1720-295-0x000000013F900000-0x000000014096B000-memory.dmp | family_monster

Monster family

Quasar family

Quasar payload  3 IoCs
  resource | yara_rule
  behavioral1/memory/1548-293-0x0000000000CD0000-0x0000000000FFA000-memory.dmp | family_quasar
  behavioral1/files/0x000500000001c889-330.dat | family_quasar
  behavioral1/memory/2592-332-0x0000000000E00000-0x000000000112A000-memory.dmp | family_quasar

Xworm family

Async RAT payload  2 IoCs
  resource | yara_rule
  behavioral1/files/0x000600000001a4d8-179.dat | family_asyncrat
  behavioral1/files/0x000b00000001a4da-190.dat | family_asyncrat
Identifies VirtualBox via ACPI registry values (likely anti-VM)  2 TTPs  1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | petya.exe

Downloads MZ/PE file  10 IoCs
  flow | pid | Process | downloads
  10 | 2000 | 4363463463464363463463463.exe | 2
  13 | 2000 | 4363463463464363463463463.exe | 6
  14 | 2000 | 4363463463464363463463463.exe | 2

Modifies Windows Firewall  2 TTPs  1 IoCs
  pid | Process
  3124 | netsh.exe

Checks BIOS information in registry  2 TTPs  2 IoCs
BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | petya.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | petya.exe

Executes dropped EXE  15 IoCs
  pid | Process
  2668 | build9.exe
  600 | Sync.exe
  1932 | AsyncClient.exe
  992 | update.exe
  2016 | build11.exe
  1720 | stub.exe
  1548 | Discord.exe
  2592 | powerstealer.exe
  2860 | mcgen.exe
  768 | mcgen.exe
  2032 | v7wa24td.exe
  996 | Ukodbcdcl.exe
  1528 | XClient.exe
  2612 | petya.exe
  2148 | Microsoft_Hardware_Launch.exe

Identifies Wine through registry keys  2 TTPs  1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | petya.exe

Loads dropped DLL  64 IoCs (64 events, collapsed by process)
  pid | Process | events
  2000 | 4363463463464363463463463.exe | 13
  2020 | taskmgr.exe | 8
  1180 | Process not Found | 38
  1104 | Process not Found | 1
  2392 | cmd.exe | 1
  2016 | build11.exe | 1
  1720 | stub.exe | 1
  768 | mcgen.exe | 1
Reads user/profile data of web browsers  3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles  1 TTPs  9 IoCs
Office versions 17.0 to 20.0 never shipped; the stealer simply probes a range of version keys rather than checking which Office is installed.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | v7wa24td.exe
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | v7wa24td.exe
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | v7wa24td.exe
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | v7wa24td.exe
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | v7wa24td.exe
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | v7wa24td.exe
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | v7wa24td.exe
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | v7wa24td.exe
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | v7wa24td.exe

Checks installed software on the system  1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Legitimate hosting services abused for malware hosting/C2  1 TTPs  2 IoCs
  flow | ioc
  13 | raw.githubusercontent.com
  12 | raw.githubusercontent.com

Looks up external IP address via web service  1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  30 | ip-api.com

Writes to the Master Boot Record (MBR)  1 TTPs  1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | petya.exe

Suspicious use of NtSetInformationThreadHideFromDebugger  1 IoCs
  pid | Process
  2612 | petya.exe

UPX packed file  1 IoCs
  resource | yara_rule
  behavioral1/memory/768-357-0x000007FEEA3D0000-0x000007FEEAA35000-memory.dmp | upx
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL  1 TTPs  6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
All six IoCs are reads (key opened, key queried, values enumerated) of the helper-DLL list that netsh.exe consults on every start; nothing is written to the key. They are a side effect of the Wi-Fi and firewall commands in the process tree, not evidence that a helper DLL was registered.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe
  Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe

System Location Discovery: System Language Discovery  1 TTPs  13 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
The same key is opened by stock Windows binaries in this run (schtasks.exe, cmd.exe, timeout.exe, DllHost.exe, powershell.exe), which shows how little signal this check carries on its own.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe, update.exe, Ukodbcdcl.exe, petya.exe, 4363463463464363463463463.exe, Sync.exe, AsyncClient.exe, cmd.exe, Microsoft_Hardware_Launch.exe, DllHost.exe, cmd.exe, timeout.exe, powershell.exe

System Network Configuration Discovery: Wi-Fi Discovery  1 TTPs  2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
  pid | Process
  1744 | cmd.exe
  1608 | netsh.exe

Delays execution with timeout.exe  1 IoCs
  pid | Process
  1128 | timeout.exe
Modifies system certificate store  2 TTPs  4 IoCs
The four events create and populate one entry under AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349. The serialized blob carries the DER of the public "AAA Certificate Services" root (C=GB, O=Comodo CA Limited, serial 1, valid 2004-01-01 to 2028-12-31); the key name is that certificate's SHA-1 thumbprint and the same hash sits in the blob's CERT_SHA1_HASH property. That is what Windows' automatic root update writes when a process first validates a chain up to a root that is not yet cached locally, here after v7wa24td.exe connected out, not what an attacker-controlled root being installed looks like. Weigh the "Install Root Certificate" mapping below accordingly.
  description | ioc | Process
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | v7wa24td.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | v7wa24td.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | v7wa24td.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | v7wa24td.exe
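A worked check for an entry like this, added here as an example and not Triage code: the Blob value is a CryptoAPI serialized certificate element, a run of (property id, reserved = 1, length, data) records in which property 0x20 holds the DER certificate, and the registry key name is supposed to be that certificate's SHA-1 thumbprint. The blob below is the first Set value (data) IoC above, re-wrapped and annotated; the property-id constants are the wincrypt.h values. Parsing it and re-hashing the embedded certificate tells you whether the key name is honest and which CA the entry actually belongs to.

```python
"""Verify an AuthRoot\\Certificates\\<SHA1> registry entry from its Blob value.
Added example for this report (not Triage code). BLOB_HEX is the first
"Set value (data)" IoC above, re-wrapped. Record layout is CryptoAPI's
serialized store element: DWORD propId, DWORD reserved (1), DWORD cbData, data;
property IDs are wincrypt.h constants."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 0x03
CERT_FRIENDLY_NAME_PROP_ID = 0x0B
CERT_CERT_PROP_ID = 0x20  # the DER certificate itself
KEY_NAME = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"  # key name = claimed thumbprint

BLOB_HEX = (
    "040000000100000010000000497904b0eb8719ac47b0bc11519b74d0"          # 0x04 MD5
    "030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349"  # 0x03 SHA-1
    "1d00000001000000100000002e0d6875874a44c820912e85e964cfdb"          # 0x1d subject MD5
    "140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b4"  # 0x14 key id
    "0b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000"  # 0x0b name
    "530000000100000026000000"                                          # 0x53 policies
    "30243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0"
    "090000000100000034000000" "3032"                                   # 0x09 EKU
    "06082b06010505070301" "06082b06010505070302" "06082b06010505070304"
    "06082b06010505070303" "06082b06010505070308"
    "0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286"  # 0x0f sig hash
    "200000000100000036040000"                                          # 0x20 cert, 1078 B
    "308204323082031aa003020102020101300d06092a864886f70d0101050500"
    "307b310b3009060355040613024742311b301906035504080c1247726561746572"
    "204d616e636865737465723110300e06035504070c0753616c666f7264311a3018"
    "060355040a0c11436f6d6f646f204341204c696d697465643121301f0603550403"
    "0c18414141204365727469666963617465205365727669636573"
    "301e170d3034303130313030303030305a170d3238313233313233353935395a"
    "307b310b3009060355040613024742311b301906035504080c1247726561746572"
    "204d616e636865737465723110300e06035504070c0753616c666f7264311a3018"
    "060355040a0c11436f6d6f646f204341204c696d697465643121301f0603550403"
    "0c18414141204365727469666963617465205365727669636573"
    "30820122300d06092a864886f70d01010105000382010f003082010a0282010100"
    "be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d"
    "508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eea"
    "f115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f"
    "68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a8"
    "91c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb"
    "142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd9"
    "42e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7"
    "629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc9"
    "0203010001"
    "a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57f"
    "d030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530"
    "030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c"
    "2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276"
    "696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f"
    "2e6e65742f414141436572746966696361746553657276696365732e63726c"
    "300d06092a864886f70d01010505000382010100"
    "0856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8"
    "e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f"
    "5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06a"
    "c3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de5340"
    "6c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec"
    "9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74"
    "d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981"
    "b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e"
)


def parse_serialized_cert(blob):
    """Split a serialized certificate element into {property_id: data}; reject truncation."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError("truncated property header at offset %d" % off)
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError("malformed property 0x%02x at offset %d" % (prop_id, off - 12))
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def check_authroot_entry(key_name, blob):
    """Re-derive the thumbprint from the embedded DER and compare it with the key name."""
    props = parse_serialized_cert(blob)
    der = props[CERT_CERT_PROP_ID]
    thumbprint = hashlib.sha1(der).hexdigest()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "thumbprint": thumbprint,
        "key_name_matches": thumbprint == key_name.lower(),
        "sha1_property_matches": props.get(CERT_SHA1_HASH_PROP_ID) == bytes.fromhex(thumbprint),
        "friendly_name": name,
        "der_length": len(der),
        # identity hint without an ASN.1 parser: subject O and CN are plain UTF8Strings in the DER
        "is_comodo_aaa_root": b"AAA Certificate Services" in der and b"Comodo CA Limited" in der,
    }
```

On a live host the same check applies to every subkey of AuthRoot\Certificates and Root\Certificates: a key whose name disagrees with the re-computed thumbprint, or whose certificate is absent from Microsoft's published root list (authroot.stl), is what an "Install Root Certificate" finding should look like. A self-consistent entry for a public root, as here, is the automatic root-update cache doing its job.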
Scheduled Task/Job: Scheduled Task  1 TTPs  3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  1900 | schtasks.exe
  2736 | schtasks.exe
  2588 | schtasks.exe

Suspicious behavior: EnumeratesProcesses  64 IoCs
taskmgr.exe (PID 2020) and AUDIODG.EXE (PID 680) are Windows processes running alongside the sample, not children of it (see the process tree), so the hits attributed to them below are background noise.
  pid | Process
  2020 | taskmgr.exe  (all 64 events)

Suspicious behavior: GetForegroundWindowSpam  1 IoCs
  pid | Process
  2020 | taskmgr.exe

Suspicious use of AdjustPrivilegeToken  15 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 2020 | taskmgr.exe
  Token: 33 | 680 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 680 | AUDIODG.EXE
  Token: 33 | 680 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 680 | AUDIODG.EXE
  Token: SeDebugPrivilege | 2000 | 4363463463464363463463463.exe
  Token: SeDebugPrivilege | 1932 | AsyncClient.exe
  Token: SeDebugPrivilege | 992 | update.exe
  Token: SeDebugPrivilege | 1548 | Discord.exe
  Token: SeDebugPrivilege | 2592 | powerstealer.exe
  Token: SeDebugPrivilege | 2032 | v7wa24td.exe
  Token: SeDebugPrivilege | 996 | Ukodbcdcl.exe
  Token: SeDebugPrivilege | 1528 | XClient.exe
  Token: SeShutdownPrivilege | 2612 | petya.exe
  Token: SeDebugPrivilege | 2148 | Microsoft_Hardware_Launch.exe

Suspicious use of FindShellTrayWindow  64 IoCs
  pid | Process
  2020 | taskmgr.exe  (all 64 events)

Suspicious use of SendNotifyMessage  64 IoCs
  pid | Process
  2020 | taskmgr.exe  (all 64 events)

Suspicious use of SetWindowsHookEx  1 IoCs
  pid | Process
  2592 | powerstealer.exe

Suspicious use of WriteProcessMemory  64 IoCs (events collapsed by source/target pair; target names taken from the process tree)
Every pair here is a parent writing into its own freshly created child, the pattern of ordinary process creation rather than injection into an unrelated process. The 64-event cap cuts the list off during PID 2000's writes into v7wa24td.exe.
  pid | Process | target pid | target Process | procid_target | events
  2000 | 4363463463464363463463463.exe | 2668 | build9.exe | 44 | 4
  2000 | 4363463463464363463463463.exe | 600 | Sync.exe | 45 | 4
  2000 | 4363463463464363463463463.exe | 1932 | AsyncClient.exe | 46 | 4
  1932 | AsyncClient.exe | 2056 | cmd.exe | 48 | 4
  1932 | AsyncClient.exe | 2392 | cmd.exe | 49 | 4
  2056 | cmd.exe | 1900 | schtasks.exe | 52 | 4
  2392 | cmd.exe | 1128 | timeout.exe | 53 | 4
  2392 | cmd.exe | 992 | update.exe | 54 | 7
  2000 | 4363463463464363463463463.exe | 2016 | build11.exe | 55 | 4
  2016 | build11.exe | 1720 | stub.exe | 57 | 3
  2000 | 4363463463464363463463463.exe | 1548 | Discord.exe | 59 | 4
  1548 | Discord.exe | 2736 | schtasks.exe | 60 | 3
  1548 | Discord.exe | 2592 | powerstealer.exe | 62 | 3
  2592 | powerstealer.exe | 2588 | schtasks.exe | 63 | 3
  2000 | 4363463463464363463463463.exe | 2860 | mcgen.exe | 65 | 4
  2860 | mcgen.exe | 768 | mcgen.exe | 66 | 3
  2000 | 4363463463464363463463463.exe | 2032 | v7wa24td.exe | 68 | 2

Uses Task Scheduler COM API  1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

outlook_office_path  1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | v7wa24td.exe

outlook_win_path  1 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | v7wa24td.exe
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Downloaders.zip1⤵PID:2736
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
PID:2416
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2020
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:1580
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4f81⤵
- Suspicious use of AdjustPrivilegeToken
PID:680
-
C:\Users\Admin\Desktop\4363463463464363463463463.exe"C:\Users\Admin\Desktop\4363463463464363463463463.exe"1⤵
- Downloads MZ/PE file
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Users\Admin\Desktop\Files\build9.exe"C:\Users\Admin\Desktop\Files\build9.exe"2⤵
- Executes dropped EXE
PID:2668
-
-
C:\Users\Admin\Desktop\Files\Sync.exe"C:\Users\Admin\Desktop\Files\Sync.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:600
-
-
C:\Users\Admin\Desktop\Files\AsyncClient.exe"C:\Users\Admin\Desktop\Files\AsyncClient.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"' & exit3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"'4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1900
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6558.tmp.bat""3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\timeout.exetimeout 34⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:1128
-
-
C:\Users\Admin\AppData\Local\Temp\update.exe"C:\Users\Admin\AppData\Local\Temp\update.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:992
-
-
-
-
C:\Users\Admin\Desktop\Files\build11.exe"C:\Users\Admin\Desktop\Files\build11.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\onefile_2016_133838776836118000\stub.exeC:\Users\Admin\Desktop\Files\build11.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720
-
-
-
C:\Users\Admin\Desktop\Files\Discord.exe"C:\Users\Admin\Desktop\Files\Discord.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\system32\schtasks.exe"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2736
-
-
C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592 -
(process tree, continued; each entry gives image path, command line, triggered signatures and PID, indented by tree level)

    [level 4] C:\Windows\system32\schtasks.exe
              "schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f
              - Scheduled Task/Job: Scheduled Task
              PID: 2588

[level 2] C:\Users\Admin\Desktop\Files\mcgen.exe
          "C:\Users\Admin\Desktop\Files\mcgen.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          PID: 2860

  [level 3] C:\Users\Admin\Desktop\Files\mcgen.exe
            "C:\Users\Admin\Desktop\Files\mcgen.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            PID: 768

[level 2] C:\Users\Admin\Desktop\Files\v7wa24td.exe
          "C:\Users\Admin\Desktop\Files\v7wa24td.exe"
          - Executes dropped EXE
          - Accesses Microsoft Outlook profiles
          - Modifies system certificate store
          - Suspicious use of AdjustPrivilegeToken
          - outlook_office_path
          - outlook_win_path
          PID: 2032

  [level 3] C:\Windows\system32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
            - System Network Configuration Discovery: Wi-Fi Discovery
            PID: 1744

    [level 4] C:\Windows\system32\chcp.com
              chcp 65001
              PID: 2512

    [level 4] C:\Windows\system32\netsh.exe
              netsh wlan show profiles
              - Event Triggered Execution: Netsh Helper DLL
              - System Network Configuration Discovery: Wi-Fi Discovery
              PID: 1608

    [level 4] C:\Windows\system32\findstr.exe
              findstr /R /C:"[ ]:[ ]"
              PID: 1012

  [level 3] C:\Windows\system32\cmd.exe
            "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
            PID: 2316

    [level 4] C:\Windows\system32\chcp.com
              chcp 65001
              PID: 2104

    [level 4] C:\Windows\system32\netsh.exe
              netsh wlan show networks mode=bssid
              - Event Triggered Execution: Netsh Helper DLL
              PID: 3004

    [level 4] C:\Windows\system32\findstr.exe
              findstr "SSID BSSID Signal"
              PID: 904

[level 2] C:\Users\Admin\Desktop\Files\Ukodbcdcl.exe
          "C:\Users\Admin\Desktop\Files\Ukodbcdcl.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 996

  [level 3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
            - System Location Discovery: System Language Discovery
            PID: 1744

[level 2] C:\Users\Admin\Desktop\Files\XClient.exe
          "C:\Users\Admin\Desktop\Files\XClient.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 1528

[level 2] C:\Users\Admin\Desktop\Files\petya.exe
          "C:\Users\Admin\Desktop\Files\petya.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Identifies Wine through registry keys
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 2612

[level 2] C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe
          "C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 2148

  [level 3] C:\Windows\SysWOW64\netsh.exe
            netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe" "Microsoft_Hardware_Launch.exe" ENABLE
            - Modifies Windows Firewall
            PID: 3124
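The command lines in this tree are the observable side of four techniques the report tags (logon scheduled task at highest run level, Wi-Fi discovery through netsh, a firewall allow rule for the dropped binary, and an encoded PowerShell command). The following detection logic is an added example and is not part of the Triage report nor code from any of the samples it describes. The process events are constructed to mirror the tree above (image path, command line, reported PID); the ProcessEvent shape, the rule names and technique ids, the PIDs 9001/9002 and the base64 placeholder after -enc are assumptions of this example, not data from the report.

```python
"""Detection rules for the command lines recorded in the process tree above.

Added example, not part of the Triage report or of any sample it describes.
The events are constructed to mirror the tree; the ProcessEvent shape, the
rule set and the base64 after -enc (a placeholder, not the redacted payload)
are assumptions of this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    image: str          # image path as logged (e.g. Sysmon event 1 'Image')
    command_line: str   # full command line as logged


# (description, ATT&CK technique id, pattern over the full command line)
RULES = [
    # schtasks /create ... /sc ONLOGON ... /rl HIGHEST: logon persistence that
    # also requests the highest available token, as the Quasar task does.
    ("schtasks logon task at highest run level", "T1053.005",
     re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b"
                r"(?=.*\s/sc\s+onlogon\b)(?=.*\s/rl\s+highest\b)", re.I)),
    # netsh wlan show profiles / networks: Wi-Fi discovery. The cmd.exe wrapper
    # carries the same text, so it is flagged too, as the report does.
    ("Wi-Fi profile or network discovery via netsh", "T1016.002",
     re.compile(r"\bnetsh(?:\.exe)?\s+wlan\s+show\s+(?:profiles?|networks)\b", re.I)),
    # Legacy 'netsh firewall add allowedprogram' or its advfirewall successor.
    ("firewall allow rule added via netsh", "T1562.004",
     re.compile(r"\bnetsh(?:\.exe)?\s+(?:firewall\s+add\s+allowedprogram"
                r"|advfirewall\s+firewall\s+add\s+rule)\b", re.I)),
    # Encoded PowerShell: -e, -ec, -enc or -EncodedCommand.
    ("encoded PowerShell command", "T1059.001",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\b", re.I)),
]

# Image lives under a user profile: the dropped-file pattern seen in the tree.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)


def match_rules(event: ProcessEvent) -> list[str]:
    """Technique ids for every rule the event's command line satisfies."""
    return [tid for _, tid, pat in RULES if pat.search(event.command_line)]


def runs_from_user_path(event: ProcessEvent) -> bool:
    """True when the executable itself sits under C:\\Users\\<name>\\."""
    return USER_WRITABLE.match(event.image) is not None


def scan(events: list[ProcessEvent]) -> dict[int, list[str]]:
    """Map PID -> technique ids; PIDs with no hit are omitted."""
    hits: dict[int, list[str]] = {}
    for ev in events:
        tids = match_rules(ev)
        if tids:
            hits[ev.pid] = tids
    return hits


# Constructed from the process tree above. PIDs are as reported except for
# the PowerShell line (the report's PID collides with cmd.exe) and the benign
# control line; the base64 after -enc is a placeholder.
SAMPLE_EVENTS = [
    ProcessEvent(2588, r"C:\Windows\system32\schtasks.exe",
                 r'"schtasks" /create /tn "Quasar Client Startup" /sc ONLOGON '
                 r'/tr "C:\Users\Admin\AppData\Roaming\SubDir\powerstealer.exe" /rl HIGHEST /f'),
    ProcessEvent(1744, r"C:\Windows\system32\cmd.exe",
                 r'"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'),
    ProcessEvent(1608, r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
    ProcessEvent(3004, r"C:\Windows\system32\netsh.exe", "netsh wlan show networks mode=bssid"),
    ProcessEvent(1012, r"C:\Windows\system32\findstr.exe", r'findstr /R /C:"[ ]:[ ]"'),
    ProcessEvent(2148, r"C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe",
                 r'"C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe"'),
    ProcessEvent(3124, r"C:\Windows\SysWOW64\netsh.exe",
                 r'netsh firewall add allowedprogram "C:\Users\Admin\Desktop\Files\Microsoft_Hardware_Launch.exe" '
                 r'"Microsoft_Hardware_Launch.exe" ENABLE'),
    ProcessEvent(9001, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBCAEMA'),
    # Benign control: an operator listing tasks must not fire.
    ProcessEvent(9002, r"C:\Windows\system32\schtasks.exe", '"schtasks" /query /fo LIST'),
]


if __name__ == "__main__":
    for pid, tids in scan(SAMPLE_EVENTS).items():
        print(pid, tids)
```

Two design points follow from the tree itself. The rules match on the command line rather than the image path, so the PowerShell launch is caught even though the image logged is the SysWOW64 copy (a 32-bit parent asking for System32\powershell.exe is redirected there by WoW64 file system redirection). The schtasks rule requires both /sc ONLOGON and /rl HIGHEST, which is the combination this Quasar build uses; a logon task without the elevated run level would need a looser rule, at the cost of more benign hits.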
Network
MITRE ATT&CK Enterprise v15 (tactic, technique and sub-technique, with the number of signature hits in parentheses)

Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Privilege Escalation
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)

Defense Evasion
  Impair Defenses (1)
    Disable or Modify System Firewall (1)
  Modify Registry (1)
  Pre-OS Boot (1)
    Bootkit (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
  Virtualization/Sandbox Evasion (2)

Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (1)
    Credentials in Registry (1)
Downloads
- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
- Filesize: 153B
  MD5: 3b3f943d00ca315a84f0657d31046ba2
  SHA1: 006623333a73554fbcff9a7a235633be7f716272
  SHA256: 6938b0e2e17936f3301b220e209d0c7cb5e8b5bb2135ffa0e16bbf965c339b42
  SHA512: 707e63edef457d90c322182761b291e3f9e920c31bb8a7f9066172f4786c8bef4ae009a99e4cab35f3a8dcac19251aa9baacab8ea4b1606a757d5f6c0a6074f6
- Filesize: 3.1MB
  MD5: bedd5e5f44b78c79f93e29dc184cfa3d
  SHA1: 11e7e692b9a6b475f8561f283b2dd59c3cd19bfd
  SHA256: e423c72ea1a279e367f4f0a3dc7d703c67f6d09009ed9d58f9c73dac35d0a85c
  SHA512: 3a7924196830b52d4525b897f45feb52ec2aca6cd20437b38437f171424450fd25692bd4c67ccde2cf147f0ed6efcef395ea0e13b24f0cf606214b58cf8284de
- Filesize: 4KB
  MD5: 202786d1d9b71c375e6f940e6dd4828a
  SHA1: 7cad95faa33e92aceee3bcc809cd687bda650d74
  SHA256: 45930e1ff487557dd242214c1e7d07294dbedfa7bc2cf712fae46d8d6b61de76
  SHA512: de81012a38c1933a82cb39f1ac5261e7af8df80c8478ed540111fe84a6f150f0595889b0e087889894187559f61e1142d7e4971d05bceb737ed06f13726e7eae
- Filesize: 545KB
  MD5: e9132f43dcab2d0993a889590ee1e2e6
  SHA1: fd46cb0d6783b4046a28231160be482b82fe1b0c
  SHA256: 65ea0bc209b7582da7a5839958575390294742547ad121a428eb20ee04a0e0ad
  SHA512: e5870d97036de9f677d272a389071454a3e304e352867e8bf12a593d1afa3c7a76103ee45e11b0c49de9f73780f983bef8833e7b59d3dfe6567e52ffa9a56805
- Filesize: 454KB
  MD5: 081ad20f6d03123475980562a31244a5
  SHA1: 561f750f48b0fdaed5368ea0fa557852027eee90
  SHA256: 5b6e418094dd968f40be536ab7227632f7f57b64d440d9b9f781b5d9d331daa4
  SHA512: 4c0ed5ebd97beb444cf157b43a02fdec1b94cea3f31214a8911338d887355269bc28db3aea263109169c56daccfff1beb7b17005c57c57a80c3782d9f35988cd
- Filesize: 408KB
  MD5: accb7a432b43573d1e4e1a4fea541838
  SHA1: a2724fa36a4f71aa1c4c25279d5afc4c118f7659
  SHA256: a8b4cdb3e99b5c7530d5fa3a701c9b8d32dbee84020639a26b287be62cfbe11e
  SHA512: 61179827ac1b674c691c3e7d9bff81e9a6a3507696fc3010c71b78f7d0b8adb995334603f85f827f846dc404e94419c36fd1a445c8c050d8ae60490ebcb5e3be
- Filesize: 795KB
  MD5: 99a0d843f9f214e95abca634510d3e9d
  SHA1: e9c8ef6a2263637639745c5dca7efbc40fbb8e26
  SHA256: c0467d1aec081d4c38165176c7d5e36e7392cf0de0893311993e73f9c3f60d00
  SHA512: f70774dabcb6aea58005d235ca43a80913fb74c83de7dea0ee46b6cc94361e65f3d0758fbf7bc37d8c4847968d2999aa6d7ff20efc870f4a013ff1ed95f5c9cd
- Filesize: 681KB
  MD5: 5e5a128807c9de0abfd7c134b0e046cb
  SHA1: 7f3eab8ea825742d093ca9e3cec0eabe5cfc6df7
  SHA256: 8964ef4d85f98e643ecef8c099a205f555a96059952efa269facda603eaa516d
  SHA512: 451138bd0bd1d724c3dc854bda9781ea82f467e96b378f41d495064b42b7b2cfde7a3b8127b9aed70c34e92cb6754eb76e2a04e64fe47a3b00845eeadc866684
- Filesize: 15KB
  MD5: faa4380cb045e115750af1da1ab4b49e
  SHA1: 81943b4e2ddf2869bb87a7fbe724452be45a72af
  SHA256: e9490c13dacd3c2cfc4d845efbcfae6bd78b9bdde2dfebe7fb1ea1c44aeb71d6
  SHA512: 9fa4db5a6b4a450d7b8e5aeca1864b70c47f1f638a04c5698c086da678db3ce11a8d0a84d8dbe44ab846aa1d1f95f978f3ddd56f2a04c8cfc618d6930f750b3a
- Filesize: 477KB
  MD5: da01b6c00d7b001945d030241eb3909d
  SHA1: 7f125f0cdd6834b8da2efcc870acd675dd23ab1f
  SHA256: 453a2a022217cd1f3ba9ce677071530bb19825aaaa0bcfef5e165224c967f493
  SHA512: 66be163836242938abb9918d87c4e10b6e0ff94098cd405144059bac845faee93bf29c61c38abf49e856c2d94e7eec4cf0667d2f736bcaf52b1fb9a4bfe22005
- Filesize: 45KB
  MD5: 7ace559d317742937e8254dc6da92a7e
  SHA1: e4986e5b11b96bedc62af5cfb3b48bed58d8d1c9
  SHA256: b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f
  SHA512: 2c50337078075dc6bfd8b02d77d4de8e5b9ad5b01deed1a3b4f3eb0b2d21efce2736e74d5cf94fdf937bcc2a51c2ecf98022049c706350feacb079c4b968d5d3
- Filesize: 93KB
  MD5: 7e9aea4310d362cc62c7eef48b9bea7d
  SHA1: 0d0f4ba4460f30731da5f5b7a2df5538fc39509c
  SHA256: 7ebeecbc8be6ef0639cdfc58a6e7adb22786de3268efbc71a84e2407abf30c0e
  SHA512: 7e4a2f2076adebf213e2d86f5e8924924db0f609cabd4e55a4707a293410cad83dd93c3c82a4e93fa9d580454e9e20549c621dbc3b7733081874b99ff747b415
- Filesize: 590KB
  MD5: 4cd7232e135c2f1f47f2144a3e08add7
  SHA1: 97058084562418806d7af95b5d489be209e857ec
  SHA256: 4aa71dc547809b163940753165ef33834105cfa548c9941e7847a5857300728e
  SHA512: 612b95a0e674b7e1f93812e384e98e8997c6fe9c864914e28dba1861f49c373e4dac381ce04067930d7ab81884b7bc2e3176ae322c552997d653411b92e81f8d
- Filesize: 10KB
  MD5: e2926036cc18ab9b1f74fa7c6f095218
  SHA1: 9fa80a1133166f8670b757bcdfef3aa2199bd55e
  SHA256: d6372090c67169e522f71e82ca18a57b5a71ae8e0ac198218c26f9ffe5893ca0
  SHA512: 8a9ad4a734aa177fdebabfb52fdbd8df15bf9fe97cac83e0304a05633b7f715f6ab1e38f606a772c14e56714bf51ae1a20a537ee4c100988ac8361679be1eede
- Filesize: 318KB
  MD5: fc95fad8ab4c1a1de22df013cebee038
  SHA1: 8277690f24b3fe92462f671023ed07635e98fe2f
  SHA256: ae64188be9f7a3c6154d40b65dbbf20322088aa6f81bf15817eedcbee6db0149
  SHA512: 3536c77413ac39730de23bb14423396175869f40373fcaeb62426ea462e225d0137903afda071586f37b8406aad5269980179bd68cb1727d98e14ad6da124b57
- Filesize: 363KB
  MD5: 6b417941fe81748413e1e4c4c278768c
  SHA1: 829cf47b81755315d6ae49a6b29b6e06479b37ea
  SHA256: 670178a4dfb922832f119f02bb40812a0859b246f6cf25bca289eb42e11bed34
  SHA512: 6f7bf12fb18ed553ee301a8aef92a32d3077cb83b7137cddd835b5d11c186419cf3932189c8e4cf4bbcc44d20b6de9d403b5cb3d6c47c55c2e24998b4f2c6d10
- Filesize: 613KB
  MD5: 55c7d8a111f04ef01bca8aa91c4f2f9c
  SHA1: 6ab37c27b9d3d14d0b89c1535bcb3943ce9fb033
  SHA256: 8920197c6a74d4ec90dcfaa711f9cc781aa597cda2cbf33b1cfe2b0d718fe21e
  SHA512: c590716a9d1098ef2e82fd099d3dee40cb528939e4522752193cbcf2e8f4663cd9108b573e0f6c5632f3f3b332c37ddb52778cdbcb0ab0ffff969c8a7c6364d3
- Filesize: 7KB
  MD5: a7b1b22096cf2b8b9a0156216871768a
  SHA1: 48acafe87df586a0434459b068d9323d20f904cb
  SHA256: 82fbb67bf03714661b75a49245c8fe42141e7b68dda3f97f765eb1f2e00a89a9
  SHA512: 35b3c89b18135e3aca482b376f5013557db636a332a18c4b43d34d3983e5d070a926c95e40966fafea1d54569b9e3c4ab483eaca81b015724d42db24b5f3805f
- Filesize: 386KB
  MD5: 9fb5cc3f523b474c9647df1a1a69c522
  SHA1: de600d952476404134be8b9ba8b9a2f3d7bcb09c
  SHA256: ea7851f681ab498c4e80130c61d73a00cd2a342ba0730aedf20483409a8aa9d1
  SHA512: 0b6addef963b0646fbd648047bdc5e72480b749aaa99b6bab4cccd91b46ff6a3716f1e68203265775f00a012aab5b59e8d5902b9226cdd3259a1092bf5fc9f08
- Filesize: 295KB
  MD5: d6191e07aa3be2ad9434cd3ecb4c02fa
  SHA1: 3fff16a5b76e2900f31a41acca74da507a7c70be
  SHA256: 8846cf027174e82d9ee8d7951bd382b89a70e7b41509dc634669e1df02e91dd0
  SHA512: 5d7b103a4a52ec7d8625b99af4b802ffe7fc7da326b853c6b92eec5027687d61afa3d7de8bf51b58d102fdfdb6585c794f8c681dac6a04d5acc7c211dc1817bc
- Filesize: 1.1MB
  MD5: 1fe4158dd69331253ee36749a1a86000
  SHA1: 6f0cc820326f4fadbb4946f351763cdac8fe17f9
  SHA256: d2abab31ea57eddae1e1bbad7d0229a3cf10412e3487a7d950bbb325959367f9
  SHA512: a2b2b5d89cdf44133c58bf423fc9d9e2b8ca6095fd4ab57171064a62c2440a485cf3bae6e140326f0c3713553d224b9d67e10634d4d26cd54a2cb4aae932c6e6
- Filesize: 658KB
  MD5: 8018cc2961056ae92ba8cc13f065c5bd
  SHA1: d0eb5e1978d6703dc53fe3fd8682fcb168a05941
  SHA256: 5234e09e48b1fbd80218438ae3def3ce474c12ff41c42a2e0735c1e80f401951
  SHA512: 7d1b7917f4ca539bc5fb737802ab00c02fd2b67de3a094f4e32adbf06cff88edf996c25faea9b68b4b770d408e3133fcadf567dc4c3755d3fd37da3fce7837b4
- Filesize: 840KB
  MD5: cbe29ce96c95b219c71e11731b2cf51c
  SHA1: b7fcbefd85f58626893d3ab6a2b005b435c203ac
  SHA256: 7768c4a8606e34ab3a12c81fde562810f19236665cd0ff4f9b3ecdcec841c56b
  SHA512: 8dbac23674397e16f3b0ab520fdee17a004ca5bd41fa605f3d07d7d98f1c8fbab5a6bcd5ed44dcc39ef98f70561560270be8f4e674709bd6633396c52255c171
- Filesize: 636KB
  MD5: 2a5c34035d90d809f0812efffd9c50cb
  SHA1: 47916756085d97626138b73a8461621a7259c84b
  SHA256: 421ca3cc2ba658664795410faf5f6560faf3db9fe5d6293730999f895694f42c
  SHA512: ff1083c1d45e4486fe8ca935734b40d91e38e8acdfcd88ee6b78eeb5274aab7a9df99d0a08035789786a8721bd329dfb59057752fdeabf8fea3653578aac4856
- Filesize: 704KB
  MD5: e168af3ebe2221800af07fb1c60ea1e4
  SHA1: 5fbc4d6003677df45307eab5ab3926bcc0cf89e7
  SHA256: 020d626d55b73debc7fe85ecbdfb01405e6035f307468b229a6033b416722d04
  SHA512: 53cbf157f860c54dc405e05109c463a519acd03f939c3705e4e0dd84f7c3bd5d1087dd414c04155773a131af39d0569895ca462e7b111514e98e2c520414164f
- Filesize: 340KB
  MD5: 9d031052ebcf3530ce3d1ed01229e658
  SHA1: f0952481ac3cf55e1abf19eea9aafa52cb8ec220
  SHA256: 95f84dd279f105bdf33b2399c1776fe50ac1eb879ef1792c433a7cbfe1f43b49
  SHA512: f218cd873b5206b889201d02b020eb3cbe0a71999193a0926d4a3663786be631abc0f7f4185b400ca0af20af2a5946e92100e85982ba39c32edeea7d5f86746b
- Filesize: 817KB
  MD5: 69697620f8ed4d1e26013411d9499d18
  SHA1: 1f40b502d386dd0fb886ee81d02c39db7f693ed8
  SHA256: c5959d6d7e2986e573c9f3a1fd2f26954d03db980a7bd71cd710729b29202c63
  SHA512: 0b99283aaf2160628b96273dab97dcd935f534904b7b7d6349c7b27c55abb70623413b16d06db0d08fc1dc4effe6a992c2ac2596d8b8c35818ab14b8f15bc71b
- Filesize: 772KB
  MD5: 886c6bceb4c2866e6eb3342b111712d5
  SHA1: 58004fc122a8d200a3ad1282a4414d29c7d2615d
  SHA256: 61fd8839f5a4f57196af831d8388f13d4e6d13b8789d400062b07095f4b0fe95
  SHA512: 253eb43c1ab1d7ce39b9727b6a22485f4df1e99395d70bb0212b3789e294d5183f0528ccc0cd4e5d14f74612e677caa88ae1ec57bfec36a5fb6aa9258f831138
- Filesize: 568KB
  MD5: 35ca75008c8e63efd1e13f6c32464db9
  SHA1: a58bf0f9a0e8661a6bf02dc0019acb94410b6c1b
  SHA256: 226a8c59c7ce102febfe08ef47f1cc66340fb5d460c6fac78fab958d21516ab0
  SHA512: 32fa73a995030f51c6c7da23515eb9ab9986a6c21d469389ee04d81dc4897fe1221df39259aa867ff2653656c320dc1558f329d009a748c229c3661520827dfe
- Filesize: 522KB
  MD5: 1c00e7c4b515f60a715b8a5d6cb01873
  SHA1: e8c2e58dd8320f6f59ef2d90a56d2c5533fa7c70
  SHA256: 46ed8f12594da58085c452e313b68ab2a6b772907ad6214f35ba75773f734470
  SHA512: cb3b4cbf8e77649689ab57d93d20b53019df5efd9f7c25489b7617fa698f91fa91d08cd7ce25a18765356ca0aabdfba37cb6b5e002aa367155c7ea8c45662f08
- Filesize: 499KB
  MD5: 9611ae743a259da35a56aac2cecf5782
  SHA1: c5d7710ada9e68655f24c49f9c70c277c62054ba
  SHA256: f8951732a7600e5a1c33e45d25b0e932cafce7fe2b4f17b38755ea3a37cf6cbb
  SHA512: 21527f324415eabee9ea6ec0626291303b6e660292cdc319233f422f6bb3c6fbc3b3aa1adc8c85221fe823f028eef30a8bc5fe882d6565c8f86e5afb53e83db8
- Filesize: 749KB
  MD5: 6c83c3ab1cbf8aacf41a222a5ffda19b
  SHA1: 43358c2a20eb143c4bffd5dbc3a08c2215c01c75
  SHA256: cacd1dffd99181cb3d3c442071ef242effaebe4c502619f6648950b62c87b09f
  SHA512: 59a7fbdb25b668a6f9f1ac876987f9e4bf313b7b3ad828b9dc7744329980bed089ffc9eb1e7c601e8ed33c8e2b43d4226be0614c46d853d279a7cdb31f604317
- Filesize: 727KB
  MD5: f2b0118c9bce7ca59692c746fe54b7be
  SHA1: 11beb1442a5a0b5bbe80e0228af188a616ec1f78
  SHA256: c73737dfb4c73aa73950215bb62b4c04214660ff0f0c8de1955981b606ef02f1
  SHA512: 208f85542dbf8c2b6428eb9821f1790e923e30ecd15acaaa7f31d5870da6fe808a0e471c95c811c93c80bb95b61cc89bc28333097ddd58ef7ec0c0e94edc64bc
- Filesize: 431KB
  MD5: 5fa720cd5cdb578bc24f62b275b9f62d
  SHA1: f9822cae101aab4000d2caf355f1dedf14f7db0d
  SHA256: c547f702916552cc26e76910ea3240dd83a12538eb86c21c8efea0ba25bf4328
  SHA512: d0d5454540b83abba2d19f0329d05ef7660d809230f698d4726908298472bfdbf379e557dd315240b80e30fdd4dee02fe29e122d5d0f30fe4b38fd4ba44e8553
- Filesize: 1KB
  MD5: 93f0af3cdb10427c0ceb4ea2db2fda3e
  SHA1: 898b3b01763859bbbab268fa580a5eadc5cb464d
  SHA256: f9b7fda7b756118383843e62a9092246a5d7b23f18cae6f49e3a5d0195d9c5af
  SHA512: 39fbec39a5fdb0ad2fcb26c47483c776eb714c8263ff752ede077deb36fcd3dfd09acc92f6cd2bb8ea31f8bcd44376bbb9fa85f62a957d7bafeb81bdc622785a
- Filesize: 931B
  MD5: 6b282bc9065f108da28fe9ff016f5dc4
  SHA1: 89cd7babafc1a6ed4ac99b22e559b127033134b8
  SHA256: 0d09e42dcc55c17495d41a109e3d20d993a67aa59e76395fb5600af7b6a454bb
  SHA512: 84ab98da7b7fa52a7f55512455aa3643c0860a80944a3aeae11764f85f59f3d1cf0769e1d669bdac710be7a663538a1a0aef9e39db65845e2d898ab2e862e3c8
- Filesize: 2KB
  MD5: 17533a04a1e28341bd037aaf2b80aa72
  SHA1: cab41a28a95dea1bbcc07b68238603784ac542a4
  SHA256: e82c6c30d3e9624f535b806a34e08b0ee212d94d965a35d51658bd96a9cfa611
  SHA512: 0ad1529cb0003e9a54c0bef14fbdee9d78079bfe77b1abc441a16148a322142053e331442aaf0d24add57803ca6b09cf222ee5d4d4dec89491085fb5c365118f
- Filesize: 878B
  MD5: 9ec5e565834f441cc4a9e61743abad42
  SHA1: c4090dfb08b8093ecbb3df62c50850b2c38bf2ed
  SHA256: 6bd8ddabc50c5f0d3ad7ce6f09eec33accafeefa6c43f55fcae3f41135bb40ae
  SHA512: 27e9c84243bf853d07554565322b2504765c0f67b8ed0fd6498953c4af6a4668b0f80e7a9c5289cdcdafd7d44e28a5306b31e91f87993165597b941fbb9f798a
- Filesize: 16.2MB
  MD5: 9cb4cf7e6b271413430c9b3eea8aafa2
  SHA1: 5d789fc3756e2f5e113aeba0f9f3053e88db59b3
  SHA256: 0728e88b0c32282e2750d77d172c2454a0fa53bf6a093c7885c93641cf5e794f
  SHA512: f34db1ba8e1083570318c05370cc24af61dd507532c1c867cd90cc6b5c7fbae2dfde9b4dc13edc1e5587efe74ebfdccfa2c0e095f2ae0477c49cdecc5e6d034b
- Filesize: 45KB
  MD5: 4d5a086a9634eb694ec941e898fdc3ce
  SHA1: 3b4ce31fcc765f313c95c6844ae206997dc6702b
  SHA256: 149990fa6abd66bd9771383560a23894c70696aaeb3b2304768212be1be8f764
  SHA512: 16546b2d4f361ff0a32ef8314989e28f06bb2ec6b31276031bd7dec4c67ce30e97befb72e962d927cffb57fe283a8de7fa049725f488b3918968c011f9487468
- Filesize: 10.7MB
  MD5: 2cb47309bb7dde63256835d5c872b2f9
  SHA1: 8baa9effc09cf80b4a1bac1aa2aa92b38c812f1d
  SHA256: 18687a2ceebf3eda4a11a2ef0b1d85360d8837ad05c1b57f9f749ea06578848e
  SHA512: 3db4a42cbf6bc26d77320bf747e7244e54320b5e6ebf6a65bfd731beb7e99958bc5b7e9fe3ab1579becd42c588789c2185be74f143d120041b0331b316017104
- Filesize: 2.0MB
  MD5: 4e18e7b1280ebf97a945e68cda93ce33
  SHA1: 602ab8bb769fff3079705bf2d3b545fc08d07ee6
  SHA256: 30b84843ed02b74dfd6c280aa14001a724490379e9e9e32f5f61a86f8e24976d
  SHA512: 9612654887bdd17edba4f238efd327d86e9f2cd0410d6c7f15a125dacfc98bf573f4a480db2a415f328a403240f1b9adc275a7e790fd8521c53724f1f8825f37