xworm | 76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb

Analysis

max time kernel
66s
max time network
130s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NIXWARE.exe
Size

37.3MB
MD5

7c75210de2c558c9050f082e5373ee37
SHA1

a683e20da1195e0e3eacabd19c760ebf9b60768d
SHA256

76055a2e7a65f892affbf012eede61a9ac39fd83a672201e902ce96eb3642ddb
SHA512

874201ba98ebb687f05df0e508ff967b61a6b3d28274a986ee31c8e5d7371e1c6fa24f462125ab7c375d6bd96fed18d5640cba962107d546cfca3c6d147dbf20
SSDEEP

786432:5gB5EOyGOlEaoPvuMMXU2o3SIkDhSdKqlH7R32AsKpDW800m70T+eUNH39:8lyHIPvuMwUp3SVMpHldxM80n7Q+xHN

Score

10^/10

xworm defense_evasion execution persistence rat trojan upx

Malware Config

Extracted

Family

xworm

aboltustimoha-43339.portmap.host:43339

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000400000001ca91-388.dat	family_xworm
behavioral1/memory/2984-432-0x0000000000AF0000-0x0000000000B0A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2820	powershell.exe
2700	powershell.exe
1052	powershell.exe
2528	powershell.exe
2040	powershell.exe
1932	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
2724	ExLoader_Installer.exe
2956	Built.exe
1748	Built.exe
2984	checker-cheats (1).exe
2516	ExLoader_Installer.exe
2460	system.exe

Loads dropped DLL 8 IoCs

pid	Process
2824	NIXWARE.exe
2824	NIXWARE.exe
2956	Built.exe
1748	Built.exe
2724	ExLoader_Installer.exe
2516	ExLoader_Installer.exe
2824	NIXWARE.exe
2824	NIXWARE.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExLoader_Installer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ExLoader_Installer.exe"	NIXWARE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Built = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Built.exe"	NIXWARE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\checker-cheats (1) = "C:\\Users\\Admin\\AppData\\Local\\Temp\\checker-cheats (1).exe"	NIXWARE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe"	NIXWARE.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2364	powercfg.exe
2932	powercfg.exe
2704	powercfg.exe
3012	powercfg.exe
3028	powercfg.exe
876	powercfg.exe
1048	powercfg.exe
1904	powercfg.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	system.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2460 set thread context of 2676	2460	system.exe	70

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a463-91.dat	upx
behavioral1/memory/1748-132-0x000007FEF2920000-0x000007FEF2F08000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1620	sc.exe
2576	sc.exe
2868	sc.exe
3052	sc.exe
1880	sc.exe
2720	sc.exe
1288	sc.exe
520	sc.exe
284	sc.exe
2480	sc.exe
2140	sc.exe
560	sc.exe
2480	sc.exe
544	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2820	powershell.exe
2700	powershell.exe
1052	powershell.exe
2528	powershell.exe
2460	system.exe
2460	system.exe
2460	system.exe
2460	system.exe
2460	system.exe
2460	system.exe
2460	system.exe
2460	system.exe
2460	system.exe
2460	system.exe
2460	system.exe
2460	system.exe
2460	system.exe
2676	dialer.exe
2676	dialer.exe
2676	dialer.exe
2676	dialer.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2984	checker-cheats (1).exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2840	explorer.exe
Token: SeShutdownPrivilege	2364	powercfg.exe
Token: SeShutdownPrivilege	1904	powercfg.exe
Token: SeDebugPrivilege	2460	system.exe
Token: SeDebugPrivilege	2676	dialer.exe
Token: SeShutdownPrivilege	2932	powercfg.exe
Token: SeShutdownPrivilege	2704	powercfg.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe
2840	explorer.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2820	2824	NIXWARE.exe	30
PID 2824 wrote to memory of 2820	2824	NIXWARE.exe	30
PID 2824 wrote to memory of 2820	2824	NIXWARE.exe	30
PID 2824 wrote to memory of 2724	2824	NIXWARE.exe	33
PID 2824 wrote to memory of 2724	2824	NIXWARE.exe	33
PID 2824 wrote to memory of 2724	2824	NIXWARE.exe	33
PID 2824 wrote to memory of 2700	2824	NIXWARE.exe	34
PID 2824 wrote to memory of 2700	2824	NIXWARE.exe	34
PID 2824 wrote to memory of 2700	2824	NIXWARE.exe	34
PID 2824 wrote to memory of 2956	2824	NIXWARE.exe	36
PID 2824 wrote to memory of 2956	2824	NIXWARE.exe	36
PID 2824 wrote to memory of 2956	2824	NIXWARE.exe	36
PID 2956 wrote to memory of 1748	2956	Built.exe	38
PID 2956 wrote to memory of 1748	2956	Built.exe	38
PID 2956 wrote to memory of 1748	2956	Built.exe	38
PID 2824 wrote to memory of 1052	2824	NIXWARE.exe	37
PID 2824 wrote to memory of 1052	2824	NIXWARE.exe	37
PID 2824 wrote to memory of 1052	2824	NIXWARE.exe	37
PID 2824 wrote to memory of 2984	2824	NIXWARE.exe	41
PID 2824 wrote to memory of 2984	2824	NIXWARE.exe	41
PID 2824 wrote to memory of 2984	2824	NIXWARE.exe	41
PID 2824 wrote to memory of 2528	2824	NIXWARE.exe	42
PID 2824 wrote to memory of 2528	2824	NIXWARE.exe	42
PID 2824 wrote to memory of 2528	2824	NIXWARE.exe	42
PID 2724 wrote to memory of 2516	2724	ExLoader_Installer.exe	44
PID 2724 wrote to memory of 2516	2724	ExLoader_Installer.exe	44
PID 2724 wrote to memory of 2516	2724	ExLoader_Installer.exe	44
PID 2824 wrote to memory of 2460	2824	NIXWARE.exe	45
PID 2824 wrote to memory of 2460	2824	NIXWARE.exe	45
PID 2824 wrote to memory of 2460	2824	NIXWARE.exe	45
PID 544 wrote to memory of 1876	544	cmd.exe	53
PID 544 wrote to memory of 1876	544	cmd.exe	53
PID 544 wrote to memory of 1876	544	cmd.exe	53
PID 2460 wrote to memory of 2676	2460	system.exe	70
PID 2460 wrote to memory of 2676	2460	system.exe	70
PID 2460 wrote to memory of 2676	2460	system.exe	70
PID 2460 wrote to memory of 2676	2460	system.exe	70
PID 2460 wrote to memory of 2676	2460	system.exe	70
PID 2460 wrote to memory of 2676	2460	system.exe	70
PID 2460 wrote to memory of 2676	2460	system.exe	70
PID 2676 wrote to memory of 416	2676	dialer.exe	5
PID 2676 wrote to memory of 464	2676	dialer.exe	6
PID 2676 wrote to memory of 472	2676	dialer.exe	7
PID 2676 wrote to memory of 480	2676	dialer.exe	8
PID 2676 wrote to memory of 576	2676	dialer.exe	9
PID 2676 wrote to memory of 656	2676	dialer.exe	10
PID 2676 wrote to memory of 744	2676	dialer.exe	11
PID 2676 wrote to memory of 792	2676	dialer.exe	12
PID 2676 wrote to memory of 820	2676	dialer.exe	13
PID 2676 wrote to memory of 972	2676	dialer.exe	15
PID 2676 wrote to memory of 280	2676	dialer.exe	16
PID 2676 wrote to memory of 112	2676	dialer.exe	17
PID 2676 wrote to memory of 672	2676	dialer.exe	18
PID 2676 wrote to memory of 1096	2676	dialer.exe	19
PID 2676 wrote to memory of 1164	2676	dialer.exe	20
PID 2676 wrote to memory of 1332	2676	dialer.exe	23

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2840

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:576
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:656
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:744
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:792
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1164
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  PID:820
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:972
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:280
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:112
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:672
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1096
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1332
- C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe
  C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe
  2⤵
  PID:2372
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2856
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2400
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1288
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:520
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:560
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:544
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2480
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1048
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:876
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3028
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3012
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2872
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:1216
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    PID:2860

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:480

C:\Users\Admin\AppData\Local\Temp\NIXWARE.exe
"C:\Users\Admin\AppData\Local\Temp\NIXWARE.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\Built.exe
  "C:\Users\Admin\AppData\Local\Temp\Built.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\checker-cheats (1).exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Users\Admin\AppData\Local\Temp\checker-cheats (1).exe
  "C:\Users\Admin\AppData\Local\Temp\checker-cheats (1).exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\system.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Users\Admin\AppData\Local\Temp\system.exe
  "C:\Users\Admin\AppData\Local\Temp\system.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:1876
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1620
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2576
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:284
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2480
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2140
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1904
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2364
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "VLKIAJCI"
    3⤵
    - Launches sc.exe
    PID:3052
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "VLKIAJCI" binpath= "C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2868
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:1880
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "VLKIAJCI"
    3⤵
    - Launches sc.exe
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe

Filesize
3.3MB

MD5
165d299bdfca726783a410c7086dead2

SHA1
03375a1c662a89b6dd1e2972bbe3caeafec74dcf

SHA256
3f35a0dc4a376a440889e24b84dd5c4bee9836578987d817ab5d7f6d4ee9ea42

SHA512
de615356c2490ca7ff30c331b1e58234b9aadec567d59f116bcc154b1ec01f83b624c9efce3bfb98ce5fda4aca2c1c1ead222f3d8217d1126dd087fed3d69b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
184KB

MD5
672d8f840df04da81a68c12354c67602

SHA1
f14a9a358bce7225435a4f9327722edf363139cf

SHA256
cc8522a81ca478837e76ee0975f820c0211242f859769dad4349afc9892dd6b2

SHA512
4ac90decbf88025c7ed0484b030d484b3659541ad4bf2f029d74657bcb4fc4d7f5f66a84ac9bfe8184e21fd412c1ad367c8ebf6a9e19761736bbeaf9722db962

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
17.3MB

MD5
225782e5d02f400a76b8fabe8a6f5cd1

SHA1
e54ef4f664a250808749be2ea9870607c20ace31

SHA256
b66713715a7aeaa2f88ba18838aa7c245556eaaeb31c82da3f5aebcb71a7715e

SHA512
9e88489361b36970a982329184b7afa9ef403ca86830427c60397e49522e5d38fc652ce4b65e79c54583a50ffee83fb138a02d638e015c9ff53e56164556be76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29562\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\checker-cheats (1).exe

Filesize
75KB

MD5
04e6de63f885854bc352dcaedf70f687

SHA1
2ab12179885dc57bbf255564012fa8e2b82a3330

SHA256
e7e69559f54ae11b078702201d788c1825a79b8e88a77b1b2fde01c1da1f8b06

SHA512
fe8d496253ceb225c29ed5c3e6074a7d4736fb51b77bee1ee6a118e21f05e461e27462604ff167bc6b468b62a3b6716ebd6cbb1201c9337aac31814661ce0c1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3251TJO5G30DJCSP6F3O.temp

Filesize
7KB

MD5
055ea436e09ff57033054dc24c5471ac

SHA1
0f9ab08731cbd0c19647ebb5aca9a9d88055e0fd

SHA256
0e4725fad11b88d1a97c6826fd683b126c6a60c40ae23b9d2d2b746034e570c9

SHA512
5c1253ab8eed0039c3a1acebbacc083a76f7e549b1abb55ffbcccdf3af0295d3bf18925f5eb72d836bb30fc1139570f1e4f5e2faa1ada2210584b66dbf347dbb

Download Submit
\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe

Filesize
3.1MB

MD5
d30ca2c557fce4f96ca2fbe64df86c9b

SHA1
23797bb30536b6731bfa3fbc7098b810cf96388a

SHA256
0584baa28888dec9e2266174cdec0801f62b1c5258c71d7b1df89ae1bf8a4a45

SHA512
e2b36e6f24831c31d8548d1cf465643ec2146fb96bdc23f096ed0cadc648db00b718c442d2ed22d36c7ad49ab2eec3f1a88605918a1a33f80b2d5939b1bdda61

Download Submit
\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe

Filesize
3.9MB

MD5
06a1fb7590353ba18b3f104fd1847cf8

SHA1
f189cd1b533ba606fc24e52c3ba4f03d05687e7d

SHA256
243e2fa9d0208fd7600fbac77d1b4af07c6a8cb922d3126b2b8e0c4641e6af5d

SHA512
25f789aa9e9f22b7ed5dc215ff2d28e30d6ffc2b5521daa4fa9f5b8e29a3a86afd0f9c33d1e6db966e8ad21ad75c173fcfd7db5704993f2d561af9b82383b6d9

Download Submit
\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
6.9MB

MD5
6b915cd816ef2570b3c203ff6f4668c4

SHA1
4a96ed7b4e3ee8f553a4e7581bc42df3356856f3

SHA256
12dcc7a7ae7e83049ade18d3699ad8d0fe8b34a5a1f33ad31d825008f2460715

SHA512
06db8f913e06625d8bca3464bd4951d30b0ffd53c60bbbed80216f9e21342cc5fb8d8aaee12e06f6478c976c318eab164f31c7440d8bf0ed40418584544f4a9d

Download Submit
\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe

Filesize
26.5MB

MD5
dcd3344e5bdca9492706ed74cbf8b233

SHA1
ed0ad8d0e65d27d34644b75fbd73b7ee8a825bc6

SHA256
75243dbdd7668c07417eb463d1b4f24d8ff4781b6d5aa0522afb2509b920cf9c

SHA512
9d31001b90e2610a74aa66b7d9a383094b3d904ad105b50c55be3aa46ef8be2f2a45a082e990a905b8673e4bcf320b4f078a53fe1435bd96e08df0bc9e09bca4

Download Submit
\Users\Admin\AppData\Local\Temp\system.exe

Filesize
5.2MB

MD5
332a796dafffbfba2d0655e2f5d72b79

SHA1
41540d6e81ef9afff85b7623115655c245d286e4

SHA256
c26fb59378ead10e14125f1c86c54fb5db72c08eb268d0d01dce864353829769

SHA512
63b91400d5675da0cc290205d845e6fc584c1ed99c2df97fc33f63ddc17e915b605640241e201c8cf1c089213b36dcb0d389ca8aa78db925b46a301503efe9a8

Download Submit
memory/416-783-0x0000000037B80000-0x0000000037B90000-memory.dmp

Filesize
64KB

Download
memory/416-734-0x00000000003F0000-0x0000000000414000-memory.dmp

Filesize
144KB

Download
memory/416-736-0x00000000003F0000-0x0000000000414000-memory.dmp

Filesize
144KB

Download
memory/416-780-0x0000000000760000-0x000000000078B000-memory.dmp

Filesize
172KB

Download
memory/416-782-0x000007FEBDF20000-0x000007FEBDF30000-memory.dmp

Filesize
64KB

Download
memory/472-743-0x0000000000D80000-0x0000000000DAB000-memory.dmp

Filesize
172KB

Download
memory/472-777-0x000007FEBDF20000-0x000007FEBDF30000-memory.dmp

Filesize
64KB

Download
memory/472-778-0x0000000037B80000-0x0000000037B90000-memory.dmp

Filesize
64KB

Download
memory/1052-204-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/1748-132-0x000007FEF2920000-0x000007FEF2F08000-memory.dmp

Filesize
5.9MB

Download
memory/1932-1024-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/2676-731-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2676-729-0x0000000077B40000-0x0000000077CE9000-memory.dmp

Filesize
1.7MB

Download
memory/2676-725-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2676-723-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2676-728-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2676-730-0x0000000077A20000-0x0000000077B3F000-memory.dmp

Filesize
1.1MB

Download
memory/2676-726-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2676-724-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2700-21-0x00000000020C0000-0x00000000020C8000-memory.dmp

Filesize
32KB

Download
memory/2700-20-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/2820-7-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/2820-8-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2820-6-0x00000000026A0000-0x0000000002720000-memory.dmp

Filesize
512KB

Download
memory/2824-0-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

Filesize
4KB

Download
memory/2824-1-0x0000000000230000-0x0000000002782000-memory.dmp

Filesize
37.3MB

Download
memory/2824-37-0x000007FEF6383000-0x000007FEF6384000-memory.dmp

Filesize
4KB

Download
memory/2984-432-0x0000000000AF0000-0x0000000000B0A000-memory.dmp

Filesize
104KB

Download