Analysis
max time kernel
98s
max time network
164s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags
arch:x64, arch:x86, image:win10-20240221-en, locale:en-us, os:windows10-1703-x64, system
submitted
27-02-2024 04:49
Static task
static1
Behavioral task
behavioral1
Sample
8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe
Resource
win7-20240221-en
General
-
Target
8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe
-
Size
164KB
-
MD5
c7e909d16fbebfbaf79cfb035ca2a39e
-
SHA1
2a532e5373cf513995ca3062b6ce110be8785f64
-
SHA256
8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c
-
SHA512
db5c922281a8827438fa05606dc1944e03638656fc7fff2ffdbbf7642acc0fe2387df7488c1be739aacd58096b7a0f22cefa894b28d5a7eb885772d8edcd5f35
-
SSDEEP
3072:VxQ3f7CCQDou0GplVh/Ud+ZbozbqPCS4b2f14+AhjIZ:VxuWCQsullfUgZM0CHg4JI
Malware Config
Extracted
smokeloader
2022
http://selebration17io.io/index.php
http://vacantion18ffeu.cc/index.php
http://valarioulinity1.net/index.php
http://buriatiarutuhuob.net/index.php
http://cassiosssionunu.me/index.php
http://sulugilioiu19.net/index.php
http://goodfooggooftool.net/index.php
Extracted
smokeloader
pub1
Extracted
lumma
https://resergvearyinitiani.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Glupteba payload 4 IoCs
Processes:
resource yara_rule
behavioral2/memory/4964-161-0x0000000002DE0000-0x00000000036CB000-memory.dmp family_glupteba
behavioral2/memory/4964-162-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral2/memory/4964-179-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
behavioral2/memory/4964-371-0x0000000000400000-0x0000000000D1C000-memory.dmp family_glupteba
-
Pitou 2 IoCs
Pitou.
Processes:
resource yara_rule
behavioral2/memory/3636-56-0x0000000000400000-0x0000000002D8C000-memory.dmp pitou
behavioral2/memory/3636-112-0x0000000000400000-0x0000000002D8C000-memory.dmp pitou
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Deletes itself 1 IoCs
Processes:
pid process
3128
-
Executes dropped EXE 15 IoCs
Processes:
pid process
4948 aedraaa
2912 D830.exe
4556 E6F7.exe
64 E6F7.exe
3636 EB7C.exe
1348 F447.exe
5016 F447.tmp
584 2F0F.exe
4964 288c47bbc1871b439df19ff4df68f076.exe
4672 InstallSetup4.exe
4188 FourthX.exe
4956 BroomSetup.exe
4380 nsp44A7.tmp
5000 6255.exe
1644 9741.exe
-
Loads dropped DLL 9 IoCs
Processes:
pid process
3192 regsvr32.exe
64 E6F7.exe
5016 F447.tmp
5016 F447.tmp
5016 F447.tmp
4672 InstallSetup4.exe
4672 InstallSetup4.exe
4380 nsp44A7.tmp
4380 nsp44A7.tmp
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource yara_rule
behavioral2/memory/64-38-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral2/memory/64-40-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral2/memory/64-41-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral2/memory/64-42-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral2/memory/64-43-0x0000000000400000-0x0000000000848000-memory.dmp upx
behavioral2/memory/64-44-0x0000000000400000-0x0000000000848000-memory.dmp upx
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
description ioc process
File opened for modification \??\PHYSICALDRIVE0 EB7C.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 4556 (E6F7.exe) set thread context of PID 64 (E6F7.exe)
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid process
1360 sc.exe
4192 sc.exe
4028 sc.exe
4892 sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI aedraaa
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI aedraaa
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI aedraaa
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6255.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6255.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 6255.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 nsp44A7.tmp
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString nsp44A7.tmp
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
212 8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe
212 8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe
3128 (all remaining entries; no process name given in the report)
-
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
pid process
212 8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe
4948 aedraaa
5000 6255.exe
-
Suspicious use of AdjustPrivilegeToken 52 IoCs
Processes:
description pid process
Token: SeShutdownPrivilege 3128 and Token: SeCreatePagefilePrivilege 3128, alternating (14 pairs, 28 entries; no process name given in the report)
Token: SeDebugPrivilege 3860 powershell.exe
Token: SeIncreaseQuotaPrivilege 3860 powershell.exe
Token: SeSecurityPrivilege 3860 powershell.exe
Token: SeTakeOwnershipPrivilege 3860 powershell.exe
Token: SeLoadDriverPrivilege 3860 powershell.exe
Token: SeSystemProfilePrivilege 3860 powershell.exe
Token: SeSystemtimePrivilege 3860 powershell.exe
Token: SeProfSingleProcessPrivilege 3860 powershell.exe
Token: SeIncBasePriorityPrivilege 3860 powershell.exe
Token: SeCreatePagefilePrivilege 3860 powershell.exe
Token: SeBackupPrivilege 3860 powershell.exe
Token: SeRestorePrivilege 3860 powershell.exe
Token: SeShutdownPrivilege 3860 powershell.exe
Token: SeDebugPrivilege 3860 powershell.exe
Token: SeSystemEnvironmentPrivilege 3860 powershell.exe
Token: SeRemoteShutdownPrivilege 3860 powershell.exe
Token: SeUndockPrivilege 3860 powershell.exe
Token: SeManageVolumePrivilege 3860 powershell.exe
Token: 33 3860 powershell.exe
Token: 34 3860 powershell.exe
Token: 35 3860 powershell.exe
Token: 36 3860 powershell.exe
Token: SeShutdownPrivilege 3128
Token: SeCreatePagefilePrivilege 3128
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid process
5016 F447.tmp
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid process
4956 BroomSetup.exe
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes:
description pid process target process (count of identical entries in parentheses)
PID 3128 wrote to memory of 2912 D830.exe (3)
PID 3128 wrote to memory of 4692 regsvr32.exe (2)
PID 4692 regsvr32.exe wrote to memory of 3192 regsvr32.exe (3)
PID 3128 wrote to memory of 4556 E6F7.exe (3)
PID 4556 E6F7.exe wrote to memory of 64 E6F7.exe (8)
PID 3128 wrote to memory of 3636 EB7C.exe (3)
PID 3128 wrote to memory of 1348 F447.exe (3)
PID 1348 F447.exe wrote to memory of 5016 F447.tmp (3)
PID 3128 wrote to memory of 584 2F0F.exe (3)
PID 584 2F0F.exe wrote to memory of 4964 288c47bbc1871b439df19ff4df68f076.exe (3)
PID 584 2F0F.exe wrote to memory of 4672 InstallSetup4.exe (3)
PID 584 2F0F.exe wrote to memory of 4188 FourthX.exe (2)
PID 4672 InstallSetup4.exe wrote to memory of 4956 BroomSetup.exe (3)
PID 4956 BroomSetup.exe wrote to memory of 820 cmd.exe (3)
PID 4672 InstallSetup4.exe wrote to memory of 4380 nsp44A7.tmp (3)
PID 820 cmd.exe wrote to memory of 1308 chcp.com (3)
PID 3128 wrote to memory of 5000 6255.exe (3)
PID 820 cmd.exe wrote to memory of 4232 schtasks.exe (3)
PID 3128 wrote to memory of 1644 9741.exe (3)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID: 212
-
[1] C:\Users\Admin\AppData\Roaming\aedraaa
    Command line: C:\Users\Admin\AppData\Roaming\aedraaa
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 4948
-
[1] C:\Users\Admin\AppData\Local\Temp\D830.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D830.exe
    - Executes dropped EXE
    PID: 2912
-
[1] C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DF84.dll
    - Suspicious use of WriteProcessMemory
    PID: 4692
    [2] C:\Windows\SysWOW64\regsvr32.exe
        Command line: /s C:\Users\Admin\AppData\Local\Temp\DF84.dll
        - Loads dropped DLL
        PID: 3192
-
[1] C:\Users\Admin\AppData\Local\Temp\E6F7.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\E6F7.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 4556
    [2] C:\Users\Admin\AppData\Local\Temp\E6F7.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\E6F7.exe
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 64
-
[1] C:\Users\Admin\AppData\Local\Temp\EB7C.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\EB7C.exe
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    PID: 3636
-
[1] C:\Users\Admin\AppData\Local\Temp\F447.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\F447.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 1348
    [2] C:\Users\Admin\AppData\Local\Temp\is-D8OM8.tmp\F447.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-D8OM8.tmp\F447.tmp" /SL5="$601FA,2349102,54272,C:\Users\Admin\AppData\Local\Temp\F447.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        PID: 5016
-
[1] C:\Users\Admin\AppData\Local\Temp\2F0F.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2F0F.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 584
    [2] C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
        - Executes dropped EXE
        PID: 4964
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -nologo -noprofile
            PID: 1900
    [2] C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        PID: 4672
        [3] C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 4956
            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
                - Suspicious use of WriteProcessMemory
                PID: 820
                [5] C:\Windows\SysWOW64\chcp.com
                    Command line: chcp 1251
                    PID: 1308
                [5] C:\Windows\SysWOW64\schtasks.exe
                    Command line: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
                    - Creates scheduled task(s)
                    PID: 4232
        [3] C:\Users\Admin\AppData\Local\Temp\nsp44A7.tmp
            Command line: C:\Users\Admin\AppData\Local\Temp\nsp44A7.tmp
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks processor information in registry
            PID: 4380
    [2] C:\Users\Admin\AppData\Local\Temp\FourthX.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
        - Executes dropped EXE
        PID: 4188
        [3] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            - Suspicious use of AdjustPrivilegeToken
            PID: 3860
        [3] C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe delete "UTIXDCVF"
            - Launches sc.exe
            PID: 1360
        [3] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            PID: 4996
            [4] C:\Windows\system32\wusa.exe
                Command line: wusa /uninstall /kb:890830 /quiet /norestart
                PID: 3188
        [3] C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
            - Launches sc.exe
            PID: 4192
        [3] C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe start "UTIXDCVF"
            - Launches sc.exe
            PID: 4028
        [3] C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe stop eventlog
            - Launches sc.exe
            PID: 4892
-
[1] C:\Users\Admin\AppData\Local\Temp\6255.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\6255.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 5000
-
[1] C:\Users\Admin\AppData\Local\Temp\9741.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\9741.exe
    - Executes dropped EXE
    PID: 1644
-
[1] C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
    Command line: C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
    PID: 584
    [2] C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        PID: 5084
    [2] C:\Windows\system32\conhost.exe
        Command line: C:\Windows\system32\conhost.exe
        PID: 3120
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        PID: 4868
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Create or Modify System Process (2)
  - Windows Service (2)
- Scheduled Task/Job (1)
Downloads
-
Filesize
11KB
MD5
a33e5b189842c5867f46566bdbf7a095
SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
-
Filesize
593KB
MD5
c8fd9be83bc728cc04beffafc2907fe9
SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.5MB
MD5
deeef20437d3b23eed705a961dcce21d
SHA1
075ee46aba44d13b4d5fa3ff12e1705af364614d
SHA256
62215ffb49f0951a20df86cd9a097626c0aaa8e75510cd3975d6081ec915eb32
SHA512
aed654d16310ec353a99f1264b3fdf91ea738bf2954599d9133971f4e24511d73ddb01e6d0c723b6ee6590f31fcb0ac68256cb61b6cc000fed1948c0320ece5a
-
Filesize
2.5MB
MD5
b03886cb64c04b828b6ec1b2487df4a4
SHA1
a7b9a99950429611931664950932f0e5525294a4
SHA256
5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512
21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659
-
Filesize
896KB
MD5
8c9607a8c8359d15ec05a327be0b80a8
SHA1
645ef703da82d57f169789d42c5c88625548bcc1
SHA256
924f06d5c5dfa4ac57ea02f3899d9e083a61844d3e86372fc5d71e0e184df233
SHA512
60880b8445341e3ad208977d2d328e497243dc6d5d51dc6a35923752f83cc8e621d6ca377d8638ef4415689f6e74e230bfa8a29953d639a5757bdf94a8d5dda1
-
Filesize
704KB
MD5
f30b31cd985bb3b4c2dced17df5ed9fb
SHA1
94a2218267ddd03b538636ace0593e38f52c9b5a
SHA256
b650d35b4c45c0ae9ff9a10df74e5d3c724a8e693a05706e61e798805a731645
SHA512
648ae868eaf7473a7922796d1e1572df192a81dc7ee38c6ca17b3ca8c81dc6af7b3539564fce58ba8c220a3154618e45dfb79640a96a14c56a51123a339b2213
-
Filesize
256KB
MD5
aeaefbc7191137e1e86080b4bb17345b
SHA1
64076073e426b71f9ff087708dab60a5daa9ef27
SHA256
dc1be7461d1d69d41070ee4dc78aa0cc93518c408ca78f2c57eff05d45d9032c
SHA512
f7bfa845d5730993bad78699c8d348621c785c4a9a8d58bbf9be58c1562cf7ff75fc42e42dcc512a1f312e9d34081e41218f0555b1817948b865faf442e0315e
-
Filesize
64KB
MD5
09daace6074ca06ea3737d622083d5dd
SHA1
eb5e13591e3e86cfd51c0f284ca323aace0d1501
SHA256
bb7d28c3a4d3efc1b473a7b07c4d4af8ce775d1461eae61f6913c81b745997b2
SHA512
b5eff759b219614869d18b50fe80490a75a76db474f5f55d783b991f7fb5ecbc7b904a956a42badb6e6b9b08921b9dc00e567ff786b7ea315a9222c6944cc541
-
Filesize
2.6MB
MD5
be4e08adb67b58113b8ffe1893c6f321
SHA1
fd32e0a3ccf052472630ce59ea134b03aecb0f58
SHA256
dfade7a38e519c11f4b001bfab3f4c9eeb6f7f077a0533c35a2c2f6820695421
SHA512
8bce21d8995e6f8d7a3e0632bfd891206c91be1d77c3db0eff61a15b07f7a58ebfb997b9a6bd9306b5722922136175e7b38d8382766ecc56fc77444c443d393b
-
Filesize
5.0MB
MD5
5a127694986cf7ccd6fcc0a7478b68d9
SHA1
1a7d70af0600f30e9c735a8cac63bbd3273d048b
SHA256
bc4af5a1e8110a25cac8490e8c67b86cd40f5a48801ce282e8a0918490245888
SHA512
395aeb4ed64aad79a4aac5c4cc92a221902e91f5ee98b3132082992c23e544ea7f3757032ea85672f4e159356c753179f25fa73034334bd47ac71544b35cae66
-
Filesize
163KB
MD5
0ca68f13f3db569984dbcc9c0be6144a
SHA1
8c53b9026e3c34bcf20f35af15fc6545cb337936
SHA256
9cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a
SHA512
4c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d
-
Filesize
2.5MB
MD5
56fddd1d25dfd8671136909069c15266
SHA1
479e9718829a0bfaf79899b025149a8cda8b0495
SHA256
c2a643e819ffd588bfe282efe5a24727bdd0af0558bdef6a57575cfb5cfaa70f
SHA512
fa7a8b747ad3e53097e8df901df283408621ca491a1c06c62a721a72794e6ce11e185829bf11cd6314717f50ff0dd31d5cb7b693bcb7eac6c4b755685351ff10
-
Filesize
1.9MB
MD5
abdb0fc1589c9e4b85abd90c4aeaadd8
SHA1
c34042fc0a4ca9a0c85c2d97b3b38adcf3dcb1fb
SHA256
6354a8d08b1cfd002a89ee919f9561adae52d886aeb506d6ade6600b492b01d4
SHA512
3d8351d6ba9945301c189dab8bda2218fd60db25a28a5bdf6e519b28b64d51bd9fbc83504e9da5d59b26deb34ea7c91b88a23e5fe93f8a8e076ed17b240162c8
-
Filesize
1.6MB
MD5
95bf71504e0b7d40a0b230128eda2910
SHA1
d544e844f5bdbe1ddc3df0bdc5dd47fbc89c0aca
SHA256
f5bc93a03932e8dae0bf721685ac6bcc7052662ed709013617806cb6294fc373
SHA512
c008a5ef865a50dfe40e8a8c7c64200265a8ed41987651b0e0915294f4d43019ad8aaf53c49881596dc0088a589f45e223ced97c12de6dab36b7284620f3babd
-
Filesize
2.9MB
MD5
a4f5f9847a2832716cd5d277e0e5a7c6
SHA1
4eb056c5d2f7c5d5446aabf3923d851e6e79bbb7
SHA256
a27ca48051ef259e682baf3e819b82b40caaa19f1d749469335000155dfde548
SHA512
13945c10c1b1d43fa276cb5f38607b160787f7a2f834f055250c2cb81b194e7ddc935affb8981ea1e6792aea92c9c349a6642c8e5b28e59a3c4a01d731f499d3
-
Filesize
3.0MB
MD5
9ed08c5738d2181288a020b8cc63e452
SHA1
059faa5b9f454d481cc59c51c39cfd2711eb2cde
SHA256
b6d6a0971e9da925f7be123080c2396cae83f2dd195f6324a6c76fb99eb13620
SHA512
f213e46e04f2a4b080ddf71fe394a06fcc9f1a42ec81b4abaf470d15755fc230095c20d12d15d1147f33632ca7efed56b3630b823e950ddcfccab4b8a229ff7e
-
Filesize
2.0MB
MD5
7aecbe510817ee9636a5bcbff0ee5fdd
SHA1
6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256
b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512
a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae
-
Filesize
1.1MB
MD5
ae2581d517391e8b5e0efc9f5f6ec926
SHA1
7a111027e39d14e8ca1389550e1c557df6b833fb
SHA256
f211956e306c81c84fba75d3e82adcd854a19303258906aeb320e047b86f8ebf
SHA512
dca94b622c86f6c6d62978f809aa0991f0f8a7ab0f84cd945633c828d1d05408bead142ecddde7b92ce91391864b6bcefe2cd1e46ad85c942784b58ec348efc1
-
Filesize
1.1MB
MD5
4edeff5dde798f98e3350ee909a34c2e
SHA1
8a5bed7a25016e6241399dc39b6247a42f483439
SHA256
6e1c29596ca0552e3610c1db4ed31aaa9b293762661a855a201da588341f3b7e
SHA512
ba0829b325a37119915649cf78e1fd7d44cd9331f2119ffaed9abfabc23b4665e78ea5d0f24445ba97bbd3c554e75e2eda8174395af11fc0c6bf6de148940ee3
-
Filesize
462KB
MD5
b24cf0af7c58489dfed22d6cd814effe
SHA1
ebbb344fa52d05e4104eb9389f80860a0d4ff039
SHA256
391b77cd29d1b20f3bd7a8a08f5ce0027146ee909f061914209d23875684ebf6
SHA512
219695f483adf09b38212e51f4f7b75250b2d07bf714e1d753fedf7e840832607a39fc32d992843c0480b0ec6fcbfe675c1fa5b28bbc2d30bde68758bd65bfe2
-
Filesize
560KB
MD5
e6dd149f484e5dd78f545b026f4a1691
SHA1
3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256
11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512
0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b
-
Filesize
915KB
MD5
27b1a15e825dd98b117614fa3aafc2e3
SHA1
4b8d5230ba222426bdf4c1920c6847ce1f0266bc
SHA256
bea4d7f93ca1d9716e4f3d7ef99e583a197d3f8d9b8f358b048bbcee50d4927b
SHA512
3ed2c6213ef2380c3d6db6241c4fb0ed786327c4bca9a2e5078f54c072788564f2778166b32206b830375ea21fdb8f285be313020807d14e65ec3611eb64f1a8
-
Filesize
848KB
MD5
3418def18982652c437fb29bc9dd371c
SHA1
70f81689cda69c536e08a891ecd41eb246a0ec3c
SHA256
2f12308d4525544d5c18e8d836d12ff38e6899409e0efad9c332b082cd2c03a1
SHA512
9feb4bab4148e59bd87a99d1f9d99ede760f4746a7de639d8653010ddee855239f4d6360b2c80507187c15334b3a75bbfb9a432e923c287f68ade4b51bdfb508
-
Filesize
2.1MB
MD5
62fb6e9c5d9d7542af9c141a0f860992
SHA1
ee0836d9c9c259d1e75cc8a9a8ebdd88ea1b01db
SHA256
69a2e13a0b31019893de9fee03eefd52ae3aef1a37c9ab4f21f9dc0155f16ef5
SHA512
e3c9e2dd1da1a19ffd1cf5edfec1dcf7d287505fc2951264e6ddb27c96f4857ebed60640ece133120091806523af06004a5fb0f0ce7a68e98027298eb304707a
-
Filesize
2.4MB
MD5
c0a62641779a00a6ee4c01686de53107
SHA1
1cb45213ea856f778f2dd76983420139e64d17ab
SHA256
2312e31bb06e52e177d4a7ff2bc2d508c44ee1959dfc85ba99c0c5b5f80b7fdb
SHA512
7a1cdf556bce31591885812c48f013f3d5250ed4f0e2eacd239bc9366b42a48508cc92434138cc31703a28add32a9ce3efc11a289db1b5848a75ac5c33c39303
-
Filesize
2.0MB
MD5
28b72e7425d6d224c060d3cf439c668c
SHA1
a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256
460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA512
3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
539KB
MD5
58deb1f2f6abb82f16cc4d089e4309ce
SHA1
4951d4cf23936670af1faea7e9aff3bf4a976f70
SHA256
95e67eb0fce00ca4cd021ce8dedb61326881f30b908f36adae7ded7ea9d4f7ce
SHA512
01c9e1e6a4d2b3812db75c962a883f366ba7e42c28a37f8dd67d824d71aeed87ea8873bc1d1e4e4b9149326256778b761f299f360d07ec61ba145eb25a8cc682
-
Filesize
487KB
MD5
3340d143662cfbfb99273ce0ac9e1a34
SHA1
11ae91048f408c11e93b0e7cb439e416ba57b1ce
SHA256
941c79b5170d94a5d91a3c5a5326002c9dd770e343559bd6e055260ab23a1381
SHA512
4683b85b4a097052f48167e415978dfcd63ddec366b53a12013863fe29b7384d3a94aea25411aa7769d9dbbca5514b232b96cb9723ca48fca41831b5272d29ac
-
Filesize
192KB
MD5
9089c5ddf54262d275ab0ea6ceaebcba
SHA1
4796313ad8d780936e549ea509c1932deb41e02a
SHA256
96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a
SHA512
ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c
-
Filesize
128B
MD5
11bb3db51f701d4e42d3287f71a6a43e
SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2
-
Filesize
164KB
MD5
c7e909d16fbebfbaf79cfb035ca2a39e
SHA1
2a532e5373cf513995ca3062b6ce110be8785f64
SHA256
8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c
SHA512
db5c922281a8827438fa05606dc1944e03638656fc7fff2ffdbbf7642acc0fe2387df7488c1be739aacd58096b7a0f22cefa894b28d5a7eb885772d8edcd5f35
-
Filesize
1.8MB
MD5
c8fd377288d30e53e199d46090b8f1f4
SHA1
d7cccc2ccdcbbbd031677e8cd7545e6e96c3fd56
SHA256
dce78b0f4368655b8ad514467967c543035e6dee01c57177e94d063a2ae85233
SHA512
2977586f207fc663ef1d885cf57e3ed478311680cf80e2e1de521d13c073c840283426c57037ed00af02a8efa4ac8602c36c5964b4ec8888fb5a44fbb9ae641f
-
Filesize
1.9MB
MD5
e365002c794423e4072d83b42330a97b
SHA1
7213e658f511e9ba1951dcbda807bf0272a21663
SHA256
77c709fa16ffc095898d3f7a7c0d2fb1232f7d3e487b69a5f654321224a0fcdd
SHA512
3e94791eff16f4ec2c618b24020f8f8843a2805ea762d801d7f2d4116a8bcb8b3ed508c7d2634fe578ca092eaa847073d12faf4aae68a9541e34888514fec8ec
-
Filesize
42KB
MD5
3214eb9a7085b54ed45ef107f5d23af3
SHA1
cbeaf79f126fc8ce0f0d4e6625638cfe3013c357
SHA256
142b169237563aa871dd5078ac3bc6ebe583c57c89a898f8e422eeda8c8211fb
SHA512
bef57689faed8e3a2a8b5a1aef0aef682ff4280ab9dea9db0f66790da01492151e3f95d516afac3a01c7bc70fe66bd0844259fe16c6e377180e8ecacb3ae0d8c
-
Filesize
2KB
MD5
a69559718ab506675e907fe49deb71e9
SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
13KB
MD5
a813d18268affd4763dde940246dc7e5
SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4
-
Filesize
25KB
MD5
40d7eca32b2f4d29db98715dd45bfac5
SHA1
124df3f617f562e46095776454e1c0c7bb791cc7
SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d