Analysis

max time kernel: 1027s
max time network: 1025s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-10-2024 13:38
Static task: static1
Behavioral task: behavioral1
Sample: Solara.exe
Resource: win10v2004-20241007-en
Errors

General

Target: Solara.exe
Size: 796KB
MD5: e91f3ec430934cf29cda88d9b730d893
SHA1: 6453d1f200f568b7964861c683a4f519431a9468
SHA256: 4960838a390adf1ea412850ca14f15ce7c201fa967c0089df97742ee517ed0fe
SHA512: cc6afc8a20943ef7d18aaddde9f9257dbd7d0913aeb5ef66734cd593e580ecddde7a0706e4415c202655536b0665ce81116fd5ed487d3311caa10b33fbb7406b
SSDEEP: 12288:wyveQB/fTHIGaPkKEYzURNAwbAg/KyEbx/j76eLaOfqPCm+3KP8ps1uZ:wuDXTIGaPhEYzUzA0kyE1jue+AvUG
Malware Config

Extracted: xworm
- 127.0.0.1:1764
- cash-hispanic.gl.at.ply.gg:1764
- Install_directory: %AppData%
- install_file: explorer.exe
- telegram: https://api.telegram.org/bot8013268995:AAHt5-BJsAIEM9hnoTy17y1WYC4NnCMU398/sendMessage?chat_id=5405936031

Extracted: gurcu
- https://api.telegram.org/bot8013268995:AAHt5-BJsAIEM9hnoTy17y1WYC4NnCMU398/sendMessage?chat_id=5405936031
Signatures

Detect Xworm Payload (2 IoCs)
resource / yara_rule:
- behavioral1/files/0x0008000000023ca2-6.dat / family_xworm
- behavioral1/memory/692-23-0x0000000000860000-0x000000000087A000-memory.dmp / family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process:
- 452 powershell.exe
- 5068 powershell.exe
- 4036 powershell.exe
- 1916 powershell.exe
Checks computer location settings (2 TTPs, 5 IoCs)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process:
- Key value queried / \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation / Solara.exe
- Key value queried / \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation / BootstrapperV21.exe
- Key value queried / \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation / oyowkx.exe
- Key value queried / \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation / TrojanXD.exe
- Key value queried / \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation / WScript.exe

Drops startup file (2 IoCs)
description / ioc / Process:
- File created / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.lnk / BootstrapperV21.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

Executes dropped EXE (21 IoCs)
pid / Process:
- 692 BootstrapperV21.exe
- 2688 Bootstrapper.exe
- 2160 explorer.exe
- 2500 explorer.exe
- 4800 explorer.exe
- 2924 explorer.exe
- 2420 explorer.exe
- 916 explorer.exe
- 2204 explorer.exe
- 5044 explorer.exe
- 212 explorer.exe
- 212 explorer.exe
- 1916 explorer.exe
- 3740 explorer.exe
- 1448 explorer.exe
- 3448 oyowkx.exe
- 3332 TrojanXD.exe
- 4404 explorer.exe
- 1904 explorer.exe
- 3300 explorer.exe
- 4916 explorer.exe
Modifies system executable filetype association 2 TTPs 47 IoCs
Adds Run key to start application (2 TTPs, 1 IoCs)
description / ioc / Process:
- Set value (str) / \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" / BootstrapperV21.exe

Drops desktop.ini file(s) (17 IoCs)
description / ioc / Process:
- File opened for modification / C:\Users\Admin\Contacts\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Pictures\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Documents\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Music\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\OneDrive\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Pictures\Camera Roll\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Videos\desktop.ini / BootstrapperV21.exe
- File opened for modification / F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\3D Objects\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Favorites\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Desktop\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Pictures\Saved Pictures\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Saved Games\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Searches\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Downloads\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Favorites\Links\desktop.ini / BootstrapperV21.exe
- File opened for modification / C:\Users\Admin\Links\desktop.ini / BootstrapperV21.exe

Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description / ioc / Process:
- File opened for modification / \??\PhysicalDrive0 / TrojanXD.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description / ioc / Process:
- Set value (str) / \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" / BootstrapperV21.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / Process:
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer / msedge.exe
- Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName / msedge.exe
- Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS / msedge.exe
Modifies registry class 64 IoCs
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process:
- 1340 schtasks.exe

Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid / Process:
- 4328 vlc.exe
Suspicious behavior: EnumeratesProcesses 31 IoCs
pid Process 452 powershell.exe 452 powershell.exe 5068 powershell.exe 5068 powershell.exe 4036 powershell.exe 4036 powershell.exe 1916 powershell.exe 1916 powershell.exe 692 BootstrapperV21.exe 872 msedge.exe 872 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 1840 identity_helper.exe 1840 identity_helper.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe 692 BootstrapperV21.exe -
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid / Process:
- 4328 vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid / Process:
- 3972 msedge.exe
- 3972 msedge.exe

Suspicious use of AdjustPrivilegeToken (28 IoCs)
description / pid / Process:
- Token: SeDebugPrivilege / 692 / BootstrapperV21.exe
- Token: SeDebugPrivilege / 2688 / Bootstrapper.exe
- Token: SeDebugPrivilege / 452 / powershell.exe
- Token: SeDebugPrivilege / 5068 / powershell.exe
- Token: SeDebugPrivilege / 4036 / powershell.exe
- Token: SeDebugPrivilege / 1916 / powershell.exe
- Token: SeDebugPrivilege / 692 / BootstrapperV21.exe
- Token: SeDebugPrivilege / 2160 / explorer.exe
- Token: SeDebugPrivilege / 2500 / explorer.exe
- Token: SeDebugPrivilege / 4800 / explorer.exe
- Token: SeDebugPrivilege / 2924 / explorer.exe
- Token: SeDebugPrivilege / 2420 / explorer.exe
- Token: SeDebugPrivilege / 916 / explorer.exe
- Token: SeDebugPrivilege / 2204 / explorer.exe
- Token: SeDebugPrivilege / 5044 / explorer.exe
- Token: SeDebugPrivilege / 212 / explorer.exe
- Token: SeDebugPrivilege / 212 / explorer.exe
- Token: SeDebugPrivilege / 1916 / explorer.exe
- Token: SeDebugPrivilege / 3740 / explorer.exe
- Token: SeDebugPrivilege / 1448 / explorer.exe
- Token: SeDebugPrivilege / 3332 / TrojanXD.exe
- Token: SeDebugPrivilege / 3332 / TrojanXD.exe
- Token: 33 / 5028 / AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege / 5028 / AUDIODG.EXE
- Token: SeDebugPrivilege / 4404 / explorer.exe
- Token: SeDebugPrivilege / 1904 / explorer.exe
- Token: SeDebugPrivilege / 3300 / explorer.exe
- Token: SeDebugPrivilege / 4916 / explorer.exe
Suspicious use of FindShellTrayWindow 35 IoCs
pid Process 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe -
Suspicious use of SendNotifyMessage 32 IoCs
pid Process 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 3972 msedge.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe 4328 vlc.exe -
Suspicious use of SetWindowsHookEx (2 IoCs)
pid / Process:
- 692 BootstrapperV21.exe
- 4328 vlc.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\Solara.exe (PID 3868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe (PID 692)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe"
    Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Adds Run key to start application; Drops desktop.ini file(s); Sets desktop wallpaper using registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 452)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\BootstrapperV21.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5068)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'BootstrapperV21.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4036)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\explorer.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1916)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'explorer.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\schtasks.exe (PID 1340)
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "explorer" /tr "C:\Users\Admin\AppData\Roaming\explorer.exe"
      Signatures: Scheduled Task/Job: Scheduled Task
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3972)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
      Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4516)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc865446f8,0x7ffc86544708,0x7ffc86544718
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2996)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 872)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
        Signatures: Suspicious behavior: EnumeratesProcesses
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1464)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 932)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2972)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 5036)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1840)
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,6407733943469418952,11170015373516670425,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
        Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\AppData\Local\Temp\oyowkx.exe (PID 3448)
      Command line: "C:\Users\Admin\AppData\Local\Temp\oyowkx.exe"
      Signatures: Checks computer location settings; Executes dropped EXE
      - C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe (PID 3332)
        Command line: "C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe"
        Signatures: Checks computer location settings; Executes dropped EXE; Writes to the Master Boot Record (MBR); Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\cmd.exe (PID 916)
          Command line: "C:\Windows\System32\cmd.exe" /k reg delete HKCR /f
          - C:\Windows\system32\reg.exe (PID 2284)
            Command line: reg delete HKCR /f
            Signatures: Modifies system executable filetype association; Modifies registry class
      - C:\Windows\System32\WScript.exe (PID 4816)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
        Signatures: Checks computer location settings
        - C:\Program Files\VideoLAN\VLC\vlc.exe (PID 4328)
          Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Hamster.mp3"
          Signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe (PID 2688)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\explorer.exe (PID 2160)
  Command line: C:\Users\Admin\AppData\Roaming\explorer.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe (PID 5068)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4728)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Users\Admin\AppData\Roaming\explorer.exe (PID 2500)
  Command line: C:\Users\Admin\AppData\Roaming\explorer.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID 1964)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Windows\System32\fontview.exe"C:\Windows\System32\fontview.exe" C:\Users\Admin\Downloads\SuspendCompare.otf1⤵PID:808
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2420
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:916
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2204
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5044
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:212
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:212
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1448
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x39c 0x49c1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4404
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1904
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3300
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916
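Three behaviours in the tree above are worth turning into host detections: an `explorer.exe` that is launched again and again as a top-level process from `C:\Users\Admin\AppData\Roaming` (the real shell only lives under `C:\Windows`, and the repeated launches fit the Scheduled Task technique listed in the ATT&CK section below), a `reg delete HKCR /f` spawned through `cmd.exe` under `TrojanXD.exe`, and `WScript.exe` running `script.vbs` out of the user's Temp directory. The Python below is an added example, not part of the sandbox report or of any tool it mentions. It applies those rules, plus a noisier "executable run from Temp" rule, to process-creation events constructed from the command lines in the tree together with two benign control events. The event field names (`pid`, `image`, `cmdline`, `parent_image`) and the rule names are assumptions; on a real host they map onto Sysmon Event ID 1 or Security Event ID 4688 fields.

```python
"""Process-creation detection rules for the behaviours in the tree above.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the command lines and PIDs shown in the tree plus two benign controls;
the field names are an assumption standing in for Sysmon EID 1 / 4688 data.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    image: str              # full path of the executable image
    cmdline: str
    parent_image: str = ""


@dataclass
class Finding:
    rule: str
    pid: int
    reason: str


def _lowered(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return ntpath.basename(_lowered(path))


# Each rule returns a reason string on a hit, None otherwise.

def rule_explorer_outside_windows(ev: ProcEvent):
    """explorer.exe is only legitimate under %SystemRoot%; every
    C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe launch above hits this."""
    img = _lowered(ev.image)
    if _basename(img) == "explorer.exe" and not img.startswith("c:\\windows\\"):
        return f"explorer.exe masquerade at {ev.image}"
    return None


def rule_reg_delete_hkcr(ev: ProcEvent):
    """reg.exe (or the cmd.exe that launches it) deleting the HKCR hive root,
    as in the TrojanXD.exe chain. A subkey such as HKCR\\.exe is not matched."""
    if _basename(ev.image) in ("reg.exe", "cmd.exe") and re.search(
        r"\breg(?:\.exe)?\s+delete\s+(?:hkcr|hkey_classes_root)\b(?!\\)",
        ev.cmdline, re.I,
    ):
        return "reg delete against the HKCR hive root"
    return None


def rule_script_host_from_temp(ev: ProcEvent):
    """wscript/cscript executing a script stored in %LOCALAPPDATA%\\Temp."""
    if _basename(ev.image) in ("wscript.exe", "cscript.exe") and re.search(
        r"\\appdata\\local\\temp\\[^\"\s]+\.(?:vbs|vbe|js|jse|wsf)\b",
        ev.cmdline, re.I,
    ):
        return "script host executing from %LOCALAPPDATA%\\Temp"
    return None


def rule_exe_from_temp(ev: ProcEvent):
    """Image located in a user Temp directory (oyowkx.exe, TrojanXD.exe,
    Bootstrapper.exe above). Noisy where installers are common; tune it by
    parent process or signer before alerting on it alone."""
    if re.search(r"\\appdata\\local\\temp\\[^\\]+\.exe$", _lowered(ev.image)):
        return "dropped executable run from Temp"
    return None


RULES = [rule_explorer_outside_windows, rule_reg_delete_hkcr,
         rule_script_host_from_temp, rule_exe_from_temp]


def evaluate(events) -> list[Finding]:
    findings = []
    for ev in events:
        for rule in RULES:
            reason = rule(ev)
            if reason:
                findings.append(Finding(rule.__name__, ev.pid, reason))
    return findings


# Constructed telemetry mirroring the tree (not captured logs).
SAMPLE_EVENTS = [
    ProcEvent(3448, r"C:\Users\Admin\AppData\Local\Temp\oyowkx.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\oyowkx.exe"'),
    ProcEvent(3332, r"C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe"',
              r"C:\Users\Admin\AppData\Local\Temp\oyowkx.exe"),
    ProcEvent(916, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /k reg delete HKCR /f',
              r"C:\Users\Admin\AppData\Local\Temp\TrojanXD.exe"),
    ProcEvent(2284, r"C:\Windows\system32\reg.exe", "reg delete HKCR /f",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(4816, r"C:\Windows\System32\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"'),
    ProcEvent(2160, r"C:\Users\Admin\AppData\Roaming\explorer.exe",
              r"C:\Users\Admin\AppData\Roaming\explorer.exe"),
    # Benign controls: the real shell, and Edge from Program Files.
    ProcEvent(4000, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(1464, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility'),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid:<5} {f.reason}")
```

The first three rules are specific enough to page on; the Temp rule is there because "Executes dropped EXE" is what the sandbox flagged, but on a corporate fleet it should feed a hunt query or be combined with a parent-process condition rather than alert on its own.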
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
- Pre-OS Boot (1)
  - Bootkit (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Component Object Model Hijacking (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
- Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

- Filesize: 152B
  MD5: ba6ef346187b40694d493da98d5da979
  SHA1: 643c15bec043f8673943885199bb06cd1652ee37
  SHA256: d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
  SHA512: 2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

- Filesize: 152B
  MD5: b8880802fc2bb880a7a869faa01315b0
  SHA1: 51d1a3fa2c272f094515675d82150bfce08ee8d3
  SHA256: 467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
  SHA512: e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

- Filesize: 6KB
  MD5: 719cec0af15c9541c12e6f12673323ec
  SHA1: 04dc95ccaf7714569d120b01d488c52553c3faf0
  SHA256: f129e6f63721dadc5222683d13b33e32d5ad65a6b5a36df3464177a0f4f94141
  SHA512: 8538ef90410e7254fa6fb83cb87077bcbbac43a0e01a7719c30dca2e9df0b807ca0b5be40db76450e04745a7c072bbec63f5cb286a0527690e11cc0ba607e935

- Filesize: 6KB
  MD5: 93ebcaa39ab7655044332cdd1fea1837
  SHA1: 6e132c694a364b660ae1287de1efa6d62fdb1d62
  SHA256: 8a77b1ff8a44c0ab434cc319bb8695c72b7854697d1772a09ff4a4bc9df2a64f
  SHA512: d0ea8a6898ead1688aa37d3ca8104222193766f202b82f0a7aabb094e33017a32b715bb91b86785f41da09cb1d9a1aaceed7e22ca427e8efe7b5ac2433a5958f

- Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

- Filesize: 16B
  MD5: 206702161f94c5cd39fadd03f4014d98
  SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

- Filesize: 10KB
  MD5: a623880bc9e7fa386cda37fd4fb5f16f
  SHA1: 9e36e3b80d0cf82826c71cde3fd565dea594332e
  SHA256: 2d962ca4806ecc0f018356a76c3da9f031702f09a1d92b4c8f95f37098f0c723
  SHA512: 9233575763d61805f6deed9aac53fc94c7131c49663c7b1a3fd95d1524eb4b9f21f3ff8fcc61ce5be811d8c79e8d5f4df447f13e01e158ed3dbf11ada33ad62c

- Filesize: 264KB
  MD5: f50f89a0a91564d0b8a211f8921aa7de
  SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

- Filesize: 944B
  MD5: d28a889fd956d5cb3accfbaf1143eb6f
  SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
  SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
  SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

- Filesize: 944B
  MD5: 07ab6cc81c5230a598c0ad1711b6bd97
  SHA1: de7e270e12d447dfc5896b7c96777eb32725778a
  SHA256: 900aa2c83ec8773c3f9705f75b28fff0eaca57f7adb33dc82564d7ea8f8069a3
  SHA512: ffef0ad0824ea0fdab29eb3c44448100f79365a1729c7665eba9aef85a88e60901bc6a6c248de15a28d21be9ce5839d68861e4449ff557d8845927c740ba3a25

- Filesize: 944B
  MD5: b3bc9ca267ea2969eb6201d77e58560c
  SHA1: 78f83a443aa1ca235edcab2da9e2fda6fecc1da4
  SHA256: 7ea18b6f900f2c30a5c34845d62d4fe9fc1f11e40714b3dbd69592cbfb5dc695
  SHA512: 8cc70e4f88f3d9f59beec22dafdb403144f7f390250205e08279a2f8e01e783af44ae31aa4a8a7ea05865b05303ac5e5048f7fb44488be538d9701b6195e9b28

- Filesize: 796KB
  MD5: 4b94b989b0fe7bec6311153b309dfe81
  SHA1: bb50a4bb8a66f0105c5b74f32cd114c672010b22
  SHA256: 7c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659
  SHA512: fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d

- Filesize: 77KB
  MD5: b3a1a7ef45c3a920f515adc541ee75f4
  SHA1: fa69e1c57709dfa076e792509e6c77d297e47664
  SHA256: 5cb0406be361324ecaeaa54238d82b24dffdfff8ae35dd2a59301e83e71d9d79
  SHA512: 8628cbac85e04d9f0ada20e6f46c74d3e22edda7095043e1f61bcfd7836b54f29f4dde6de6c72309fd8f7cf66a2d69d1fe7288914a213c35b1d40f7d98e4271c

- Filesize: 2.1MB
  MD5: 1a7155c17d58427879fbcee961df0faf
  SHA1: 655d78a73fd07c97eaa06a4a358419af8719d630
  SHA256: 2c716f935bff0b8cde906f2144c91fb70dcc5914c11c54423f3f10290a1795b7
  SHA512: 1f75e168d8c61f45c3635a0a38627ca2f8ccbf89971eaa43212d97bcd42fea012428eb61660b1acc0d2ef0c90d9b6eb6d3a2b066470cb3709323cc4c8ad554e4

- Filesize: 14KB
  MD5: 9776b41cc11329e32ca35a161f0af774
  SHA1: 307fa631ef36f00540c27565bf6adaec8ed4ceef
  SHA256: c982e9c712dd27f31cc419ec6b420238e83587b6e021da256568c9237d01944c
  SHA512: 172585383a63b99693ca386f683055e92152c28cd0e9a3c643dfa61a4147cc600ca69d7b79093217f0cc020590614c88fa8df8026dacfb8b6eeb7eb1bed65487

- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

- Filesize: 2.5MB
  MD5: bd950f6c677cd5e6c0d39fe8e6543e37
  SHA1: 4f24cb7586abdcdb6791d857e52d16e352eed09a
  SHA256: b518bffc32040e3c830ecb74fe2b16ae24f8ba22f4730e05221e9dcdb452235d
  SHA512: 76ce2774d482811c378739532fdb40ec491ac32a4984b8df67340cf9994f5e35ee8bb1045ebd379413d9dce264defdadf0f15c91f8fce7febbadade8d3dc3946

- Filesize: 240B
  MD5: 92532347e1ab8bddbf09a71a1ca7f808
  SHA1: dd765c6e8b69f52895fe92f32fd6b8817ce2a3ee
  SHA256: 5a5395c770d86eecd51da9c8612ad27e0bb85359788a64af8cb5e380362de4a7
  SHA512: 481a5188d5fa2a512cd101c909a580af61795406c9df9a32066e2084538779ffa909ab6e484afdd7086b07491a3f95b9cd84ad47b02454a0e9c38c35eca1c342

- Filesize: 412B
  MD5: 449f2e76e519890a212814d96ce67d64
  SHA1: a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd
  SHA256: 48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7
  SHA512: c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738

- Filesize: 644B
  MD5: 2abb0c0187d8d8a532e656c378c5d197
  SHA1: b9a5bcc295b6883547102ab307302295e4feb214
  SHA256: cadde1cd76cc3dbc5bd41e12eab2c426a0dd422194175c1d7267c8ba16592749
  SHA512: 3ca0db778c0c85cb89dce61997ce474077b8264e3916abc1cd76ed21dc472a54158c902303e959461bc78b8bde7a9e184776693402a28a689a44fa75a948d4fc

- Filesize: 282B
  MD5: 9e36cc3537ee9ee1e3b10fa4e761045b
  SHA1: 7726f55012e1e26cc762c9982e7c6c54ca7bb303
  SHA256: 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
  SHA512: 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

- Filesize: 402B
  MD5: ecf88f261853fe08d58e2e903220da14
  SHA1: f72807a9e081906654ae196605e681d5938a2e6c
  SHA256: cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844
  SHA512: 82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

- Filesize: 617KB
  MD5: 500cfb1051537b1574b08671b47ceeeb
  SHA1: daeab83ee4cb2e94e5f50128ade8acecf4a1a20d
  SHA256: e009d9bcee84245108bfcca69fc8ff1f3f43c2e9ef31d6dca9d4140eea686ceb
  SHA512: f718b99f5da7a52d8361181aa93581e6cafaf12c2383f9f091357de062cb34bc9a96210de64f47539a405136ab27d108fb3bfdfe5266de55946c36b7654f1df4

- Filesize: 282B
  MD5: 3a37312509712d4e12d27240137ff377
  SHA1: 30ced927e23b584725cf16351394175a6d2a9577
  SHA256: b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3
  SHA512: dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

- Filesize: 402B
  MD5: 881dfac93652edb0a8228029ba92d0f5
  SHA1: 5b317253a63fecb167bf07befa05c5ed09c4ccea
  SHA256: a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464
  SHA512: 592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

- Filesize: 504B
  MD5: 3b960da228cc489b622697659c885d64
  SHA1: 00686a12f1a43501f6eea2140da9be141a11bd3b
  SHA256: a4234e2cf44c57609fd7cb0f9f0a33ee136b542fba5121ac02d85b38fb2ea02d
  SHA512: 3cc46f016865b3d541506cb15d7b22c83e1434bf73de23b158101aff08532eac29a6d9709060e9681cbeb375e2f843497ce80c3085579a8266c7f22b9567efd6

- Filesize: 504B
  MD5: 06e8f7e6ddd666dbd323f7d9210f91ae
  SHA1: 883ae527ee83ed9346cd82c33dfc0eb97298dc14
  SHA256: 8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68
  SHA512: f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98

- C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
  Filesize: 16B
  MD5: db11d0f1cfa068b6e9e446ad575e19a5
  SHA1: 2a231b1b0e2d96e3df3a48d5f1578f0af6444c21
  SHA256: 46ca0aaa44cee88be393eb445e970f9849ded8fb99b4f8cf707e12358ff2eaa8
  SHA512: e59c233fc47a44c9303c90a427cdf645348eb74c62e64284dad01665289c01f90cd7677c9b101f0855329cd7d29547a0443d253a6effdb1393fcb24f1549e14b

- Filesize: 96B
  MD5: c193d420fc5bbd3739b40dbe111cd882
  SHA1: a60f6985aa750931d9988c3229242f868dd1ca35
  SHA256: e5bfc54e8f2409eba7d560ebe1c9bb5c3d73b18c02913657ed9b20ae14925adc
  SHA512: d983334b7dbe1e284dbc79cf971465663ca29cec45573b49f9ecdb851cdb6e5f9a6b49d710a1553bdae58c764887c65ba13fd75dfdd380c5c9ef9c0024aa3ef0

- Filesize: 504B
  MD5: 29eae335b77f438e05594d86a6ca22ff
  SHA1: d62ccc830c249de6b6532381b4c16a5f17f95d89
  SHA256: 88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4
  SHA512: 5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

- Filesize: 282B
  MD5: b441cf59b5a64f74ac3bed45be9fadfc
  SHA1: 3da72a52e451a26ca9a35611fa8716044a7c0bbc
  SHA256: e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311
  SHA512: fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3

- Filesize: 524B
  MD5: 089d48a11bff0df720f1079f5dc58a83
  SHA1: 88f1c647378b5b22ebadb465dc80fcfd9e7b97c9
  SHA256: a9e8ad0792b546a4a8ce49eda82b327ad9581141312efec3ac6f2d3ad5a05f17
  SHA512: f0284a3cc46e9c23af22fec44ac7bbde0b72f5338260c402564242c3dd244f8f8ca71dd6ceabf6a2b539cacc85a204d9495f43c74f6876317ee8e808d4a60ed8

- Filesize: 504B
  MD5: 50a956778107a4272aae83c86ece77cb
  SHA1: 10bce7ea45077c0baab055e0602eef787dba735e
  SHA256: b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978
  SHA512: d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a
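The listing above is a flat dump: one label and value per line, records separated by a bare "-", and the filename kept for only one entry. Turning that into something a blocklist or hunt query can consume means parsing the layout, checking that each digest has the right length for its algorithm, and converting the human-readable size to bytes. The Python below is an added example, not part of the report or of any tool it mentions. It accepts the fused form the page uses (`MD52ff39f...`, `Filesize16B`), the label-on-its-own-line form (`Filesize` followed by `654B`), and a `Label: value` form. `SAMPLE` copies three records from the listing verbatim and adds one constructed malformed record; the blocklist line layout (`sha256  size  name`) is an assumption rather than any product's native format.

```python
"""Turn a sandbox report's flat 'Downloads' hash listing into IoC records.

Added example; not part of the report. SAMPLE copies three records from the
listing above verbatim plus one constructed malformed record. The blocklist
line layout is an assumption, not any tool's native format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# SHA256/SHA512 come before SHA1 so that 'SHA256...' is never read as SHA1.
_FIELD = re.compile(r"^(Filesize|MD5|SHA256|SHA512|SHA1)\s*:?\s*(\S*)\s*$")


@dataclass
class Artifact:
    name: str | None = None             # only present when the report kept the path
    size: int | None = None             # bytes
    hashes: dict[str, str] = field(default_factory=dict)
    problems: list[str] = field(default_factory=list)


def parse_size(text: str) -> int:
    """'654B' -> 654, '796KB' -> 815104, '2.1MB' -> 2202009 (binary units assumed)."""
    m = re.fullmatch(r"([0-9]+(?:\.[0-9]+)?)\s*(B|KB|MB|GB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size {text!r}")
    return int(float(m.group(1)) * SIZE_UNIT[m.group(2)])


def _set(a: Artifact, label: str, value: str) -> None:
    if label == "Filesize":
        try:
            a.size = parse_size(value)
        except ValueError as exc:
            a.problems.append(str(exc))
        return
    digest = value.lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LEN[label], digest):
        a.problems.append(f"{label} is not {HASH_LEN[label]} hex chars: {value}")
    a.hashes[label] = digest


def parse_listing(text: str) -> list[Artifact]:
    records: list[Artifact] = []
    cur: Artifact | None = None
    pending: str | None = None           # label seen on a line of its own
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                  # record separator as rendered on the page
            cur, pending = None, None
            continue
        if cur is None:
            cur = Artifact()
            records.append(cur)
        if pending is not None:
            _set(cur, pending, line)
            pending = None
            continue
        m = _FIELD.match(line)
        if m is None:
            cur.name = line              # a path line such as C:\Users\...\NTUSER.DAT...
        elif m.group(2):
            _set(cur, m.group(1), m.group(2))
        else:
            pending = m.group(1)
    return [r for r in records if r.hashes or r.size is not None]


def to_blocklist(artifacts: list[Artifact]) -> list[str]:
    """One 'sha256  size  name' line per unique SHA256; records with problems are dropped."""
    seen: set[str] = set()
    out: list[str] = []
    for a in artifacts:
        h = a.hashes.get("SHA256")
        if not h or a.problems or h in seen:
            continue
        seen.add(h)
        size = "?" if a.size is None else str(a.size)
        out.append(f"{h}  {size}  {a.name or '(unnamed)'}")
    return out


SAMPLE = r"""
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
796KB
MD54b94b989b0fe7bec6311153b309dfe81
SHA1bb50a4bb8a66f0105c5b74f32cd114c672010b22
SHA2567c4283f5e620b2506bcb273f947def4435d95e143ae3067a783fd3adc873a659
SHA512fbbe60cf3e5d028d906e7d444b648f7dff8791c333834db8119e0a950532a75fda2e9bd5948f0b210904667923eb7b2c0176140babc497955d227e7d80fb109d
-
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC
Filesize16B
MD5db11d0f1cfa068b6e9e446ad575e19a5
SHA12a231b1b0e2d96e3df3a48d5f1578f0af6444c21
SHA25646ca0aaa44cee88be393eb445e970f9849ded8fb99b4f8cf707e12358ff2eaa8
SHA512e59c233fc47a44c9303c90a427cdf645348eb74c62e64284dad01665289c01f90cd7677c9b101f0855329cd7d29547a0443d253a6effdb1393fcb24f1549e14b
-
Filesize: 1KB
MD5: deadbeef
SHA256: 0000000000000000000000000000000000000000000000000000000000000000
"""
# The last record is constructed (truncated MD5) to show how a bad entry is flagged.

if __name__ == "__main__":
    arts = parse_listing(SAMPLE)
    for a in arts:
        print(a.size, a.name, a.hashes.get("SHA256"), a.problems)
    print("\n".join(to_blocklist(arts)))
```

Records that fail a length check are kept in the parsed output with their `problems` populated, so an analyst can see what was wrong, but they are excluded from the blocklist: a truncated digest would never match anything and only pads the feed.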