xmrig | b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd

Analysis

max time kernel
149s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe
Size

13.7MB
MD5

cc6d7a6b17febe201b7f7d26ce944c08
SHA1

231e8439c0facca7cc4b730bf950351d48e3a7c2
SHA256

b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd
SHA512

c2abd5a8a59e09951df3d17b591442097cb2615a57abbef9afee9660dcd59ece483ca9a6ab4e83a622235eef4c75ef64dc2b32b58829cef8c485e1517e9ba652
SSDEEP

393216:KsEANEX3gBGYVwwoE0VhUqE7SlO9h4m/a360m:KhIEX3kGN/XBEWs4EA60m

Score

10^/10

xmrig evasion execution miner persistence pyinstaller upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/888-152-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/888-151-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/888-157-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/888-158-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/888-155-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/888-154-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/888-156-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/888-159-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/888-160-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe
2716	powershell.exe
1564	powershell.exe
716	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 6 IoCs

pid	Process
2700	Solara.exe
2876	Exela.exe
1504	Exela.exe
1200	Process not Found
472	Process not Found
784	rdqanwpudvuj.exe

Loads dropped DLL 6 IoCs

pid	Process
2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe
2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe
2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe
2876	Exela.exe
1504	Exela.exe
472	Process not Found

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Solara = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Solara.exe"	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1576	powercfg.exe
868	powercfg.exe
1780	powercfg.exe
1344	powercfg.exe
976	powercfg.exe
1684	powercfg.exe
2104	powercfg.exe
2548	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Solara.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	rdqanwpudvuj.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 784 set thread context of 1952	784	rdqanwpudvuj.exe	90
PID 784 set thread context of 888	784	rdqanwpudvuj.exe	94

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a4e6-78.dat	upx
behavioral1/memory/1504-80-0x000007FEF57E0000-0x000007FEF5C4E000-memory.dmp	upx
behavioral1/memory/888-147-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-152-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-151-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-150-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-149-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-146-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-148-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-157-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-158-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-155-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-154-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-156-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-159-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/888-160-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
272	sc.exe
2128	sc.exe
928	sc.exe
1540	sc.exe
2704	sc.exe
1672	sc.exe
3016	sc.exe
1276	sc.exe
2100	sc.exe
1720	sc.exe
564	sc.exe
2516	sc.exe
960	sc.exe
712	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000800000001926b-28.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 304ffed56465db01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2196	powershell.exe
2716	powershell.exe
2700	Solara.exe
1564	powershell.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
2700	Solara.exe
784	rdqanwpudvuj.exe
716	powershell.exe
784	rdqanwpudvuj.exe
784	rdqanwpudvuj.exe
784	rdqanwpudvuj.exe
784	rdqanwpudvuj.exe
784	rdqanwpudvuj.exe
784	rdqanwpudvuj.exe
784	rdqanwpudvuj.exe
784	rdqanwpudvuj.exe
784	rdqanwpudvuj.exe
784	rdqanwpudvuj.exe
784	rdqanwpudvuj.exe
784	rdqanwpudvuj.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe
888	conhost.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeShutdownPrivilege	1344	powercfg.exe
Token: SeShutdownPrivilege	976	powercfg.exe
Token: SeShutdownPrivilege	868	powercfg.exe
Token: SeShutdownPrivilege	1780	powercfg.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeShutdownPrivilege	1576	powercfg.exe
Token: SeShutdownPrivilege	2104	powercfg.exe
Token: SeShutdownPrivilege	1684	powercfg.exe
Token: SeShutdownPrivilege	2548	powercfg.exe
Token: SeLockMemoryPrivilege	888	conhost.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2196	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	30
PID 2532 wrote to memory of 2196	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	30
PID 2532 wrote to memory of 2196	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	30
PID 2532 wrote to memory of 2700	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	32
PID 2532 wrote to memory of 2700	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	32
PID 2532 wrote to memory of 2700	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	32
PID 2532 wrote to memory of 2716	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	33
PID 2532 wrote to memory of 2716	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	33
PID 2532 wrote to memory of 2716	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	33
PID 2532 wrote to memory of 2876	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	36
PID 2532 wrote to memory of 2876	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	36
PID 2532 wrote to memory of 2876	2532	b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe	36
PID 2876 wrote to memory of 1504	2876	Exela.exe	37
PID 2876 wrote to memory of 1504	2876	Exela.exe	37
PID 2876 wrote to memory of 1504	2876	Exela.exe	37
PID 2356 wrote to memory of 2152	2356	cmd.exe	46
PID 2356 wrote to memory of 2152	2356	cmd.exe	46
PID 2356 wrote to memory of 2152	2356	cmd.exe	46
PID 1524 wrote to memory of 2572	1524	cmd.exe	77
PID 1524 wrote to memory of 2572	1524	cmd.exe	77
PID 1524 wrote to memory of 2572	1524	cmd.exe	77
PID 784 wrote to memory of 1952	784	rdqanwpudvuj.exe	90
PID 784 wrote to memory of 1952	784	rdqanwpudvuj.exe	90
PID 784 wrote to memory of 1952	784	rdqanwpudvuj.exe	90
PID 784 wrote to memory of 1952	784	rdqanwpudvuj.exe	90
PID 784 wrote to memory of 1952	784	rdqanwpudvuj.exe	90
PID 784 wrote to memory of 1952	784	rdqanwpudvuj.exe	90
PID 784 wrote to memory of 1952	784	rdqanwpudvuj.exe	90
PID 784 wrote to memory of 1952	784	rdqanwpudvuj.exe	90
PID 784 wrote to memory of 1952	784	rdqanwpudvuj.exe	90
PID 784 wrote to memory of 888	784	rdqanwpudvuj.exe	94
PID 784 wrote to memory of 888	784	rdqanwpudvuj.exe	94
PID 784 wrote to memory of 888	784	rdqanwpudvuj.exe	94
PID 784 wrote to memory of 888	784	rdqanwpudvuj.exe	94
PID 784 wrote to memory of 888	784	rdqanwpudvuj.exe	94

C:\Users\Admin\AppData\Local\Temp\b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe
"C:\Users\Admin\AppData\Local\Temp\b1883486b5e6da993af6deb6f4d0f524ccdc6317bdc32ed50dccd1799867a3bd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Solara.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Users\Admin\AppData\Local\Temp\Solara.exe
  "C:\Users\Admin\AppData\Local\Temp\Solara.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2700
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2152
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2100
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1720
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2704
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:960
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:3016
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:976
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1344
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "PGYNROQK"
    3⤵
    - Launches sc.exe
    PID:2128
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "PGYNROQK" binpath= "C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1672
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:928
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PGYNROQK"
    3⤵
    - Launches sc.exe
    PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1504

C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe
C:\ProgramData\hoyktorfcbbz\rdqanwpudvuj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:784
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2572
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:712
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:564
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:272
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1276
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2516
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:1952
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Exela.exe

Filesize
9.5MB

MD5
0615d49be12c174704a3daad945f7b56

SHA1
90d67801dcff362ce2c2accafd5010c7f79567d6

SHA256
573a7f2fa701a7630318119d9e6d916cb8a0acd87a0a2797b7197e9ae85c0071

SHA512
40d702b8fd2993aeeb09755e760d3611d76f927ae6831ab7066386d3a133257e06330ddff2d28406b77c1d9e502e79a7a72b8984ce0d795948da07dd03b9bea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.exe

Filesize
5.3MB

MD5
089094590df5698b03a7428a5864ed33

SHA1
6a4866b798a38e40b61095e2c4a6861b15f4cabb

SHA256
c3b138b65057d5a27d859763974a3afe5df2693ce64326d36ae8784d092929c7

SHA512
001c4aeeddcbfaa9b979e81b742391c6ec6f9400b23b8b5827c69c7e8c36bd9e8576146f0487c3522deca21e1488a36c948dff3c69b2c441406f2081ead09e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28762\python310.dll

Filesize
1.4MB

MD5
fc7bd515b12e537a39dc93a09b3eaad6

SHA1
96f5d4b0967372553cb106539c5566bc184f6167

SHA256
461e008b7cdf034f99a566671b87849772873a175aefec6ed00732976f5c4164

SHA512
a8433d5b403f898e4eeebd72fce08ebad066ca60aeb0b70e2ae78377babc2acbbae2ac91ab20f813cce4b1dc58c2ad6b3868f18cc8ac0fe7be2bff020eb73122

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
97f711dfd39d15eab98824315a1078c3

SHA1
39172c095bb82568f7d7653f84033ff83570f1f3

SHA256
0ee5b612ad643b5dca34a9f36fa63a7bc6257b3802864cb20e3314b95e8b7a19

SHA512
838e08cee53c9a08f43189a0c844df829fc2d9aff883a7d5dcb3b28f5332f78b75d583df0c410acc8c25f017823c6533da50dde0eee6a7f75c44a8bc1bcc1495

Download Submit
memory/888-149-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-152-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-154-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-155-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-157-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-160-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-159-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-153-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/888-158-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-148-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-146-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-156-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-150-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-151-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/888-147-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1504-80-0x000007FEF57E0000-0x000007FEF5C4E000-memory.dmp

Filesize
4.4MB

Download
memory/1952-138-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1952-137-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1952-139-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1952-140-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1952-141-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1952-143-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2196-8-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/2196-7-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2196-6-0x0000000002CE0000-0x0000000002D60000-memory.dmp

Filesize
512KB

Download
memory/2532-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp

Filesize
4KB

Download
memory/2532-1-0x0000000000DE0000-0x0000000001BA0000-memory.dmp

Filesize
13.8MB

Download
memory/2716-23-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2716-22-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download