Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted
21-06-2024 19:05
Behavioral task
behavioral1
Sample
Solara.zip
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
Solara.zip
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Solara.zip
Resource
win11-20240508-en
Behavioral task
behavioral4
Sample
Solara/SolaraBootstrapper.exe
Resource
win10-20240404-en
Behavioral task
behavioral5
Sample
Solara/SolaraBootstrapper.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral6
Sample
Solara/SolaraBootstrapper.exe
Resource
win11-20240508-en
General
-
Target
Solara/SolaraBootstrapper.exe
-
Size
1.9MB
-
MD5
8911439914996ec2bd5ba4dc50ffd163
-
SHA1
bed9b04aaab10cf740a5eb07f894c71f62ef88b2
-
SHA256
40488c03efa03bac855bf7195a94dae672bcda3ed2cdf3a004817cad86471a41
-
SHA512
c0be4a292be417838f973e9dd4fb99370473b32c1db731610a468572f2e5557032b8088c70bbb728bd237855d028b5d1f62486855f7d210ee68bc592a98dcd93
-
SSDEEP
24576:U2G/nvxW3Ww0tVOzdE5lXHKtZRqdw0OYdr7OISbKOwQR+BVEBr7Yo4GI4dxEyQTt:UbA30wzCjKopOFbVn+zE1ex4dxE3x
Malware Config
Signatures
-
DcRat 43 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exe, PIDs: 1684, 3464, 4640, 1816, 4836, 4800, 792, 3208, 3588, 4584, 2140, 3708, 3388, 2920, 1188, 4368, 3592, 4772, 4124, 2408, 3652, 4908, 2748, 2452, 3460, 4448, 2300, 4544, 3308, 1352, 4456, 4612, 4928, 3148, 3276, 4816, 3068, 3912, 3688, 1300, 3596, 4796
Registry: Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings (SolaraBootstrapper.exe)
Process spawned unexpected child process 42 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 4616) is not expected to spawn this process. Child process schtasks.exe, PIDs: 2452, 1684, 3388, 3308, 4836, 4816, 3464, 2920, 3068, 3592, 1352, 4456, 4800, 3912, 4584, 1188, 4772, 4124, 792, 3460, 3688, 2408, 3208, 4448, 1300, 2140, 3708, 3596, 3588, 3652, 4796, 3276, 4612, 4908, 4928, 2748, 2300, 4640, 4544, 3148, 1816, 4368
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reviewinto.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (reviewinto.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (reviewinto.exe)
Resources matched (resource, yara_rule):
- C:\SavesRuntimecrtmonitorCommon\reviewinto.exe: dcrat
- behavioral4/memory/4896-14-0x00000000004C0000-0x0000000000662000-memory.dmp: dcrat
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes:
- 4896 reviewinto.exe
- 4644 explorer.exe
Processes:
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (reviewinto.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reviewinto.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (explorer.exe)
Drops file in Program Files directory 10 IoCs
Processes:
- File created C:\Program Files\Mozilla Firefox\browser\b1200e0ac9bfc0 (reviewinto.exe)
- File created C:\Program Files (x86)\Windows Portable Devices\sysmon.exe (reviewinto.exe)
- File created C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\spoolsv.exe (reviewinto.exe)
- File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\sihost.exe (reviewinto.exe)
- File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\66fc9ff0ee96c2 (reviewinto.exe)
- File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe (reviewinto.exe)
- File created C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\f3b6ecef712a24 (reviewinto.exe)
- File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\f3b6ecef712a24 (reviewinto.exe)
- File created C:\Program Files\Mozilla Firefox\browser\reviewinto.exe (reviewinto.exe)
- File created C:\Program Files (x86)\Windows Portable Devices\121e5b5079f7c0 (reviewinto.exe)
Drops file in Windows directory 2 IoCs
Processes:
- File created C:\Windows\de-DE\explorer.exe (reviewinto.exe)
- File created C:\Windows\de-DE\7a0fd90576e088 (reviewinto.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 3 IoCs
Processes:
- Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings (SolaraBootstrapper.exe)
- Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings (reviewinto.exe)
- Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings (explorer.exe)
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exe, PIDs: 4908, 4928, 4544, 2140, 3596, 3652, 4796, 4612, 4584, 3708, 1352, 3912, 3460, 2408, 1300, 2300, 2452, 3308, 3148, 3276, 3068, 792, 3688, 3208, 3588, 4368, 3592, 4772, 4456, 1188, 4448, 4640, 4836, 2920, 2748, 1816, 3388, 4800, 3464, 4124, 1684, 4816
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 4896 reviewinto.exe
- 4644 explorer.exe
(64 hits in total, all from these two processes)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 4644 explorer.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
- Token: SeDebugPrivilege, 4896 reviewinto.exe
- Token: SeDebugPrivilege, 4644 explorer.exe
- Token: SeBackupPrivilege, 2176 vssvc.exe
- Token: SeRestorePrivilege, 2176 vssvc.exe
- Token: SeAuditPrivilege, 2176 vssvc.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
- PID 1396 (SolaraBootstrapper.exe) wrote to memory of 4608 (WScript.exe), 3 events
- PID 4608 (WScript.exe) wrote to memory of 3988 (cmd.exe), 3 events
- PID 3988 (cmd.exe) wrote to memory of 4896 (reviewinto.exe), 2 events
- PID 4896 (reviewinto.exe) wrote to memory of 3236 (cmd.exe), 2 events
- PID 3988 (cmd.exe) wrote to memory of 2820 (reg.exe), 3 events
- PID 3236 (cmd.exe) wrote to memory of 2236 (w32tm.exe), 2 events
- PID 3236 (cmd.exe) wrote to memory of 4644 (explorer.exe), 2 events
- PID 4644 (explorer.exe) wrote to memory of 4812 (WScript.exe), 2 events
- PID 4644 (explorer.exe) wrote to memory of 868 (WScript.exe), 2 events
System policy modification 1 TTPs 6 IoCs
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reviewinto.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (reviewinto.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (reviewinto.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (explorer.exe)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"
- DcRat
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\WScript.exe (depth 2)
  Command line: "C:\Windows\System32\WScript.exe" "C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe"
- Suspicious use of WriteProcessMemory
PID:4608 -
C:\Windows\SysWOW64\cmd.exe (depth 3)
  Command line: C:\Windows\system32\cmd.exe /c ""C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat" "
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\SavesRuntimecrtmonitorCommon\reviewinto.exe (depth 4)
  Command line: "C:\SavesRuntimecrtmonitorCommon\reviewinto.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4896 -
C:\Windows\System32\cmd.exe (depth 5)
  Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZhjKPAlWJ0.bat"
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\system32\w32tm.exe (depth 6)
  Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
  PID:2236
-
C:\Windows\de-DE\explorer.exe (depth 6)
  Command line: "C:\Windows\de-DE\explorer.exe"
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4644 -
C:\Windows\System32\WScript.exe (depth 7)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\626051b2-1ddd-4bbd-b1f3-6acf1b847e1e.vbs"
  PID:4812
-
C:\Windows\System32\WScript.exe (depth 7)
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5453d5f-cf98-4f5e-b151-0ba95bc4a58e.vbs"
  PID:868
-
C:\Windows\SysWOW64\reg.exe (depth 4)
  Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
- Modifies registry key
PID:2820
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\sihost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3308
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\sihost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\sihost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\explorer.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\reviewinto.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "reviewinto" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\reviewinto.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\reviewinto.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\winlogon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4124
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3208
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4448
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\cmd.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\cmd.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\cmd.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\SavesRuntimecrtmonitorCommon\smss.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3276
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\SavesRuntimecrtmonitorCommon\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\spoolsv.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4640
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\spoolsv.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\ShellExperienceHost.exe'" /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3148
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\ShellExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exe (depth 1)
  Command line: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\ShellExperienceHost.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4368
-
C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:2176
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat
Filesize: 160B
-
C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe
Filesize: 226B
-
C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
Filesize: 1.6MB
-
C:\Users\Admin\AppData\Local\Temp\626051b2-1ddd-4bbd-b1f3-6acf1b847e1e.vbs
Filesize: 705B
-
C:\Users\Admin\AppData\Local\Temp\ZhjKPAlWJ0.bat
Filesize: 194B
-
C:\Users\Admin\AppData\Local\Temp\c5453d5f-cf98-4f5e-b151-0ba95bc4a58e.vbs
Filesize: 481B