Analysis
max time kernel: 148s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-06-2024 19:05
Behavioral tasks
behavioral1: Sample Solara.zip; Resource win10-20240404-en
behavioral2: Sample Solara.zip; Resource win10v2004-20240226-en
behavioral3: Sample Solara.zip; Resource win11-20240508-en
behavioral4: Sample Solara/SolaraBootstrapper.exe; Resource win10-20240404-en
behavioral5: Sample Solara/SolaraBootstrapper.exe; Resource win10v2004-20240226-en
behavioral6: Sample Solara/SolaraBootstrapper.exe; Resource win11-20240508-en
General
Target: Solara/SolaraBootstrapper.exe
Size: 1.9MB
MD5: 8911439914996ec2bd5ba4dc50ffd163
SHA1: bed9b04aaab10cf740a5eb07f894c71f62ef88b2
SHA256: 40488c03efa03bac855bf7195a94dae672bcda3ed2cdf3a004817cad86471a41
SHA512: c0be4a292be417838f973e9dd4fb99370473b32c1db731610a468572f2e5557032b8088c70bbb728bd237855d028b5d1f62486855f7d210ee68bc592a98dcd93
SSDEEP: 24576:U2G/nvxW3Ww0tVOzdE5lXHKtZRqdw0OYdr7OISbKOwQR+BVEBr7Yo4GI4dxEyQTt:UbA30wzCjKopOFbVn+zE1ex4dxE3x
Malware Config
Signatures
DcRat (54 IoCs)
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes (pid, process / description, ioc, process):
  schtasks.exe, 51 instances, PIDs: 4076, 3160, 2428, 3336, 3908, 3644, 4232, 1524, 2636, 572, 3020, 4988, 1896, 1192, 2308, 1892, 2460, 4508, 4544, 2260, 2348, 4960, 1976, 4756, 4764, 1900, 484, 1972, 1808, 3688, 2652, 412, 3140, 3348, 3188, 2836, 4176, 3040, 4920, 4984, 1352, 788, 1996, 4340, 3636, 2860, 1548, 4944, 4900, 796, 3936
  Key created: \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings (SolaraBootstrapper.exe)
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\5b884080fd4f94 (reviewinto.exe)
  File created: C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\cc11b995f2a76d (reviewinto.exe)
Process spawned unexpected child process (51 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes (description, pid, pid_target, process, target process):
  Description in every entry: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
  Process in every entry: schtasks.exe; pid_target in every entry: 2772
  pid values, 51 entries: 3188, 1892, 3020, 1900, 572, 4960, 2860, 1996, 1352, 4984, 4508, 4988, 412, 2836, 4340, 1896, 2308, 4176, 3040, 1976, 3348, 4076, 3644, 3140, 484, 1972, 4764, 2428, 4756, 4232, 1524, 1548, 4920, 4544, 2636, 788, 1808, 3336, 3636, 2460, 3688, 2260, 4944, 4900, 3908, 796, 3936, 1192, 2348, 3160, 2652
Processes (description, ioc, process; 33 entries):
  All iocs below are values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int) EnableLUA = "0": reviewinto.exe (2 entries), wininit.exe (9 entries)
  Set value (int) PromptOnSecureDesktop = "0": reviewinto.exe (2 entries), wininit.exe (9 entries)
  Set value (int) ConsentPromptBehaviorAdmin = "0": reviewinto.exe (2 entries), wininit.exe (9 entries)
Processes (resource, yara_rule):
  C:\SavesRuntimecrtmonitorCommon\reviewinto.exe: dcrat
  behavioral6/memory/5020-13-0x0000000000BD0000-0x0000000000D72000-memory.dmp: dcrat
Disables Task Manager via registry modification
-
Executes dropped EXE (11 IoCs)
Processes (pid, process):
  5020 reviewinto.exe
  4852 reviewinto.exe
  1960 wininit.exe
  4780 wininit.exe
  3628 wininit.exe
  1944 wininit.exe
  460 wininit.exe
  3944 wininit.exe
  3704 wininit.exe
  4608 wininit.exe
  4960 wininit.exe
Processes (description, ioc, process; 22 entries):
  ioc in every entry: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  Set value (int) EnableLUA = "0": wininit.exe (9 entries), reviewinto.exe (2 entries)
  Key value queried EnableLUA: wininit.exe (9 entries), reviewinto.exe (2 entries)
Drops file in Program Files directory (11 IoCs)
Processes (description, ioc, process; process is reviewinto.exe in every entry):
  File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\5b884080fd4f94
  File created: C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe
  File created: C:\Program Files\Microsoft Office 15\ClientX64\29c1c3cc0f7685
  File created: C:\Program Files (x86)\Google\24dbde2999530e
  File created: C:\Program Files\Windows Photo Viewer\en-US\b1200e0ac9bfc0
  File created: C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe
  File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe
  File created: C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe
  File created: C:\Program Files (x86)\Google\Update\Offline\e1ef82546f0b02
  File created: C:\Program Files (x86)\Google\WmiPrvSE.exe
Drops file in Windows directory (2 IoCs)
Processes (description, ioc, process; process is reviewinto.exe in both entries):
  File created: C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\winlogon.exe
  File created: C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\cc11b995f2a76d
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (11 IoCs)
Processes (description, ioc, process; 11 entries):
  Key created: \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings
  Processes: wininit.exe (9 entries), SolaraBootstrapper.exe (1 entry), reviewinto.exe (1 entry)
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task (1 TTPs, 51 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
  schtasks.exe, 51 instances, PIDs: 2860, 3644, 3160, 3636, 1192, 4960, 1892, 1996, 2652, 4944, 4176, 4764, 2428, 1976, 1808, 796, 4544, 2260, 1900, 1352, 4340, 1896, 3040, 3140, 1524, 2460, 3188, 412, 2836, 4900, 2308, 3348, 2636, 3336, 3688, 4988, 4076, 572, 4756, 3908, 3020, 4984, 4508, 2348, 788, 3936, 484, 1972, 4232, 1548, 4920
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes (pid, process; 64 entries):
  5020 reviewinto.exe (7 entries)
  4852 reviewinto.exe (13 entries)
  1960 wininit.exe (44 entries)
Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes (description, pid, process; Token: SeDebugPrivilege in every entry):
  5020 reviewinto.exe
  4852 reviewinto.exe
  1960 wininit.exe
  4780 wininit.exe
  3628 wininit.exe
  1944 wininit.exe
  460 wininit.exe
  3944 wininit.exe
  3704 wininit.exe
  4608 wininit.exe
  4960 wininit.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (pid, target pid, process, target process, number of entries; 64 entries in total):
  1856 -> 3880  SolaraBootstrapper.exe -> WScript.exe  (3)
  3880 -> 1384  WScript.exe -> cmd.exe  (3)
  1384 -> 5020  cmd.exe -> reviewinto.exe  (2)
  5020 -> 4852  reviewinto.exe -> reviewinto.exe  (2)
  1384 -> 1156  cmd.exe -> reg.exe  (3)
  4852 -> 3588  reviewinto.exe -> cmd.exe  (2)
  3588 -> 2080  cmd.exe -> w32tm.exe  (2)
  3588 -> 1960  cmd.exe -> wininit.exe  (2)
  1960 -> 4712  wininit.exe -> WScript.exe  (2)
  1960 -> 1172  wininit.exe -> WScript.exe  (2)
  4712 -> 4780  WScript.exe -> wininit.exe  (2)
  4780 -> 4028  wininit.exe -> WScript.exe  (2)
  4780 -> 4364  wininit.exe -> WScript.exe  (2)
  4028 -> 3628  WScript.exe -> wininit.exe  (2)
  3628 -> 3776  wininit.exe -> WScript.exe  (2)
  3628 -> 4884  wininit.exe -> WScript.exe  (2)
  3776 -> 1944  WScript.exe -> wininit.exe  (2)
  1944 -> 1596  wininit.exe -> WScript.exe  (2)
  1944 -> 1456  wininit.exe -> WScript.exe  (2)
  1596 -> 460   WScript.exe -> wininit.exe  (2)
  460 -> 4592   wininit.exe -> WScript.exe  (2)
  460 -> 800    wininit.exe -> WScript.exe  (2)
  4592 -> 3944  WScript.exe -> wininit.exe  (2)
  3944 -> 3324  wininit.exe -> WScript.exe  (2)
  3944 -> 3392  wininit.exe -> WScript.exe  (2)
  3324 -> 3704  WScript.exe -> wininit.exe  (2)
  3704 -> 4956  wininit.exe -> WScript.exe  (2)
  3704 -> 1104  wininit.exe -> WScript.exe  (2)
  4956 -> 4608  WScript.exe -> wininit.exe  (2)
  4608 -> 4148  wininit.exe -> WScript.exe  (2)
  4608 -> 4876  wininit.exe -> WScript.exe  (1)
System policy modification (1 TTPs, 33 IoCs)
Processes (description, ioc, process; 33 entries):
  All iocs below are values under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  Set value (int) ConsentPromptBehaviorAdmin = "0": reviewinto.exe (2 entries), wininit.exe (9 entries)
  Set value (int) PromptOnSecureDesktop = "0": reviewinto.exe (2 entries), wininit.exe (9 entries)
  Set value (int) EnableLUA = "0": reviewinto.exe (2 entries), wininit.exe (9 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe "C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe" 1⤵
- DcRat
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\WScript.exe "C:\Windows\System32\WScript.exe" "C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe" 2⤵
- Suspicious use of WriteProcessMemory
PID:3880 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat" " 3⤵
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\SavesRuntimecrtmonitorCommon\reviewinto.exe "C:\SavesRuntimecrtmonitorCommon\reviewinto.exe" 4⤵
- DcRat
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5020 -
C:\SavesRuntimecrtmonitorCommon\reviewinto.exe "C:\SavesRuntimecrtmonitorCommon\reviewinto.exe" 5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4852 -
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\amzpk88eS2.bat" 6⤵
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\system32\w32tm.exe w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 7⤵ PID:2080
-
C:\Recovery\WindowsRE\wininit.exe "C:\Recovery\WindowsRE\wininit.exe" 7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1960 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dafdeb52-16a6-479b-a42e-cffe1ca646b1.vbs" 8⤵
- Suspicious use of WriteProcessMemory
PID:4712 -
C:\Recovery\WindowsRE\wininit.exe C:\Recovery\WindowsRE\wininit.exe 9⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4780 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b9f0f5-78d2-4d43-9395-a68671996323.vbs" 10⤵
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Recovery\WindowsRE\wininit.exe C:\Recovery\WindowsRE\wininit.exe 11⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3628 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bb09c01-b2e9-4840-a999-6997e487c985.vbs" 12⤵
- Suspicious use of WriteProcessMemory
PID:3776 -
C:\Recovery\WindowsRE\wininit.exe C:\Recovery\WindowsRE\wininit.exe 13⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1944 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c0f8ca1-9f8c-4c31-b96f-fc9a96406e79.vbs" 14⤵
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Recovery\WindowsRE\wininit.exe C:\Recovery\WindowsRE\wininit.exe 15⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:460 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc987819-2fb8-44d5-a2fa-94e1136871c6.vbs" 16⤵
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Recovery\WindowsRE\wininit.exe C:\Recovery\WindowsRE\wininit.exe 17⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3944 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdeb7455-c130-4c82-a3e0-cc4e71904698.vbs" 18⤵
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Recovery\WindowsRE\wininit.exe C:\Recovery\WindowsRE\wininit.exe 19⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3704 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64cb5b56-1f47-420b-9331-2bccc5bab3eb.vbs" 20⤵
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Recovery\WindowsRE\wininit.exe C:\Recovery\WindowsRE\wininit.exe 21⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4608 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2171fe72-002b-4241-821f-ad96e9b3a260.vbs" 22⤵ PID:4148
-
C:\Recovery\WindowsRE\wininit.exe C:\Recovery\WindowsRE\wininit.exe 23⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4960 -
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2485f83f-a81a-42b4-8051-6632daddfda6.vbs" 24⤵ PID:1864
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3a87fa1-3dc6-4c9b-94c6-5d41fe02c2b5.vbs" 24⤵ PID:4028
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76c4140a-d1da-480f-90dc-7e6b8490c807.vbs" 22⤵ PID:4876
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44b559c9-1740-47f8-abe2-cc59a9d941a9.vbs" 20⤵ PID:1104
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3073b8a6-bb1b-4a42-b239-ad8211a32748.vbs" 18⤵ PID:3392
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6070b8d-e090-4e33-82ca-b92321ae8794.vbs" 16⤵ PID:800
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\695c9034-022c-4d67-9327-4517fd5d74c2.vbs" 14⤵ PID:1456
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d567250a-6961-43ed-8dd2-a8e94f5c07af.vbs" 12⤵ PID:4884
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\810e0e39-f556-4a52-b5ba-dc955298d315.vbs" 10⤵ PID:4364
-
C:\Windows\System32\WScript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc8ce5d3-02b0-46c1-bf65-df9be6394706.vbs" 8⤵ PID:1172
-
C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f 4⤵
- Modifies registry key
PID:1156
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3188
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\winlogon.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\winlogon.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\winlogon.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4960
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\SavesRuntimecrtmonitorCommon\csrss.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\csrss.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\SavesRuntimecrtmonitorCommon\csrss.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\SavesRuntimecrtmonitorCommon\Idle.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\Idle.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\SavesRuntimecrtmonitorCommon\Idle.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4988
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:412
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\USOShared\Logs\reviewinto.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "reviewinto" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\reviewinto.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\reviewinto.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3348
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3644
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3140
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\SavesRuntimecrtmonitorCommon\StartMenuExperienceHost.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\SavesRuntimecrtmonitorCommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4232
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3636
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4944
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "reviewinto" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160
-
C:\Windows\system32\schtasks.exe schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /rl HIGHEST /f 1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat
Filesize 160B
MD5 aa1ca164a728084ffd5e22bcf41ef9fb
SHA1 a46fc620937abf7e82d6c97e728530549c74805f
SHA256 c98facc1c471936575f62d9bdafd6614f5a66477c33c3a53ab41688a4917750d
SHA512 71dda5b7b13809823069eada39a0b6c3ebb26377125b6b4f1e7a283dfcee4139732b5b456fcba91bfaaf29a38929fb8adc5c17b18bf7733457e4db878df0a9e4
-
C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe
Filesize 226B
MD5 4defbf69b7ac7cd48d5d28019164fc15
SHA1 475d6ef458c0505261f6e058b84d602dd55a792a
SHA256 0b66c2ddaca8e3a1be3a5a7543d480993ab71bf4b8308fff4ebe3754ea22f47f
SHA512 6eadacef630be325097a307e115fac9e960b6bdb2460dff8c2058a78d92b46d1a6845d36b2d1ed0794d1b64694bb60cd12f71be2e4f5634f023506962161d2fe
-
C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
Filesize 1.6MB
MD5 c3d7d94a09a4a29ddc66ba84508d559f
SHA1 8bdcdd488649b311182622b7b07ea526bfd021c8
SHA256 dee994f94e8e98b45fa47215e4593157d13a39f87ca2de6208614a61208c7b5c
SHA512 ae1a238b5cbd08a6b4db092390fd22bb3f0970ed1bc744d676e357e38f2ac182025e01abd8d7da9771f154df378e972c27e324608da29d0c0cbb9db606e9e0d0
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\reviewinto.exe.log
Filesize 1KB
MD5 311f1926e60b4f85bf8140299ca70235
SHA1 9b700a28d63b5dae143da22bf642c67f3bb0af49
SHA256 aaa667e50ce82f1cc798b5aacf93f14ef83632c20bea6655d66f631ce6f0c70b
SHA512 e58bcdcd64b52b68cf88c7e92932665a196a35b5a0b3c483179b69389553669607e443c33ffb40ec02b506ee353522e973b58292215697fc430226e79dcb7f24
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
Filesize 1KB
MD5 b058942fe750846925da0c79dbad94ec
SHA1 338efbdf7514f23e73dac4e69c6e9b979b0c902f
SHA256 de170e04a6f6e8c23b3c293a4c9386ec929f3ab0b79d0051fbe285a894edb559
SHA512 bcfa26f2dc24237eefd8070714735a0ebde5a3f83845f31ea412807e98b61f93ea96b6f1166d21e0bcec948483347790b2238151caceadcb0ec353dd877f375e
-
C:\Users\Admin\AppData\Local\Temp\04b9f0f5-78d2-4d43-9395-a68671996323.vbs
Filesize 709B
MD5 2a156be74157db09718b96a557e8cc9a
SHA1 3705b0a31b96db84a756754002d537e602817355
SHA256 72de03e93c20d79982fcbd2b0153c14cdd769a937d72231c8184f3ca2f72b330
SHA512 55e1076c0aca7ae8808674e2a302ae3e07f4c9e9b94345c5aa2dad6f549e0b3f02486217e2e67c0687db3a59d5ab14a27f29fdee1d07d3bafa8955b376553739
-
C:\Users\Admin\AppData\Local\Temp\2171fe72-002b-4241-821f-ad96e9b3a260.vbs
Filesize 709B
MD5 bb9bcc13a26dce61d2b6a83cf364dcd4
SHA1 ecfebb95b0346edc74ad48c45adcb06f514d79ef
SHA256 eeddaef6b765dab401f0d08e78f44ae7363b6fb181d691f3fe9daa39916010fe
SHA512 11970ab7fbf0f3733471a52405e98e5567e2d04940024ee43ad9ebd02863f2e4c62378290ae2ea9642d907fab6d822b8a27bbc94051b5f558c3b2d8b16ed1c20
-
C:\Users\Admin\AppData\Local\Temp\2485f83f-a81a-42b4-8051-6632daddfda6.vbs
Filesize 709B
MD5 a24f797a58443914b50d58fa55739094
SHA1 91d3ed5521444eec0a1140f8ecd00f7503e083f7
SHA256 eb82d6e774d0ed4d34b310ae74adade9db452c68a1f25d4eed874e3378d3a6f6
SHA512 5f55fe8e4f50266c16a658567641c4e84366e8d2c80093dc31b4fafa885f72551cbac2840b30c90c422db62880ef625b90ad0d7242740de390fc7abe870f71ac
-
C:\Users\Admin\AppData\Local\Temp\4c0f8ca1-9f8c-4c31-b96f-fc9a96406e79.vbs
Filesize 709B
MD5 5f30ea31e5a61f485eb33da65e13d6db
SHA1 6c031884c83811b924fdf77cb00449d9baceabd5
SHA256 f51a428dc4d403d1d099bf02f56ea9fa15c3d095f5c1324cd1c10d85260ad10e
SHA512 5577d6795af07bc2982f8d730873a01e5b2d614484135b4c385b5b7a883e94cd2f2b95ef8e4d1fa27f0b80f9c0b0ddbf5dfac8033047321a4113b2d3ca5a1852
-
C:\Users\Admin\AppData\Local\Temp\64cb5b56-1f47-420b-9331-2bccc5bab3eb.vbs
Filesize 709B
MD5 0b9c3f7eabbdb141a7572758dd3e00fb
SHA1 a950ea3f2b5e24900e1323d6ab6c4636a750d320
SHA256 65f138258d3bf2620de9b3111eab543ada3661e85518af18010038476627851d
SHA512 7170be6a4e72d7895a2865e716f6a25571db7b3199fc9ba79bab6d4c4031da6dd8ff6a5f1020436ea14dfeb376a2bb1d00f1ba966423410d22f4d1326d16d18c
-
C:\Users\Admin\AppData\Local\Temp\6bb09c01-b2e9-4840-a999-6997e487c985.vbs
Filesize 709B
MD5 162262297695eb62a52acb98ba0293c3
SHA1 81d12045244e44f11ea7edec40e1eeb5a3cdbb9a
SHA256 524e503d69608f6e8dd00056de4aac696f1a634ee9b614f6e26954f913fe6836
SHA512 52c1066c0de5aba378d142ad5419939250dc07bc28c36fc11b13462582676f7c968ae1a7aea3f282e85b3f7961ddcde0d6c0221187cd29fdcb31542dbdf49adc
-
C:\Users\Admin\AppData\Local\Temp\amzpk88eS2.bat
Filesize 198B
MD5 afca0a3c12ee421409a0dba3b012a62f
SHA1 ee3121cd358dbfd2d3461e75f74a868140348f7b
SHA256 6e9b7090dbb447303ea65325fae1b8721f067759401867a46ab7ff00ab056d32
SHA512 ed2b9cc246104da371e62b128df80513e4960b3ba1ea838af48e87b528c0ca73c38cd78132807aa7212530c38a0b6e6a4887dc8042764e927add3c801e2365bd
-
C:\Users\Admin\AppData\Local\Temp\cc8ce5d3-02b0-46c1-bf65-df9be6394706.vbs
Filesize 485B
MD5 94dda34c2855e1a15b328328f51a3d36
SHA1 3929e7f3a1b705e63ff7878b8608e07cd1b14e4d
SHA256 1efe274b27b072f862140078c2884ab897582e5bac31d008456ca2cb3d568f01
SHA512 7125ceca454c4700eeced97e9097fc87a114488ea456e9b9d12ae3b5ffba3f365ea8a9741a89ae7763f37e2e8d93ebea1074cc91f5bba61804e5db714863cdd9
-
C:\Users\Admin\AppData\Local\Temp\cdeb7455-c130-4c82-a3e0-cc4e71904698.vbs
Filesize 709B
MD5 364f318b796511a6a0060ee2f243b8fc
SHA1 61435bc199b46f923fe3af7c718f29dcd14edac5
SHA256 19de93005aa774653891cf5b37c035be071013c0b2b229d54874dffbd7d39ef9
SHA512 e261ee8ce3e7a41c11308410bfb59494ce3e0c7c7a11f5c4ef757afad079c2b67a67779e9640b4fd532cb43c8e5f8da20e6ff1942d97cbbcc421e65ee0f2359e
-
C:\Users\Admin\AppData\Local\Temp\dafdeb52-16a6-479b-a42e-cffe1ca646b1.vbs
Filesize 709B
MD5 4e627f79a0787bf93235f1e3d99107fe
SHA1 b3e869ee10c79e370b26fcfb531864ef10cc8d14
SHA256 bc2587e065a33973174b6f2a5b2312478e0cb9db97cbd3caef4de1d5fa130659
SHA512 6a1066b68ba6aa1849cfafc4af98b377188d0fe97a5398d809a0e501b0748f95f6a58b2edfa60272442764e57b2e9126fc750f738e86e167b25e557342e1859a
-
C:\Users\Admin\AppData\Local\Temp\dc987819-2fb8-44d5-a2fa-94e1136871c6.vbs
Filesize 708B
MD5 e161af3ae928577738c580ef19c2b5b3
SHA1 03ecbeb0a9db87065aac0542c6098382d4de7692
SHA256 4d36ab8d6a72634f45be78601c74681c2e82f9abe136fc5985f0902e472d0976
SHA512 7d187f54995ba04ca2543850156dd9a1e15b8e143e255fee001fb11aaa7501e071016513ba095f9495c7882870c8d9dafd3ee7e64a01a360b8d6ac571cfddba0
-
memory/3628-98-0x000000001C3F0000-0x000000001C402000-memory.dmp
Filesize 72KB
-
memory/3704-143-0x000000001C5F0000-0x000000001C602000-memory.dmp
Filesize 72KB
-
memory/4960-166-0x000000001BFF0000-0x000000001C002000-memory.dmp
Filesize 72KB
-
memory/5020-18-0x00000000019E0000-0x00000000019F0000-memory.dmp
Filesize 64KB
-
memory/5020-27-0x0000000002090000-0x000000000209A000-memory.dmp
Filesize 40KB
-
memory/5020-28-0x00000000020A0000-0x00000000020AE000-memory.dmp
Filesize 56KB
-
memory/5020-29-0x000000001C350000-0x000000001C358000-memory.dmp
Filesize 32KB
-
memory/5020-26-0x0000000001BE0000-0x0000000001BEC000-memory.dmp
Filesize 48KB
-
memory/5020-25-0x0000000001BD0000-0x0000000001BDC000-memory.dmp
Filesize 48KB
-
memory/5020-24-0x000000001C680000-0x000000001CBA8000-memory.dmp
Filesize 5.2MB
-
memory/5020-23-0x0000000001BA0000-0x0000000001BB2000-memory.dmp
Filesize 72KB
-
memory/5020-22-0x0000000001A20000-0x0000000001A2C000-memory.dmp
Filesize 48KB
-
memory/5020-21-0x0000000001A10000-0x0000000001A1A000-memory.dmp
Filesize 40KB
-
memory/5020-17-0x00000000015C0000-0x00000000015C8000-memory.dmp
Filesize 32KB
-
memory/5020-20-0x0000000001B90000-0x0000000001BA0000-memory.dmp
Filesize 64KB
-
memory/5020-19-0x00000000019F0000-0x00000000019F8000-memory.dmp
Filesize 32KB
-
memory/5020-16-0x000000001C100000-0x000000001C150000-memory.dmp
Filesize 320KB
-
memory/5020-15-0x00000000019C0000-0x00000000019DC000-memory.dmp
Filesize 112KB
-
memory/5020-14-0x00000000015B0000-0x00000000015BE000-memory.dmp
Filesize 56KB
-
memory/5020-13-0x0000000000BD0000-0x0000000000D72000-memory.dmp
Filesize 1.6MB
-
memory/5020-12-0x00007FFB9C413000-0x00007FFB9C415000-memory.dmp
Filesize 8KB