Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    21-06-2024 19:05

General

  • Target

    Solara/SolaraBootstrapper.exe

  • Size

    1.9MB

  • MD5

    8911439914996ec2bd5ba4dc50ffd163

  • SHA1

    bed9b04aaab10cf740a5eb07f894c71f62ef88b2

  • SHA256

    40488c03efa03bac855bf7195a94dae672bcda3ed2cdf3a004817cad86471a41

  • SHA512

    c0be4a292be417838f973e9dd4fb99370473b32c1db731610a468572f2e5557032b8088c70bbb728bd237855d028b5d1f62486855f7d210ee68bc592a98dcd93

  • SSDEEP

    24576:U2G/nvxW3Ww0tVOzdE5lXHKtZRqdw0OYdr7OISbKOwQR+BVEBr7Yo4GI4dxEyQTt:UbA30wzCjKopOFbVn+zE1ex4dxE3x

Malware Config

Signatures

  • DcRat 54 IoCs

    DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.

  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 33 IoCs
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 11 IoCs
  • Checks whether UAC is enabled 1 TTPs 22 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 11 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 33 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"
    1⤵
    • DcRat
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1384
        • C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
          "C:\SavesRuntimecrtmonitorCommon\reviewinto.exe"
          4⤵
          • DcRat
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5020
          • C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
            "C:\SavesRuntimecrtmonitorCommon\reviewinto.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:4852
            • C:\Windows\System32\cmd.exe
              "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\amzpk88eS2.bat"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3588
              • C:\Windows\system32\w32tm.exe
                w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                7⤵
                  PID:2080
                • C:\Recovery\WindowsRE\wininit.exe
                  "C:\Recovery\WindowsRE\wininit.exe"
                  7⤵
                  • UAC bypass
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  • System policy modification
                  PID:1960
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dafdeb52-16a6-479b-a42e-cffe1ca646b1.vbs"
                    8⤵
                    • Suspicious use of WriteProcessMemory
                    PID:4712
                    • C:\Recovery\WindowsRE\wininit.exe
                      C:\Recovery\WindowsRE\wininit.exe
                      9⤵
                      • UAC bypass
                      • Executes dropped EXE
                      • Checks whether UAC is enabled
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      • System policy modification
                      PID:4780
                      • C:\Windows\System32\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b9f0f5-78d2-4d43-9395-a68671996323.vbs"
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:4028
                        • C:\Recovery\WindowsRE\wininit.exe
                          C:\Recovery\WindowsRE\wininit.exe
                          11⤵
                          • UAC bypass
                          • Executes dropped EXE
                          • Checks whether UAC is enabled
                          • Modifies registry class
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          • System policy modification
                          PID:3628
                          • C:\Windows\System32\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bb09c01-b2e9-4840-a999-6997e487c985.vbs"
                            12⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3776
                            • C:\Recovery\WindowsRE\wininit.exe
                              C:\Recovery\WindowsRE\wininit.exe
                              13⤵
                              • UAC bypass
                              • Executes dropped EXE
                              • Checks whether UAC is enabled
                              • Modifies registry class
                              • Suspicious use of AdjustPrivilegeToken
                              • Suspicious use of WriteProcessMemory
                              • System policy modification
                              PID:1944
                              • C:\Windows\System32\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c0f8ca1-9f8c-4c31-b96f-fc9a96406e79.vbs"
                                14⤵
                                • Suspicious use of WriteProcessMemory
                                PID:1596
                                • C:\Recovery\WindowsRE\wininit.exe
                                  C:\Recovery\WindowsRE\wininit.exe
                                  15⤵
                                  • UAC bypass
                                  • Executes dropped EXE
                                  • Checks whether UAC is enabled
                                  • Modifies registry class
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of WriteProcessMemory
                                  • System policy modification
                                  PID:460
                                  • C:\Windows\System32\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc987819-2fb8-44d5-a2fa-94e1136871c6.vbs"
                                    16⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:4592
                                    • C:\Recovery\WindowsRE\wininit.exe
                                      C:\Recovery\WindowsRE\wininit.exe
                                      17⤵
                                      • UAC bypass
                                      • Executes dropped EXE
                                      • Checks whether UAC is enabled
                                      • Modifies registry class
                                      • Suspicious use of AdjustPrivilegeToken
                                      • Suspicious use of WriteProcessMemory
                                      • System policy modification
                                      PID:3944
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdeb7455-c130-4c82-a3e0-cc4e71904698.vbs"
                                        18⤵
                                        • Suspicious use of WriteProcessMemory
                                        PID:3324
                                        • C:\Recovery\WindowsRE\wininit.exe
                                          C:\Recovery\WindowsRE\wininit.exe
                                          19⤵
                                          • UAC bypass
                                          • Executes dropped EXE
                                          • Checks whether UAC is enabled
                                          • Modifies registry class
                                          • Suspicious use of AdjustPrivilegeToken
                                          • Suspicious use of WriteProcessMemory
                                          • System policy modification
                                          PID:3704
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64cb5b56-1f47-420b-9331-2bccc5bab3eb.vbs"
                                            20⤵
                                            • Suspicious use of WriteProcessMemory
                                            PID:4956
                                            • C:\Recovery\WindowsRE\wininit.exe
                                              C:\Recovery\WindowsRE\wininit.exe
                                              21⤵
                                              • UAC bypass
                                              • Executes dropped EXE
                                              • Checks whether UAC is enabled
                                              • Modifies registry class
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of WriteProcessMemory
                                              • System policy modification
                                              PID:4608
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2171fe72-002b-4241-821f-ad96e9b3a260.vbs"
                                                22⤵
                                                  PID:4148
                                                  • C:\Recovery\WindowsRE\wininit.exe
                                                    C:\Recovery\WindowsRE\wininit.exe
                                                    23⤵
                                                    • UAC bypass
                                                    • Executes dropped EXE
                                                    • Checks whether UAC is enabled
                                                    • Modifies registry class
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • System policy modification
                                                    PID:4960
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2485f83f-a81a-42b4-8051-6632daddfda6.vbs"
                                                      24⤵
                                                        PID:1864
                                                      • C:\Windows\System32\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3a87fa1-3dc6-4c9b-94c6-5d41fe02c2b5.vbs"
                                                        24⤵
                                                          PID:4028
                                                    • C:\Windows\System32\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76c4140a-d1da-480f-90dc-7e6b8490c807.vbs"
                                                      22⤵
                                                        PID:4876
                                                  • C:\Windows\System32\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44b559c9-1740-47f8-abe2-cc59a9d941a9.vbs"
                                                    20⤵
                                                      PID:1104
                                                • C:\Windows\System32\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3073b8a6-bb1b-4a42-b239-ad8211a32748.vbs"
                                                  18⤵
                                                    PID:3392
                                              • C:\Windows\System32\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6070b8d-e090-4e33-82ca-b92321ae8794.vbs"
                                                16⤵
                                                  PID:800
                                            • C:\Windows\System32\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\695c9034-022c-4d67-9327-4517fd5d74c2.vbs"
                                              14⤵
                                                PID:1456
                                          • C:\Windows\System32\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d567250a-6961-43ed-8dd2-a8e94f5c07af.vbs"
                                            12⤵
                                              PID:4884
                                        • C:\Windows\System32\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\810e0e39-f556-4a52-b5ba-dc955298d315.vbs"
                                          10⤵
                                            PID:4364
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc8ce5d3-02b0-46c1-bf65-df9be6394706.vbs"
                                        8⤵
                                          PID:1172
                                • C:\Windows\SysWOW64\reg.exe
                                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                  4⤵
                                  • Modifies registry key
                                  PID:1156
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3188
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1892
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3020
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\winlogon.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1900
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\winlogon.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:572
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\winlogon.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4960
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\SavesRuntimecrtmonitorCommon\csrss.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2860
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\csrss.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1996
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\SavesRuntimecrtmonitorCommon\csrss.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1352
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\SavesRuntimecrtmonitorCommon\Idle.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4984
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\Idle.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4508
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\SavesRuntimecrtmonitorCommon\Idle.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4988
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:412
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2836
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4340
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1896
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2308
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4176
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\USOShared\Logs\reviewinto.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3040
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "reviewinto" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\reviewinto.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1976
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\reviewinto.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3348
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4076
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3644
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3140
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\SavesRuntimecrtmonitorCommon\StartMenuExperienceHost.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:484
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1972
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\SavesRuntimecrtmonitorCommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4764
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2428
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4756
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4232
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1524
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1548
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f
                            1⤵
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4920
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4544
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2636
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:788
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1808
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3336
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3636
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2460
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3688
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2260
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe'" /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4944
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "reviewinto" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:4900
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3908
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:796
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3936
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:1192
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2348
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:3160
                          • C:\Windows\system32\schtasks.exe
                            schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /rl HIGHEST /f
                            • DcRat
                            • Process spawned unexpected child process
                            • Scheduled Task/Job: Scheduled Task
                            PID:2652
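                          The schtasks invocations above repeat one persistence pattern per dropped payload: a MINUTE-interval task, an ONLOGON task with /rl HIGHEST, and a second MINUTE task with /rl HIGHEST, all pointing at a file that borrows a Windows system-process name (wininit.exe, sihost.exe, unsecapp.exe, WmiPrvSE.exe, SppExtComObj.exe, System.exe) but lives under C:\Recovery\WindowsRE, C:\Users\Default User or a Program Files subfolder rather than System32. The Python below is an added hunting example for this report, not sandbox output and not code from the sample; it parses schtasks /create command lines as they would appear in Sysmon Event ID 1 or Security 4688 records. The list of names treated as "belonging" in System32, the writable-root list and the Adobe updater task used as a negative control are assumptions constructed for the example; the five DcRat command lines are copied from the tree above.

```python
"""Hunt for DcRat-style schtasks persistence in process-creation command lines.

Added example for this report (not sandbox output, not the sample's own code).
Pattern taken from the process tree above: each payload gets three tasks
(MINUTE, ONLOGON with /rl HIGHEST, MINUTE with /rl HIGHEST) pointing at a
binary that borrows a Windows system-process name but lives outside System32.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Names the sample borrowed; the genuine binaries live under System32/SysWOW64.
# Assumed list, extend it for your estate.
SYSTEM_NAMES = {"wininit.exe", "sihost.exe", "unsecapp.exe",
                "wmiprvse.exe", "sppextcomobj.exe", "system.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Drop roots seen above plus common user-writable locations (assumed list).
SUSPICIOUS_ROOTS = ("c:\\recovery\\", "c:\\users\\default user\\",
                    "c:\\users\\public\\", "\\appdata\\", "c:\\programdata\\")

# Command lines copied from the process tree above (observed, not constructed).
OBSERVED = [
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f''',
    r'''schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe'" /f''',
]
# Constructed negative control: an ordinary daily updater task (not from the report).
BENIGN = r'''schtasks.exe /create /tn "Adobe Acrobat Update Task" /sc DAILY /st 09:00 /tr "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /f'''


def _opt(cmd, flag):
    """Value following /flag; honours "double quotes"; case-insensitive; None if absent."""
    m = re.search(r'(?i)(?<!\S)/' + flag + r'\s+(?:"([^"]*)"|(\S+))', cmd)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks(cmd):
    """Extract task name, schedule, interval, run level and target from a
    'schtasks /create' command line. Returns None for anything else."""
    if not re.search(r"(?i)\bschtasks(\.exe)?\b", cmd) \
            or not re.search(r"(?i)(?<!\S)/create(?!\S)", cmd):
        return None
    # DcRat double-wraps the path: /tr "'C:\...\x.exe'"; strip both quote kinds.
    target = (_opt(cmd, "tr") or "").strip().strip("'\"")
    mo = _opt(cmd, "mo")
    return {
        "tn": _opt(cmd, "tn") or "",
        "sc": (_opt(cmd, "sc") or "").upper(),
        "mo": int(mo) if mo and mo.isdigit() else None,
        "rl": (_opt(cmd, "rl") or "").upper(),
        "target": target,
    }


def reasons(task):
    """Why a parsed task looks like DcRat persistence. Empty list = nothing stood out.
    Location is the primary signal; frequency and run level only strengthen it."""
    if not task or not task["target"]:
        return []
    path = task["target"].lower()
    name = PureWindowsPath(path).name
    out = []
    if name in SYSTEM_NAMES and not path.startswith(SYSTEM_DIRS):
        out.append(f"{name} launched from outside System32: {task['target']}")
    if any(root in path for root in SUSPICIOUS_ROOTS):
        out.append("target under a recovery or user-writable directory")
    if not out:
        return out
    if task["sc"] == "MINUTE" and (task["mo"] or 1) <= 15:
        out.append(f"re-launched every {task['mo'] or 1} minute(s)")
    if task["rl"] == "HIGHEST":
        out.append("requests /rl HIGHEST (highest privileges available to the account)")
    return out


def group_by_target(cmds, min_tasks=3):
    """Map target path -> parsed tasks for targets registered min_tasks or more times.
    Catches payloads whose path looks tame (reviewinto.exe above) through the
    redundant-triplet habit alone."""
    groups = defaultdict(list)
    for cmd in cmds:
        t = parse_schtasks(cmd)
        if t and t["target"]:
            groups[t["target"].lower()].append(t)
    return {k: v for k, v in groups.items() if len(v) >= min_tasks}


def scan(cmds):
    """Return [(task name, target, reasons)] for every command line worth triage."""
    hits = []
    for cmd in cmds:
        t = parse_schtasks(cmd)
        why = reasons(t)
        if why:
            hits.append((t["tn"], t["target"], why))
    return hits


if __name__ == "__main__":
    for tn, target, why in scan(OBSERVED + [BENIGN]):
        print(f"[!] /tn {tn!r} -> {target}")
        for w in why:
            print("     -", w)
    for target, tasks in group_by_target(OBSERVED + [BENIGN]).items():
        print(f"[!] {len(tasks)} tasks for {target}: "
              + ", ".join(f"{t['tn']}/{t['sc']}" for t in tasks))
```

                          Run against the five observed lines plus the constructed control, the location heuristics flag the three wininit.exe tasks and the WmiPrvSE.exe task but not the reviewinto.exe task, because "Windows Photo Viewer\en-US" is neither a system directory nor a known writable root. That gap is why group_by_target exists: in the report, reviewinto.exe also receives three tasks (reviewintor, reviewinto, reviewintor), and once all of its command lines are fed in the redundancy check surfaces it regardless of path. Feed real telemetry by extracting the CommandLine field from Sysmon 1 / Security 4688 events where the image is schtasks.exe.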

                          Network

                          MITRE ATT&CK Enterprise v15

                          Downloads

                          • C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat
                            Filesize 160B
                            MD5 aa1ca164a728084ffd5e22bcf41ef9fb
                            SHA1 a46fc620937abf7e82d6c97e728530549c74805f
                            SHA256 c98facc1c471936575f62d9bdafd6614f5a66477c33c3a53ab41688a4917750d
                            SHA512 71dda5b7b13809823069eada39a0b6c3ebb26377125b6b4f1e7a283dfcee4139732b5b456fcba91bfaaf29a38929fb8adc5c17b18bf7733457e4db878df0a9e4

                          • C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe
                            Filesize 226B
                            MD5 4defbf69b7ac7cd48d5d28019164fc15
                            SHA1 475d6ef458c0505261f6e058b84d602dd55a792a
                            SHA256 0b66c2ddaca8e3a1be3a5a7543d480993ab71bf4b8308fff4ebe3754ea22f47f
                            SHA512 6eadacef630be325097a307e115fac9e960b6bdb2460dff8c2058a78d92b46d1a6845d36b2d1ed0794d1b64694bb60cd12f71be2e4f5634f023506962161d2fe

                          • C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
                            Filesize 1.6MB
                            MD5 c3d7d94a09a4a29ddc66ba84508d559f
                            SHA1 8bdcdd488649b311182622b7b07ea526bfd021c8
                            SHA256 dee994f94e8e98b45fa47215e4593157d13a39f87ca2de6208614a61208c7b5c
                            SHA512 ae1a238b5cbd08a6b4db092390fd22bb3f0970ed1bc744d676e357e38f2ac182025e01abd8d7da9771f154df378e972c27e324608da29d0c0cbb9db606e9e0d0

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\reviewinto.exe.log
                            Filesize 1KB
                            MD5 311f1926e60b4f85bf8140299ca70235
                            SHA1 9b700a28d63b5dae143da22bf642c67f3bb0af49
                            SHA256 aaa667e50ce82f1cc798b5aacf93f14ef83632c20bea6655d66f631ce6f0c70b
                            SHA512 e58bcdcd64b52b68cf88c7e92932665a196a35b5a0b3c483179b69389553669607e443c33ffb40ec02b506ee353522e973b58292215697fc430226e79dcb7f24

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log
                            Filesize 1KB
                            MD5 b058942fe750846925da0c79dbad94ec
                            SHA1 338efbdf7514f23e73dac4e69c6e9b979b0c902f
                            SHA256 de170e04a6f6e8c23b3c293a4c9386ec929f3ab0b79d0051fbe285a894edb559
                            SHA512 bcfa26f2dc24237eefd8070714735a0ebde5a3f83845f31ea412807e98b61f93ea96b6f1166d21e0bcec948483347790b2238151caceadcb0ec353dd877f375e

                          • C:\Users\Admin\AppData\Local\Temp\04b9f0f5-78d2-4d43-9395-a68671996323.vbs
                            Filesize 709B
                            MD5 2a156be74157db09718b96a557e8cc9a
                            SHA1 3705b0a31b96db84a756754002d537e602817355
                            SHA256 72de03e93c20d79982fcbd2b0153c14cdd769a937d72231c8184f3ca2f72b330
                            SHA512 55e1076c0aca7ae8808674e2a302ae3e07f4c9e9b94345c5aa2dad6f549e0b3f02486217e2e67c0687db3a59d5ab14a27f29fdee1d07d3bafa8955b376553739

                          • C:\Users\Admin\AppData\Local\Temp\2171fe72-002b-4241-821f-ad96e9b3a260.vbs
                            Filesize 709B
                            MD5 bb9bcc13a26dce61d2b6a83cf364dcd4
                            SHA1 ecfebb95b0346edc74ad48c45adcb06f514d79ef
                            SHA256 eeddaef6b765dab401f0d08e78f44ae7363b6fb181d691f3fe9daa39916010fe
                            SHA512 11970ab7fbf0f3733471a52405e98e5567e2d04940024ee43ad9ebd02863f2e4c62378290ae2ea9642d907fab6d822b8a27bbc94051b5f558c3b2d8b16ed1c20

                          • C:\Users\Admin\AppData\Local\Temp\2485f83f-a81a-42b4-8051-6632daddfda6.vbs
                            Filesize 709B
                            MD5 a24f797a58443914b50d58fa55739094
                            SHA1 91d3ed5521444eec0a1140f8ecd00f7503e083f7
                            SHA256 eb82d6e774d0ed4d34b310ae74adade9db452c68a1f25d4eed874e3378d3a6f6
                            SHA512 5f55fe8e4f50266c16a658567641c4e84366e8d2c80093dc31b4fafa885f72551cbac2840b30c90c422db62880ef625b90ad0d7242740de390fc7abe870f71ac

                          • C:\Users\Admin\AppData\Local\Temp\4c0f8ca1-9f8c-4c31-b96f-fc9a96406e79.vbs
                            Filesize 709B
                            MD5 5f30ea31e5a61f485eb33da65e13d6db
                            SHA1 6c031884c83811b924fdf77cb00449d9baceabd5
                            SHA256 f51a428dc4d403d1d099bf02f56ea9fa15c3d095f5c1324cd1c10d85260ad10e
                            SHA512 5577d6795af07bc2982f8d730873a01e5b2d614484135b4c385b5b7a883e94cd2f2b95ef8e4d1fa27f0b80f9c0b0ddbf5dfac8033047321a4113b2d3ca5a1852

                          • C:\Users\Admin\AppData\Local\Temp\64cb5b56-1f47-420b-9331-2bccc5bab3eb.vbs
                            Filesize 709B
                            MD5 0b9c3f7eabbdb141a7572758dd3e00fb
                            SHA1 a950ea3f2b5e24900e1323d6ab6c4636a750d320
                            SHA256 65f138258d3bf2620de9b3111eab543ada3661e85518af18010038476627851d
                            SHA512 7170be6a4e72d7895a2865e716f6a25571db7b3199fc9ba79bab6d4c4031da6dd8ff6a5f1020436ea14dfeb376a2bb1d00f1ba966423410d22f4d1326d16d18c

                          • C:\Users\Admin\AppData\Local\Temp\6bb09c01-b2e9-4840-a999-6997e487c985.vbs
                            Filesize 709B
                            MD5 162262297695eb62a52acb98ba0293c3
                            SHA1 81d12045244e44f11ea7edec40e1eeb5a3cdbb9a
                            SHA256 524e503d69608f6e8dd00056de4aac696f1a634ee9b614f6e26954f913fe6836
                            SHA512 52c1066c0de5aba378d142ad5419939250dc07bc28c36fc11b13462582676f7c968ae1a7aea3f282e85b3f7961ddcde0d6c0221187cd29fdcb31542dbdf49adc

                          • C:\Users\Admin\AppData\Local\Temp\amzpk88eS2.bat
                            Filesize 198B
                            MD5 afca0a3c12ee421409a0dba3b012a62f
                            SHA1 ee3121cd358dbfd2d3461e75f74a868140348f7b
                            SHA256 6e9b7090dbb447303ea65325fae1b8721f067759401867a46ab7ff00ab056d32
                            SHA512 ed2b9cc246104da371e62b128df80513e4960b3ba1ea838af48e87b528c0ca73c38cd78132807aa7212530c38a0b6e6a4887dc8042764e927add3c801e2365bd

                          • C:\Users\Admin\AppData\Local\Temp\cc8ce5d3-02b0-46c1-bf65-df9be6394706.vbs
                            Filesize 485B
                            MD5 94dda34c2855e1a15b328328f51a3d36
                            SHA1 3929e7f3a1b705e63ff7878b8608e07cd1b14e4d
                            SHA256 1efe274b27b072f862140078c2884ab897582e5bac31d008456ca2cb3d568f01
                            SHA512 7125ceca454c4700eeced97e9097fc87a114488ea456e9b9d12ae3b5ffba3f365ea8a9741a89ae7763f37e2e8d93ebea1074cc91f5bba61804e5db714863cdd9

                          • C:\Users\Admin\AppData\Local\Temp\cdeb7455-c130-4c82-a3e0-cc4e71904698.vbs
                            Filesize 709B
                            MD5 364f318b796511a6a0060ee2f243b8fc
                            SHA1 61435bc199b46f923fe3af7c718f29dcd14edac5
                            SHA256 19de93005aa774653891cf5b37c035be071013c0b2b229d54874dffbd7d39ef9
                            SHA512 e261ee8ce3e7a41c11308410bfb59494ce3e0c7c7a11f5c4ef757afad079c2b67a67779e9640b4fd532cb43c8e5f8da20e6ff1942d97cbbcc421e65ee0f2359e

                          • C:\Users\Admin\AppData\Local\Temp\dafdeb52-16a6-479b-a42e-cffe1ca646b1.vbs
                            Filesize 709B
                            MD5 4e627f79a0787bf93235f1e3d99107fe
                            SHA1 b3e869ee10c79e370b26fcfb531864ef10cc8d14
                            SHA256 bc2587e065a33973174b6f2a5b2312478e0cb9db97cbd3caef4de1d5fa130659
                            SHA512 6a1066b68ba6aa1849cfafc4af98b377188d0fe97a5398d809a0e501b0748f95f6a58b2edfa60272442764e57b2e9126fc750f738e86e167b25e557342e1859a

                          • C:\Users\Admin\AppData\Local\Temp\dc987819-2fb8-44d5-a2fa-94e1136871c6.vbs
                            Filesize 708B
                            MD5 e161af3ae928577738c580ef19c2b5b3
                            SHA1 03ecbeb0a9db87065aac0542c6098382d4de7692
                            SHA256 4d36ab8d6a72634f45be78601c74681c2e82f9abe136fc5985f0902e472d0976
                            SHA512 7d187f54995ba04ca2543850156dd9a1e15b8e143e255fee001fb11aaa7501e071016513ba095f9495c7882870c8d9dafd3ee7e64a01a360b8d6ac571cfddba0

                          • memory/3628-98-0x000000001C3F0000-0x000000001C402000-memory.dmp
                            Filesize 72KB

                          • memory/3704-143-0x000000001C5F0000-0x000000001C602000-memory.dmp
                            Filesize 72KB

                          • memory/4960-166-0x000000001BFF0000-0x000000001C002000-memory.dmp
                            Filesize 72KB

                          • memory/5020-18-0x00000000019E0000-0x00000000019F0000-memory.dmp
                            Filesize 64KB

                          • memory/5020-27-0x0000000002090000-0x000000000209A000-memory.dmp
                            Filesize 40KB

                          • memory/5020-28-0x00000000020A0000-0x00000000020AE000-memory.dmp
                            Filesize 56KB

                          • memory/5020-29-0x000000001C350000-0x000000001C358000-memory.dmp
                            Filesize 32KB

                          • memory/5020-26-0x0000000001BE0000-0x0000000001BEC000-memory.dmp
                            Filesize 48KB

                          • memory/5020-25-0x0000000001BD0000-0x0000000001BDC000-memory.dmp
                            Filesize 48KB

                          • memory/5020-24-0x000000001C680000-0x000000001CBA8000-memory.dmp
                            Filesize 5.2MB

                          • memory/5020-23-0x0000000001BA0000-0x0000000001BB2000-memory.dmp
                            Filesize 72KB

                          • memory/5020-22-0x0000000001A20000-0x0000000001A2C000-memory.dmp
                            Filesize 48KB

                          • memory/5020-21-0x0000000001A10000-0x0000000001A1A000-memory.dmp
                            Filesize 40KB

                          • memory/5020-17-0x00000000015C0000-0x00000000015C8000-memory.dmp
                            Filesize 32KB

                          • memory/5020-20-0x0000000001B90000-0x0000000001BA0000-memory.dmp
                            Filesize 64KB

                          • memory/5020-19-0x00000000019F0000-0x00000000019F8000-memory.dmp
                            Filesize 32KB

                          • memory/5020-16-0x000000001C100000-0x000000001C150000-memory.dmp
                            Filesize 320KB

                          • memory/5020-15-0x00000000019C0000-0x00000000019DC000-memory.dmp
                            Filesize 112KB

                          • memory/5020-14-0x00000000015B0000-0x00000000015BE000-memory.dmp
                            Filesize 56KB

                          • memory/5020-13-0x0000000000BD0000-0x0000000000D72000-memory.dmp
                            Filesize 1.6MB

                          • memory/5020-12-0x00007FFB9C413000-0x00007FFB9C415000-memory.dmp
                            Filesize 8KB