Malware Analysis Report

2024-10-10 13:05

Sample ID 240621-xrle7sterq
Target Solara.zip
SHA256 1e9a334f54c0a6364e0d9b7b8cfbc45723ad6e9581bbf76f3476d5c25e908b77
Tags
dcrat evasion infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral5, behavioral6, behavioral1, behavioral2, behavioral3, behavioral4 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

1e9a334f54c0a6364e0d9b7b8cfbc45723ad6e9581bbf76f3476d5c25e908b77

Threat Level: Known bad

The file Solara.zip was found to be: Known bad.

Malicious Activity Summary

dcrat evasion infostealer rat trojan

DCRat payload

Process spawned unexpected child process

DcRat

UAC bypass

Dcrat family

DCRat payload

Disables Task Manager via registry modification

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

Modifies registry key

Suspicious behavior: GetForegroundWindowSpam

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 19:05

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-21 19:05

Reported

2024-06-21 19:09

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (9 identical events, one per schtasks.exe /create command line listed under Processes)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\en-US\fontdrvhost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\Windows\en-US\fontdrvhost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\fontdrvhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Windows Defender\uk-UA\38384e6a620884 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\en-US\fontdrvhost.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Windows\en-US\5b884080fd4f94 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\en-US\fontdrvhost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A (24 identical events)
N/A N/A C:\Windows\en-US\fontdrvhost.exe N/A (40 identical events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\en-US\fontdrvhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\en-US\fontdrvhost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5048 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 5048 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 5048 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 3980 wrote to memory of 368 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 368 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3980 wrote to memory of 368 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 368 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
PID 368 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
PID 1004 wrote to memory of 3332 N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe C:\Windows\System32\cmd.exe
PID 1004 wrote to memory of 3332 N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe C:\Windows\System32\cmd.exe
PID 368 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 368 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 368 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3332 wrote to memory of 4416 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3332 wrote to memory of 4416 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3332 wrote to memory of 4396 N/A C:\Windows\System32\cmd.exe C:\Windows\en-US\fontdrvhost.exe
PID 3332 wrote to memory of 4396 N/A C:\Windows\System32\cmd.exe C:\Windows\en-US\fontdrvhost.exe
PID 4396 wrote to memory of 436 N/A C:\Windows\en-US\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4396 wrote to memory of 436 N/A C:\Windows\en-US\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4396 wrote to memory of 4428 N/A C:\Windows\en-US\fontdrvhost.exe C:\Windows\System32\WScript.exe
PID 4396 wrote to memory of 4428 N/A C:\Windows\en-US\fontdrvhost.exe C:\Windows\System32\WScript.exe
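The WriteProcessMemory rows above are a parent writing into a child it has just created (CreateProcess sets up the new process image that way), so they double as a process-creation log with PIDs, which the Processes list below lacks. The following added example (editor's code, not part of the sandbox report) collapses the duplicated rows into one edge per parent/child pair, rebuilds the execution chain SolaraBootstrapper.exe -> WScript.exe -> cmd.exe -> reviewinto.exe -> cmd.exe -> fontdrvhost.exe -> WScript.exe, and flags images that carry the name of a real System32 binary but live elsewhere (the dropped C:\Windows\en-US\fontdrvhost.exe). The set of System32 names to check against is the editor's assumption; the sample rows are copied verbatim from the table.

```python
import re
from collections import OrderedDict, defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above.
WPM_EVENTS = [
    r"PID 5048 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 5048 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 5048 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 3980 wrote to memory of 368 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 3980 wrote to memory of 368 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 3980 wrote to memory of 368 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 368 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe",
    r"PID 368 wrote to memory of 1004 N/A C:\Windows\SysWOW64\cmd.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe",
    r"PID 1004 wrote to memory of 3332 N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe C:\Windows\System32\cmd.exe",
    r"PID 1004 wrote to memory of 3332 N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe C:\Windows\System32\cmd.exe",
    r"PID 368 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe",
    r"PID 368 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe",
    r"PID 368 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe",
    r"PID 3332 wrote to memory of 4416 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 3332 wrote to memory of 4416 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe",
    r"PID 3332 wrote to memory of 4396 N/A C:\Windows\System32\cmd.exe C:\Windows\en-US\fontdrvhost.exe",
    r"PID 3332 wrote to memory of 4396 N/A C:\Windows\System32\cmd.exe C:\Windows\en-US\fontdrvhost.exe",
    r"PID 4396 wrote to memory of 436 N/A C:\Windows\en-US\fontdrvhost.exe C:\Windows\System32\WScript.exe",
    r"PID 4396 wrote to memory of 436 N/A C:\Windows\en-US\fontdrvhost.exe C:\Windows\System32\WScript.exe",
    r"PID 4396 wrote to memory of 4428 N/A C:\Windows\en-US\fontdrvhost.exe C:\Windows\System32\WScript.exe",
    r"PID 4396 wrote to memory of 4428 N/A C:\Windows\en-US\fontdrvhost.exe C:\Windows\System32\WScript.exe",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+?\.exe)$")

# Editor's assumption: names of genuine System32 binaries that the dropped stages
# on this page are named after. Same name outside System32/SysWOW64 = masquerade.
SYSTEM32_NAMES = {"fontdrvhost.exe", "wininit.exe", "mousocoreworker.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_wpm(lines):
    """Collapse rows into one edge per (parent PID, child PID), counting the writes."""
    edges = OrderedDict()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        ppid, pid, parent, child = m.groups()
        key = (int(ppid), int(pid))
        if key in edges:
            edges[key]["writes"] += 1
        else:
            edges[key] = {"parent": parent, "child": child, "writes": 1}
    return edges


def build_tree(edges):
    """Return (children-by-pid, image-by-pid, root pids) for the collapsed edges."""
    children = defaultdict(list)
    images = OrderedDict()
    for (ppid, pid), e in edges.items():
        children[ppid].append(pid)
        images.setdefault(ppid, e["parent"])
        images[pid] = e["child"]
    child_pids = {pid for (_, pid) in edges}
    roots = [pid for pid in images if pid not in child_pids]
    return children, images, roots


def render_tree(edges):
    """Indented text tree, one line per process, depth-first in creation order."""
    children, images, roots = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def masquerades(edges):
    """PIDs whose image borrows a System32 binary name but runs from another directory."""
    _, images, _ = build_tree(edges)
    hits = []
    for pid, image in images.items():
        directory, _, name = image.lower().rpartition("\\")
        if name in SYSTEM32_NAMES and directory not in SYSTEM_DIRS:
            hits.append((pid, image))
    return hits


if __name__ == "__main__":
    tree_edges = parse_wpm(WPM_EVENTS)
    print("\n".join(render_tree(tree_edges)))
    for pid, image in masquerades(tree_edges):
        print(f"masquerade: PID {pid} runs {image}")
```

Read the tree together with the command lines under Processes: the .vbe launches the .bat, the .bat launches reviewinto.exe and sets DisableTaskMgr through reg.exe, reviewinto.exe writes the renamed copy and runs a second .bat that pauses with w32tm /stripchart (two samples five seconds apart, a common stand-in for sleep) before starting the copy as fontdrvhost.exe.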

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\fontdrvhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
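The "UAC bypass", "Checks whether UAC is enabled" and "System policy modification" tables all describe the same three writes under HKLM\...\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop set to 0), plus the DisableTaskMgr write that reg.exe makes under HKCU. One caveat a responder should keep in mind: EnableLUA only takes effect after a reboot, so within a 150-second detonation this is a configuration write that weakens the next session, not an observed elevation. The following added example (editor's code, not from the sandbox) evaluates such registry rows and reg add command lines against a table of value/data pairs that are dangerous; the "dangerous data" table and its default-value notes are the editor's, and the final EnableLUA = "1" row is constructed to show a benign write that must not be reported.

```python
import re
from collections import defaultdict

# Rows copied from the UAC bypass / Checks-whether-UAC-is-enabled tables and the
# reg.exe command line under Processes; the last row is constructed (an admin
# restoring the default) and must not produce a finding.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\en-US\fontdrvhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\en-US\fontdrvhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\en-US\fontdrvhost.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\en-US\fontdrvhost.exe N/A',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\regedit.exe N/A',
]

# Editor's table: values under ...\Policies\System whose listed data weakens the host.
DANGEROUS = {
    "EnableLUA": ({"0"}, "UAC switched off entirely (applies after the next reboot; default 1)"),
    "ConsentPromptBehaviorAdmin": ({"0"}, "administrators elevate without any prompt (default 5)"),
    "PromptOnSecureDesktop": ({"0"}, "UAC prompt drawn on the normal, spoofable desktop (default 1)"),
    "DisableTaskMgr": ({"1"}, "Task Manager blocked for the user (default absent or 0)"),
}
_LOOKUP = {name.lower(): (name, bad, why) for name, (bad, why) in DANGEROUS.items()}

SET_RE = re.compile(
    r'^Set value \((?:int|str)\) (?P<key>\\REGISTRY\\\S+)\\(?P<value>\w+) = "(?P<data>[^"]*)" (?P<proc>.+?) N/A$'
)
REGADD_RE = re.compile(r'^reg(?:\.exe)? add (?P<key>\S+) /v (?P<value>\S+) /t \S+ /d (?P<data>\S+)', re.I)


def _policy_writes(lines):
    """Yield (key, value name, data, process) for every write under ...\\Policies\\System."""
    for line in lines:
        text = line.strip()
        m = SET_RE.match(text) or REGADD_RE.match(text)
        if not m:
            continue  # queries and unrelated events are not writes
        key = m.group("key").rstrip("\\").lower()
        if not key.endswith(r"\policies\system"):
            continue
        proc = m.groupdict().get("proc") or "reg.exe"
        yield key, m.group("value"), m.group("data"), proc


def assess_policy_events(lines):
    """One finding per write that sets a policy value to dangerous data."""
    findings = []
    for key, value, data, proc in _policy_writes(lines):
        hit = _LOOKUP.get(value.lower())
        if hit and data in hit[1]:
            hive = "HKLM" if ("machine" in key or key.startswith("hklm")) else "HKCU"
            findings.append({"hive": hive, "value": hit[0], "data": data, "process": proc, "why": hit[2]})
    return findings


def summarize(findings):
    """Map each tampered value to the sorted list of processes that wrote it."""
    by_value = defaultdict(set)
    for f in findings:
        by_value[f["value"]].add(f["process"])
    return {value: sorted(procs) for value, procs in by_value.items()}


if __name__ == "__main__":
    for value, procs in summarize(assess_policy_events(SAMPLE_EVENTS)).items():
        print(f"{value}: {', '.join(procs)}")
```

On a live host the same three values can be read back with reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; both the dropper (reviewinto.exe) and the renamed copy (fontdrvhost.exe) write them, so the copy re-applies the weakening on every scheduled start.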

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat" "

C:\SavesRuntimecrtmonitorCommon\reviewinto.exe

"C:\SavesRuntimecrtmonitorCommon\reviewinto.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KKlGe0JO2v.bat"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\en-US\fontdrvhost.exe

"C:\Windows\en-US\fontdrvhost.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1882064e-db7e-44de-b67e-c3cccd85c4ce.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7d6cf0c6-385f-4a93-966d-38d02ddc725b.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1428 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
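The nine schtasks.exe command lines above are the persistence layer: each dropped copy gets an ONLOGON task at highest run level plus two short-interval MINUTE tasks that restart it if it is killed, and every binary carries the name of a genuine Windows component (fontdrvhost.exe, SearchApp.exe, MoUsoCoreWorker.exe) while living in a language-resource folder, a Program Files subfolder or the Default user profile. Because the tasks were created through WMI (hence wmiprvse.exe, not reviewinto.exe, appears as the parent in the "Process spawned unexpected child process" signature), a detection keyed on the dropper's own child processes misses them; the task command line itself has to be inspected. The added example below (editor's code, not part of the report) parses the /create options and scores each task. The EXPECTED_HOME directories are the editor's knowledge of where Windows ships those binaries; the command lines are copied verbatim from the list above.

```python
import re
from collections import defaultdict

# The nine schtasks.exe command lines listed under Processes, verbatim.
SCHTASKS_COMMANDS = [
    r'''schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /f''',
    r'''schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\MoUsoCoreWorker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /f''',
    r'''schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Windows\en-US\fontdrvhost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /f''',
    r'''schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\uk-UA\SearchApp.exe'" /rl HIGHEST /f''',
]

OPTS = {
    "name": re.compile(r'/tn\s+"([^"]+)"', re.I),
    "schedule": re.compile(r"/sc\s+(\w+)", re.I),
    "modifier": re.compile(r"/mo\s+(\d+)", re.I),
    "target": re.compile(r'''/tr\s+"'?([^"']+)'?"''', re.I),
    "runlevel": re.compile(r"/rl\s+(\w+)", re.I),
}

# Editor's assumption: where Windows actually keeps the binaries these names belong to.
EXPECTED_HOME = {
    "fontdrvhost.exe": r"c:\windows\system32",
    "mousocoreworker.exe": r"c:\windows\system32",
    "searchapp.exe": r"c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy",
}


def parse_schtasks(cmd):
    """Return the /create options as a dict, or None if cmd is not a schtasks /create."""
    if not re.match(r'^\s*"?schtasks(?:\.exe)?"?\s+/create\b', cmd, re.I):
        return None
    task = {"force": re.search(r"\s/f(?:\s|$)", cmd, re.I) is not None}
    for field, rx in OPTS.items():
        m = rx.search(cmd)
        task[field] = m.group(1) if m else None
    if task["modifier"] is not None:
        task["modifier"] = int(task["modifier"])
    return task


def score_task(task):
    """Human-readable reasons why this task looks like malware persistence."""
    reasons = []
    target = (task["target"] or "").lower()
    directory, _, name = target.rpartition("\\")
    home = EXPECTED_HOME.get(name)
    if home and directory != home:
        reasons.append(f"masquerade: {name} belongs in {home}")
    if re.search(r"\\[a-z]{2}-[a-z]{2}\\", target):
        reasons.append("executable placed in a language-resource folder")
    if directory.startswith(r"c:\users\default"):
        reasons.append("executable placed in the Default user profile")
    if (task["runlevel"] or "").upper() == "HIGHEST":
        reasons.append("runs with highest privileges")
    if (task["schedule"] or "").upper() == "MINUTE" and (task["modifier"] or 0) <= 15:
        reasons.append("re-launched every few minutes (watchdog trigger)")
    if task["force"]:
        reasons.append("/f silently replaces any existing task of that name")
    return reasons


def triage(commands):
    """Group tasks by target binary; each entry lists its triggers and the union of reasons."""
    by_target = defaultdict(lambda: {"tasks": [], "reasons": set()})
    for cmd in commands:
        task = parse_schtasks(cmd)
        if task is None:
            continue
        entry = by_target[task["target"]]
        entry["tasks"].append((task["name"], task["schedule"], task["modifier"], task["runlevel"]))
        entry["reasons"].update(score_task(task))
    return dict(by_target)


if __name__ == "__main__":
    for target, entry in triage(SCHTASKS_COMMANDS).items():
        print(target)
        for name, sched, mod, rl in entry["tasks"]:
            print(f"  task {name}: {sched} {mod or ''} {rl or ''}".rstrip())
        for reason in sorted(entry["reasons"]):
            print(f"  ! {reason}")
```

Grouping by target rather than by task name matters here: the sample reuses a task name (fontdrvhostf, SearchAppS, MoUsoCoreWorkerM) with /f so the second MINUTE task overwrites the first, and only the per-binary view shows that each copy ends up with one logon trigger and one minute-interval trigger at highest run level.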

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 a0998797.xsph.ru udp
RU 141.8.195.33:80 a0998797.xsph.ru tcp
RU 141.8.195.33:80 a0998797.xsph.ru tcp
US 8.8.8.8:53 33.195.8.141.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
RU 141.8.195.33:80 a0998797.xsph.ru tcp
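Most of this table is noise: the in-addr.arpa rows are reverse lookups the operating system and the sandbox's Edge instance perform for addresses they talk to, and the lone TCP connection to 13.107.246.64:443 has no lookup from the sample behind it. The activity attributable to the sample is one forward lookup of a0998797.xsph.ru followed by three plain-HTTP connections to the resolved host 141.8.195.33 in Russia (the reverse lookup 33.195.8.141.in-addr.arpa that follows is the host resolving that same address back). The added example below (editor's code, not from the sandbox) parses rows in this table's format, converts PTR names back to IPs, and keeps as the C2 candidate only connections whose domain the sample itself resolved; the rows are copied verbatim from the table.

```python
import re
from collections import Counter

# Rows copied from the Network table above: country, destination, domain, protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 a0998797.xsph.ru udp
RU 141.8.195.33:80 a0998797.xsph.ru tcp
RU 141.8.195.33:80 a0998797.xsph.ru tcp
US 8.8.8.8:53 33.195.8.141.in-addr.arpa udp
US 8.8.8.8:53 145.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp
RU 141.8.195.33:80 a0998797.xsph.ru tcp
""".splitlines()

# The domain column is optional (the 13.107.246.64 row has none).
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)(?: (?P<domain>\S+))? (?P<proto>udp|tcp)$"
)


def parse_network(lines):
    rows = []
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def ptr_to_ip(name):
    """'33.195.8.141.in-addr.arpa' -> '141.8.195.33' (PTR names carry the octets reversed)."""
    suffix = ".in-addr.arpa"
    octets = name.lower()[: -len(suffix)].split(".")
    return ".".join(reversed(octets))


def triage_network(lines):
    """Separate reverse-DNS noise, forward lookups, attributable C2 and unattributed connections."""
    reverse_lookups, forward_lookups, connections = set(), set(), Counter()
    for r in parse_network(lines):
        dom = r["domain"]
        if r["proto"] == "udp" and r["port"] == 53 and dom:
            if dom.lower().endswith(".in-addr.arpa"):
                reverse_lookups.add(ptr_to_ip(dom))
            else:
                forward_lookups.add(dom.lower())
        elif r["proto"] == "tcp":
            connections[(r["ip"], r["port"], dom, r["cc"])] += 1
    c2, unattributed = [], []
    for (ip, port, dom, cc), n in connections.items():
        if dom and dom.lower() in forward_lookups:
            c2.append({"ip": ip, "port": port, "domain": dom, "country": cc, "connections": n})
        else:
            unattributed.append((ip, port))
    return {
        "c2": c2,
        "unattributed": unattributed,
        "reverse_lookups": sorted(reverse_lookups),
        "forward_lookups": sorted(forward_lookups),
    }


if __name__ == "__main__":
    result = triage_network(NETWORK_ROWS)
    for hit in result["c2"]:
        print(f"C2 candidate: {hit['domain']} -> {hit['ip']}:{hit['port']} ({hit['country']}, {hit['connections']} connections)")
    print("unattributed:", result["unattributed"])
```

The resulting indicators are the domain a0998797.xsph.ru (an auto-generated-looking account subdomain on a shared-hosting domain, which is the editor's reading of the name) and 141.8.195.33:80; the fourteen addresses recovered from PTR lookups are worth checking against passive DNS before treating any of them as sample infrastructure, since they include the resolver's own reverse lookup of the C2 address.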

Files

C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe

MD5 4defbf69b7ac7cd48d5d28019164fc15
SHA1 475d6ef458c0505261f6e058b84d602dd55a792a
SHA256 0b66c2ddaca8e3a1be3a5a7543d480993ab71bf4b8308fff4ebe3754ea22f47f
SHA512 6eadacef630be325097a307e115fac9e960b6bdb2460dff8c2058a78d92b46d1a6845d36b2d1ed0794d1b64694bb60cd12f71be2e4f5634f023506962161d2fe

C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat

MD5 aa1ca164a728084ffd5e22bcf41ef9fb
SHA1 a46fc620937abf7e82d6c97e728530549c74805f
SHA256 c98facc1c471936575f62d9bdafd6614f5a66477c33c3a53ab41688a4917750d
SHA512 71dda5b7b13809823069eada39a0b6c3ebb26377125b6b4f1e7a283dfcee4139732b5b456fcba91bfaaf29a38929fb8adc5c17b18bf7733457e4db878df0a9e4

C:\SavesRuntimecrtmonitorCommon\reviewinto.exe

MD5 c3d7d94a09a4a29ddc66ba84508d559f
SHA1 8bdcdd488649b311182622b7b07ea526bfd021c8
SHA256 dee994f94e8e98b45fa47215e4593157d13a39f87ca2de6208614a61208c7b5c
SHA512 ae1a238b5cbd08a6b4db092390fd22bb3f0970ed1bc744d676e357e38f2ac182025e01abd8d7da9771f154df378e972c27e324608da29d0c0cbb9db606e9e0d0

memory/1004-12-0x00007FFD76643000-0x00007FFD76645000-memory.dmp

memory/1004-13-0x00000000004F0000-0x0000000000692000-memory.dmp

memory/1004-14-0x00000000027B0000-0x00000000027BE000-memory.dmp

memory/1004-15-0x0000000002700000-0x000000000271C000-memory.dmp

memory/1004-16-0x0000000002820000-0x0000000002870000-memory.dmp

memory/1004-17-0x0000000002720000-0x0000000002728000-memory.dmp

memory/1004-18-0x0000000002730000-0x0000000002740000-memory.dmp

memory/1004-19-0x00000000027D0000-0x00000000027D8000-memory.dmp

memory/1004-20-0x00000000027E0000-0x00000000027F0000-memory.dmp

memory/1004-21-0x00000000027F0000-0x00000000027FA000-memory.dmp

memory/1004-22-0x0000000002800000-0x000000000280C000-memory.dmp

memory/1004-23-0x0000000002810000-0x0000000002822000-memory.dmp

memory/1004-24-0x000000001BF80000-0x000000001C4A8000-memory.dmp

memory/1004-25-0x0000000002890000-0x000000000289C000-memory.dmp

memory/1004-26-0x00000000028A0000-0x00000000028AC000-memory.dmp

memory/1004-28-0x000000001B3A0000-0x000000001B3AE000-memory.dmp

memory/1004-27-0x00000000028B0000-0x00000000028BA000-memory.dmp

memory/1004-29-0x000000001B3B0000-0x000000001B3B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\KKlGe0JO2v.bat

MD5 ca588823d919b2c368bbe0abd91b4d4c
SHA1 498ce3983860bdf5b7db789aabda875bb829a4e9
SHA256 463f9623efa5410bcc500deb60bc7bae514f71e0e204b6cf6ca98b227fb0d2bc
SHA512 11b29f7b6c82be653a1f74cfeb6205402ad2900ea4d0615f4b98ef4608bba728cdf8dadd44f39763eedc43bdde29d8f09a1ba3fdc8930f09add24dc959e85349

memory/4396-45-0x000000001B7F0000-0x000000001B802000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7d6cf0c6-385f-4a93-966d-38d02ddc725b.vbs

MD5 e58bbf8a443357deec120118e9012cda
SHA1 13ccf73017b1c75fb1c195e0eeb1c43a91b27755
SHA256 5a5fa79e436ef958414a57805b27386fbc1bff0408daa4ec5eb1c45ce8a9fd6a
SHA512 0d9300a67e8f0cf63067f82fd9524d98bbbdeb08ae7e7c4bfb603f05005fedcc5e16bc5d87618dbaf48c6b67af9a2f309c154ba063356acfefe537b91ab8fa1b

C:\Users\Admin\AppData\Local\Temp\1882064e-db7e-44de-b67e-c3cccd85c4ce.vbs

MD5 3e85d8f871cc9b054a968320ba4534b2
SHA1 15bd42cdd8ef9089e07f3172c95ee58b0f8f013e
SHA256 70efb8cb1f8dc8a41f0b62af4b1aa224fa1ffa444603a52a01e2026706d99df8
SHA512 9dfcd1c03883e395b4df952268b7e191c552c0fce09872ca635d7ddd1cbab82ee0d480b7228b05ada7c2e213b1bade082028e518db6d8a0991c183fe8714a954

memory/4396-55-0x000000001C480000-0x000000001C4CB000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-21 19:05

Reported

2024-06-21 19:09

Platform

win11-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\5b884080fd4f94 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\cc11b995f2a76d C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A (51 identical rows)

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (51 identical events)

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Recovery\WindowsRE\wininit.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\5b884080fd4f94 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\29c1c3cc0f7685 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Google\24dbde2999530e C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\b1200e0ac9bfc0 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Google\Update\Offline\e1ef82546f0b02 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Google\WmiPrvSE.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\winlogon.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\cc11b995f2a76d C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings C:\Recovery\WindowsRE\wininit.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A
N/A N/A C:\Recovery\WindowsRE\wininit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Token: SeDebugPrivilege N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\wininit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1856 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 1856 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 1856 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 3880 wrote to memory of 1384 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 1384 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 1384 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1384 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
PID 1384 wrote to memory of 5020 N/A C:\Windows\SysWOW64\cmd.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
PID 5020 wrote to memory of 4852 N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
PID 5020 wrote to memory of 4852 N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
PID 1384 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1384 wrote to memory of 1156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4852 wrote to memory of 3588 N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe C:\Windows\System32\cmd.exe
PID 4852 wrote to memory of 3588 N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe C:\Windows\System32\cmd.exe
PID 3588 wrote to memory of 2080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3588 wrote to memory of 2080 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3588 wrote to memory of 1960 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\wininit.exe
PID 3588 wrote to memory of 1960 N/A C:\Windows\System32\cmd.exe C:\Recovery\WindowsRE\wininit.exe
PID 1960 wrote to memory of 4712 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1960 wrote to memory of 4712 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1960 wrote to memory of 1172 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1960 wrote to memory of 1172 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4712 wrote to memory of 4780 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4712 wrote to memory of 4780 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4780 wrote to memory of 4028 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 4028 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 4364 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4780 wrote to memory of 4364 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4028 wrote to memory of 3628 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4028 wrote to memory of 3628 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 3628 wrote to memory of 3776 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3628 wrote to memory of 3776 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3628 wrote to memory of 4884 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3628 wrote to memory of 4884 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3776 wrote to memory of 1944 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 3776 wrote to memory of 1944 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 1944 wrote to memory of 1596 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1944 wrote to memory of 1596 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1944 wrote to memory of 1456 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1944 wrote to memory of 1456 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 1596 wrote to memory of 460 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 1596 wrote to memory of 460 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 460 wrote to memory of 4592 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 460 wrote to memory of 4592 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 460 wrote to memory of 800 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 460 wrote to memory of 800 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4592 wrote to memory of 3944 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4592 wrote to memory of 3944 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 3944 wrote to memory of 3324 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 3324 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 3392 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3944 wrote to memory of 3392 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3324 wrote to memory of 3704 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 3324 wrote to memory of 3704 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 3704 wrote to memory of 4956 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3704 wrote to memory of 4956 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3704 wrote to memory of 1104 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 3704 wrote to memory of 1104 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4956 wrote to memory of 4608 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4956 wrote to memory of 4608 N/A C:\Windows\System32\WScript.exe C:\Recovery\WindowsRE\wininit.exe
PID 4608 wrote to memory of 4148 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4608 wrote to memory of 4148 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe
PID 4608 wrote to memory of 4876 N/A C:\Recovery\WindowsRE\wininit.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Recovery\WindowsRE\wininit.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Recovery\WindowsRE\wininit.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat" "

C:\SavesRuntimecrtmonitorCommon\reviewinto.exe

"C:\SavesRuntimecrtmonitorCommon\reviewinto.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy\microsoft.system.package.metadata\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\SavesRuntimecrtmonitorCommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\SavesRuntimecrtmonitorCommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\SavesRuntimecrtmonitorCommon\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\SavesRuntimecrtmonitorCommon\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f

C:\SavesRuntimecrtmonitorCommon\reviewinto.exe

"C:\SavesRuntimecrtmonitorCommon\reviewinto.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\USOShared\Logs\reviewinto.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewinto" /sc ONLOGON /tr "'C:\Users\All Users\USOShared\Logs\reviewinto.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\USOShared\Logs\reviewinto.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\SavesRuntimecrtmonitorCommon\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\SavesRuntimecrtmonitorCommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewinto" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\en-US\reviewinto.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\Offline\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\amzpk88eS2.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\WindowsRE\wininit.exe

"C:\Recovery\WindowsRE\wininit.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dafdeb52-16a6-479b-a42e-cffe1ca646b1.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cc8ce5d3-02b0-46c1-bf65-df9be6394706.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04b9f0f5-78d2-4d43-9395-a68671996323.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\810e0e39-f556-4a52-b5ba-dc955298d315.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bb09c01-b2e9-4840-a999-6997e487c985.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d567250a-6961-43ed-8dd2-a8e94f5c07af.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c0f8ca1-9f8c-4c31-b96f-fc9a96406e79.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\695c9034-022c-4d67-9327-4517fd5d74c2.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc987819-2fb8-44d5-a2fa-94e1136871c6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6070b8d-e090-4e33-82ca-b92321ae8794.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cdeb7455-c130-4c82-a3e0-cc4e71904698.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3073b8a6-bb1b-4a42-b239-ad8211a32748.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64cb5b56-1f47-420b-9331-2bccc5bab3eb.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44b559c9-1740-47f8-abe2-cc59a9d941a9.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2171fe72-002b-4241-821f-ad96e9b3a260.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76c4140a-d1da-480f-90dc-7e6b8490c807.vbs"

C:\Recovery\WindowsRE\wininit.exe

C:\Recovery\WindowsRE\wininit.exe

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2485f83f-a81a-42b4-8051-6632daddfda6.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3a87fa1-3dc6-4c9b-94c6-5d41fe02c2b5.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0998797.xsph.ru udp
US 8.8.8.8:53 a0998797.xsph.ru udp
US 8.8.8.8:53 a0998797.xsph.ru udp
US 8.8.8.8:53 a0998797.xsph.ru udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 a0998797.xsph.ru udp
US 8.8.8.8:53 a0998797.xsph.ru udp
US 8.8.8.8:53 a0998797.xsph.ru udp
US 8.8.8.8:53 a0998797.xsph.ru udp
US 8.8.8.8:53 a0998797.xsph.ru udp
US 8.8.8.8:53 a0998797.xsph.ru udp

Files

C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe

MD5 4defbf69b7ac7cd48d5d28019164fc15
SHA1 475d6ef458c0505261f6e058b84d602dd55a792a
SHA256 0b66c2ddaca8e3a1be3a5a7543d480993ab71bf4b8308fff4ebe3754ea22f47f
SHA512 6eadacef630be325097a307e115fac9e960b6bdb2460dff8c2058a78d92b46d1a6845d36b2d1ed0794d1b64694bb60cd12f71be2e4f5634f023506962161d2fe

C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat

MD5 aa1ca164a728084ffd5e22bcf41ef9fb
SHA1 a46fc620937abf7e82d6c97e728530549c74805f
SHA256 c98facc1c471936575f62d9bdafd6614f5a66477c33c3a53ab41688a4917750d
SHA512 71dda5b7b13809823069eada39a0b6c3ebb26377125b6b4f1e7a283dfcee4139732b5b456fcba91bfaaf29a38929fb8adc5c17b18bf7733457e4db878df0a9e4

C:\SavesRuntimecrtmonitorCommon\reviewinto.exe

MD5 c3d7d94a09a4a29ddc66ba84508d559f
SHA1 8bdcdd488649b311182622b7b07ea526bfd021c8
SHA256 dee994f94e8e98b45fa47215e4593157d13a39f87ca2de6208614a61208c7b5c
SHA512 ae1a238b5cbd08a6b4db092390fd22bb3f0970ed1bc744d676e357e38f2ac182025e01abd8d7da9771f154df378e972c27e324608da29d0c0cbb9db606e9e0d0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\reviewinto.exe.log

MD5 311f1926e60b4f85bf8140299ca70235
SHA1 9b700a28d63b5dae143da22bf642c67f3bb0af49
SHA256 aaa667e50ce82f1cc798b5aacf93f14ef83632c20bea6655d66f631ce6f0c70b
SHA512 e58bcdcd64b52b68cf88c7e92932665a196a35b5a0b3c483179b69389553669607e443c33ffb40ec02b506ee353522e973b58292215697fc430226e79dcb7f24

C:\Users\Admin\AppData\Local\Temp\amzpk88eS2.bat

MD5 afca0a3c12ee421409a0dba3b012a62f
SHA1 ee3121cd358dbfd2d3461e75f74a868140348f7b
SHA256 6e9b7090dbb447303ea65325fae1b8721f067759401867a46ab7ff00ab056d32
SHA512 ed2b9cc246104da371e62b128df80513e4960b3ba1ea838af48e87b528c0ca73c38cd78132807aa7212530c38a0b6e6a4887dc8042764e927add3c801e2365bd

C:\Users\Admin\AppData\Local\Temp\cc8ce5d3-02b0-46c1-bf65-df9be6394706.vbs

MD5 94dda34c2855e1a15b328328f51a3d36
SHA1 3929e7f3a1b705e63ff7878b8608e07cd1b14e4d
SHA256 1efe274b27b072f862140078c2884ab897582e5bac31d008456ca2cb3d568f01
SHA512 7125ceca454c4700eeced97e9097fc87a114488ea456e9b9d12ae3b5ffba3f365ea8a9741a89ae7763f37e2e8d93ebea1074cc91f5bba61804e5db714863cdd9

C:\Users\Admin\AppData\Local\Temp\dafdeb52-16a6-479b-a42e-cffe1ca646b1.vbs

MD5 4e627f79a0787bf93235f1e3d99107fe
SHA1 b3e869ee10c79e370b26fcfb531864ef10cc8d14
SHA256 bc2587e065a33973174b6f2a5b2312478e0cb9db97cbd3caef4de1d5fa130659
SHA512 6a1066b68ba6aa1849cfafc4af98b377188d0fe97a5398d809a0e501b0748f95f6a58b2edfa60272442764e57b2e9126fc750f738e86e167b25e557342e1859a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

MD5 b058942fe750846925da0c79dbad94ec
SHA1 338efbdf7514f23e73dac4e69c6e9b979b0c902f
SHA256 de170e04a6f6e8c23b3c293a4c9386ec929f3ab0b79d0051fbe285a894edb559
SHA512 bcfa26f2dc24237eefd8070714735a0ebde5a3f83845f31ea412807e98b61f93ea96b6f1166d21e0bcec948483347790b2238151caceadcb0ec353dd877f375e

C:\Users\Admin\AppData\Local\Temp\04b9f0f5-78d2-4d43-9395-a68671996323.vbs

MD5 2a156be74157db09718b96a557e8cc9a
SHA1 3705b0a31b96db84a756754002d537e602817355
SHA256 72de03e93c20d79982fcbd2b0153c14cdd769a937d72231c8184f3ca2f72b330
SHA512 55e1076c0aca7ae8808674e2a302ae3e07f4c9e9b94345c5aa2dad6f549e0b3f02486217e2e67c0687db3a59d5ab14a27f29fdee1d07d3bafa8955b376553739

C:\Users\Admin\AppData\Local\Temp\6bb09c01-b2e9-4840-a999-6997e487c985.vbs

MD5 162262297695eb62a52acb98ba0293c3
SHA1 81d12045244e44f11ea7edec40e1eeb5a3cdbb9a
SHA256 524e503d69608f6e8dd00056de4aac696f1a634ee9b614f6e26954f913fe6836
SHA512 52c1066c0de5aba378d142ad5419939250dc07bc28c36fc11b13462582676f7c968ae1a7aea3f282e85b3f7961ddcde0d6c0221187cd29fdcb31542dbdf49adc

C:\Users\Admin\AppData\Local\Temp\4c0f8ca1-9f8c-4c31-b96f-fc9a96406e79.vbs

MD5 5f30ea31e5a61f485eb33da65e13d6db
SHA1 6c031884c83811b924fdf77cb00449d9baceabd5
SHA256 f51a428dc4d403d1d099bf02f56ea9fa15c3d095f5c1324cd1c10d85260ad10e
SHA512 5577d6795af07bc2982f8d730873a01e5b2d614484135b4c385b5b7a883e94cd2f2b95ef8e4d1fa27f0b80f9c0b0ddbf5dfac8033047321a4113b2d3ca5a1852

C:\Users\Admin\AppData\Local\Temp\dc987819-2fb8-44d5-a2fa-94e1136871c6.vbs

MD5 e161af3ae928577738c580ef19c2b5b3
SHA1 03ecbeb0a9db87065aac0542c6098382d4de7692
SHA256 4d36ab8d6a72634f45be78601c74681c2e82f9abe136fc5985f0902e472d0976
SHA512 7d187f54995ba04ca2543850156dd9a1e15b8e143e255fee001fb11aaa7501e071016513ba095f9495c7882870c8d9dafd3ee7e64a01a360b8d6ac571cfddba0

C:\Users\Admin\AppData\Local\Temp\cdeb7455-c130-4c82-a3e0-cc4e71904698.vbs

MD5 364f318b796511a6a0060ee2f243b8fc
SHA1 61435bc199b46f923fe3af7c718f29dcd14edac5
SHA256 19de93005aa774653891cf5b37c035be071013c0b2b229d54874dffbd7d39ef9
SHA512 e261ee8ce3e7a41c11308410bfb59494ce3e0c7c7a11f5c4ef757afad079c2b67a67779e9640b4fd532cb43c8e5f8da20e6ff1942d97cbbcc421e65ee0f2359e

C:\Users\Admin\AppData\Local\Temp\64cb5b56-1f47-420b-9331-2bccc5bab3eb.vbs

MD5 0b9c3f7eabbdb141a7572758dd3e00fb
SHA1 a950ea3f2b5e24900e1323d6ab6c4636a750d320
SHA256 65f138258d3bf2620de9b3111eab543ada3661e85518af18010038476627851d
SHA512 7170be6a4e72d7895a2865e716f6a25571db7b3199fc9ba79bab6d4c4031da6dd8ff6a5f1020436ea14dfeb376a2bb1d00f1ba966423410d22f4d1326d16d18c

C:\Users\Admin\AppData\Local\Temp\2171fe72-002b-4241-821f-ad96e9b3a260.vbs

MD5 bb9bcc13a26dce61d2b6a83cf364dcd4
SHA1 ecfebb95b0346edc74ad48c45adcb06f514d79ef
SHA256 eeddaef6b765dab401f0d08e78f44ae7363b6fb181d691f3fe9daa39916010fe
SHA512 11970ab7fbf0f3733471a52405e98e5567e2d04940024ee43ad9ebd02863f2e4c62378290ae2ea9642d907fab6d822b8a27bbc94051b5f558c3b2d8b16ed1c20

C:\Users\Admin\AppData\Local\Temp\2485f83f-a81a-42b4-8051-6632daddfda6.vbs

MD5 a24f797a58443914b50d58fa55739094
SHA1 91d3ed5521444eec0a1140f8ecd00f7503e083f7
SHA256 eb82d6e774d0ed4d34b310ae74adade9db452c68a1f25d4eed874e3378d3a6f6
SHA512 5f55fe8e4f50266c16a658567641c4e84366e8d2c80093dc31b4fafa885f72551cbac2840b30c90c422db62880ef625b90ad0d7242740de390fc7abe870f71ac

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 19:05

Reported

2024-06-21 19:09

Platform

win10-20240404-en

Max time kernel

134s

Max time network

136s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 19:05

Reported

2024-06-21 19:09

Platform

win10v2004-20240226-en

Max time kernel

137s

Max time network

143s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-21 19:05

Reported

2024-06-21 19:09

Platform

win11-20240508-en

Max time kernel

146s

Max time network

150s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.zip

Signatures

N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Solara.zip

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-21 19:05

Reported

2024-06-21 19:09

Platform

win10-20240404-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\de-DE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\de-DE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\de-DE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\de-DE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\de-DE\explorer.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\browser\b1200e0ac9bfc0 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\sysmon.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\spoolsv.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\sihost.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\66fc9ff0ee96c2 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\f3b6ecef712a24 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\f3b6ecef712a24 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\reviewinto.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\121e5b5079f7c0 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\de-DE\explorer.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
File created C:\Windows\de-DE\7a0fd90576e088 C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings C:\Windows\de-DE\explorer.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A
N/A N/A C:\Windows\de-DE\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\de-DE\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\de-DE\explorer.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1396 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 1396 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 1396 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe C:\Windows\SysWOW64\WScript.exe
PID 4608 wrote to memory of 3988 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 3988 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 3988 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3988 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
PID 3988 wrote to memory of 4896 N/A C:\Windows\SysWOW64\cmd.exe C:\SavesRuntimecrtmonitorCommon\reviewinto.exe
PID 4896 wrote to memory of 3236 N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe C:\Windows\System32\cmd.exe
PID 4896 wrote to memory of 3236 N/A C:\SavesRuntimecrtmonitorCommon\reviewinto.exe C:\Windows\System32\cmd.exe
PID 3988 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3988 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3236 wrote to memory of 2236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3236 wrote to memory of 2236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3236 wrote to memory of 4644 N/A C:\Windows\System32\cmd.exe C:\Windows\de-DE\explorer.exe
PID 3236 wrote to memory of 4644 N/A C:\Windows\System32\cmd.exe C:\Windows\de-DE\explorer.exe
PID 4644 wrote to memory of 4812 N/A C:\Windows\de-DE\explorer.exe C:\Windows\System32\WScript.exe
PID 4644 wrote to memory of 4812 N/A C:\Windows\de-DE\explorer.exe C:\Windows\System32\WScript.exe
PID 4644 wrote to memory of 868 N/A C:\Windows\de-DE\explorer.exe C:\Windows\System32\WScript.exe
PID 4644 wrote to memory of 868 N/A C:\Windows\de-DE\explorer.exe C:\Windows\System32\WScript.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\de-DE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\de-DE\explorer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\SavesRuntimecrtmonitorCommon\reviewinto.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\de-DE\explorer.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\Solara\SolaraBootstrapper.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat" "

C:\SavesRuntimecrtmonitorCommon\reviewinto.exe

"C:\SavesRuntimecrtmonitorCommon\reviewinto.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\reviewinto.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewinto" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\reviewinto.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "reviewintor" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\browser\reviewinto.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\sysmon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\SavesRuntimecrtmonitorCommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\SavesRuntimecrtmonitorCommon\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\SavesRuntimecrtmonitorCommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\SavesRuntimecrtmonitorCommon\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender Advanced Threat Protection\ja-JP\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZhjKPAlWJ0.bat"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\de-DE\explorer.exe

"C:\Windows\de-DE\explorer.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\626051b2-1ddd-4bbd-b1f3-6acf1b847e1e.vbs"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5453d5f-cf98-4f5e-b151-0ba95bc4a58e.vbs"

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 a0998797.xsph.ru udp
RU 141.8.195.33:80 a0998797.xsph.ru tcp
RU 141.8.195.33:80 a0998797.xsph.ru tcp
US 8.8.8.8:53 33.195.8.141.in-addr.arpa udp
RU 141.8.195.33:80 a0998797.xsph.ru tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 141.8.195.33:80 a0998797.xsph.ru tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

C:\SavesRuntimecrtmonitorCommon\jlhL2OmdnM.vbe

MD5 4defbf69b7ac7cd48d5d28019164fc15
SHA1 475d6ef458c0505261f6e058b84d602dd55a792a
SHA256 0b66c2ddaca8e3a1be3a5a7543d480993ab71bf4b8308fff4ebe3754ea22f47f
SHA512 6eadacef630be325097a307e115fac9e960b6bdb2460dff8c2058a78d92b46d1a6845d36b2d1ed0794d1b64694bb60cd12f71be2e4f5634f023506962161d2fe

C:\SavesRuntimecrtmonitorCommon\4ZsCcJGcA5WhDRgpe0Cmw.bat

MD5 aa1ca164a728084ffd5e22bcf41ef9fb
SHA1 a46fc620937abf7e82d6c97e728530549c74805f
SHA256 c98facc1c471936575f62d9bdafd6614f5a66477c33c3a53ab41688a4917750d
SHA512 71dda5b7b13809823069eada39a0b6c3ebb26377125b6b4f1e7a283dfcee4139732b5b456fcba91bfaaf29a38929fb8adc5c17b18bf7733457e4db878df0a9e4

C:\SavesRuntimecrtmonitorCommon\reviewinto.exe

MD5 c3d7d94a09a4a29ddc66ba84508d559f
SHA1 8bdcdd488649b311182622b7b07ea526bfd021c8
SHA256 dee994f94e8e98b45fa47215e4593157d13a39f87ca2de6208614a61208c7b5c
SHA512 ae1a238b5cbd08a6b4db092390fd22bb3f0970ed1bc744d676e357e38f2ac182025e01abd8d7da9771f154df378e972c27e324608da29d0c0cbb9db606e9e0d0

memory/4896-14-0x00000000004C0000-0x0000000000662000-memory.dmp

memory/4896-15-0x0000000002920000-0x000000000292E000-memory.dmp

memory/4896-16-0x0000000002930000-0x000000000294C000-memory.dmp

memory/4896-17-0x000000001B1E0000-0x000000001B230000-memory.dmp

memory/4896-18-0x000000001B160000-0x000000001B168000-memory.dmp

memory/4896-19-0x000000001B170000-0x000000001B180000-memory.dmp

memory/4896-20-0x000000001B190000-0x000000001B198000-memory.dmp

memory/4896-21-0x000000001B1B0000-0x000000001B1C0000-memory.dmp

memory/4896-22-0x000000001B1A0000-0x000000001B1AA000-memory.dmp

memory/4896-23-0x000000001B1C0000-0x000000001B1CC000-memory.dmp

memory/4896-24-0x000000001B1D0000-0x000000001B1E2000-memory.dmp

memory/4896-25-0x000000001BEB0000-0x000000001C3D6000-memory.dmp

memory/4896-26-0x000000001B250000-0x000000001B25C000-memory.dmp

memory/4896-27-0x000000001B260000-0x000000001B26C000-memory.dmp

memory/4896-29-0x000000001B990000-0x000000001B99E000-memory.dmp

memory/4896-28-0x000000001B980000-0x000000001B98A000-memory.dmp

memory/4896-30-0x000000001B9A0000-0x000000001B9A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ZhjKPAlWJ0.bat

MD5 267ec0e7133262a9921581e0ad459516
SHA1 c1d0c91f71b136126c58efd1f796d461480746e7
SHA256 1c12c2666ef5c6c818841163e20b01ead6d8471e06269840b60d03feae048f76
SHA512 05086a72866d6c9c5e460b2b2a83213efeecffaa36ec19630d871273f257e1e42f0878476782c8e6d76f406a48a1c76716650336a4eaf55d5d70ae638d14f2c7

memory/4644-68-0x0000000002F20000-0x0000000002F32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c5453d5f-cf98-4f5e-b151-0ba95bc4a58e.vbs

MD5 5c8323fa4a7ed8b39fb3f036d758373f
SHA1 30f3313e88663b0b57f89c4b65387af8bcfdb8ff
SHA256 75f50c25311cab1dc7ae48c162590b3469095112a4496f3b73ce91c9366b0988
SHA512 941132fd68325995ba52a515e28a526079946cd567f316153ee7886dbe051c4e1d0851102b563ce3a1b692d526664fb0842d1c98cf085eb5f081fe0c00aa6f0d

C:\Users\Admin\AppData\Local\Temp\626051b2-1ddd-4bbd-b1f3-6acf1b847e1e.vbs

MD5 6ed116302b66b8a06a42a3f0a42e71a8
SHA1 2cc4abb154dfee00ac5aa51497c9ce680ee23145
SHA256 0fb53438b3d6cc1a466305c71feaaf5989d75a47667db4341bef94f742988d17
SHA512 77207b1e7e0c6077cfcd2331184d052131aaad66d4da9db87ad78879b50759c9b598be8f76d9341d84f94d6af209b261ed5f68dd27e0b8e5b7d82d9e663356a4