Analysis
max time kernel: 59s
max time network: 57s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/06/2024, 07:13
Static task: static1
Behavioral task: behavioral1
Sample: SolaraB/Solara/SolaraBootstrapper.exe
Resource: win7-20240611-en
General
Target: SolaraB/Solara/SolaraBootstrapper.exe
Size: 3.6MB
MD5: 1084103f4bd706bf885d41afea903c6d
SHA1: 13d1b69e8d5beb8da4a7064dba7d170d1a038659
SHA256: a79d06166220bed4b1f1db64c211e0b8ae442d053ad3428cb7bc4a802bcb0c18
SHA512: 9affc2ce5813e810d686bd5f4faf70e3b4062a07da470ce8ea1214b11b078fd4c41a8c59bd49bb64505ac209b3bb91ed32ee49e8cc69617178701e6ed8390ff4
SSDEEP: 98304:ZqwBaxdtHuWZIJ0iDZkTBo2UYndDXJzATh:Zqw0xdtHutJ08uTBZUYnpQ
Malware Config
Signatures
DcRat
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
Process spawned unexpected child process (36 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description / pid / pid_target / Process / procid_target
All 36 rows share the description "Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process", pid_target 5048, Process schtasks.exe and procid_target 85; they differ only in pid:
1196, 3152, 4656, 3536, 3548, 2028, 4688, 4632, 3368, 3228, 2904, 2956, 1484, 2240, 3312, 4412, 1108, 4488, 4880, 4740, 1600, 3280, 2832, 4216, 3224, 4736, 4028, 4556, 4504, 5056, 4516, 2652, 3772, 3100, 2032, 1624
UAC bypass
description / ioc / Process
Every row is "Set value (int)" on a value under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ (value name, data, process):
ConsentPromptBehaviorAdmin = "0"  bridgebrowserFont.exe
EnableLUA = "0"  Idle.exe
EnableLUA = "0"  Idle.exe
EnableLUA = "0"  Idle.exe
ConsentPromptBehaviorAdmin = "0"  Idle.exe
PromptOnSecureDesktop = "0"  Idle.exe
EnableLUA = "0"  Idle.exe
ConsentPromptBehaviorAdmin = "0"  Idle.exe
EnableLUA = "0"  bridgebrowserFont.exe
PromptOnSecureDesktop = "0"  Idle.exe
PromptOnSecureDesktop = "0"  Idle.exe
EnableLUA = "0"  Idle.exe
ConsentPromptBehaviorAdmin = "0"  Idle.exe
PromptOnSecureDesktop = "0"  bridgebrowserFont.exe
ConsentPromptBehaviorAdmin = "0"  Idle.exe
PromptOnSecureDesktop = "0"  Idle.exe
ConsentPromptBehaviorAdmin = "0"  Idle.exe
PromptOnSecureDesktop = "0"  Idle.exe
resource / yara_rule
behavioral2/files/0x0009000000023410-6.dat  dcrat
behavioral2/files/0x0007000000023416-1495.dat  dcrat
behavioral2/memory/2148-1498-0x00000000001C0000-0x000000000053E000-memory.dmp  dcrat
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
description / ioc / Process
Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description / ioc / Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Checks computer location settings (2 TTPs, 10 IoCs)
Looks up country code configured in the registry, likely geofence.
description / ioc / Process
All 10 rows are "Key value queried" on \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation, by (in report order):
Idle.exe, Idle.exe, DCRatBuild.exe, SolaraBootstrapper.exe, bridgebrowserFont.exe, Idle.exe, SolaraBootstrapper.exe, WScript.exe, Idle.exe, Idle.exe
Executes dropped EXE (13 IoCs)
pid / Process
1704  DCRatBuild.exe
2076  SolaraBootstrapper.exe
1520  cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2148  bridgebrowserFont.exe
2100  Idle.exe
4400  Idle.exe
1424  Idle.exe
4040  Idle.exe
4232  Idle.exe
4656  Idle.exe
4664  Idle.exe
4044  Idle.exe
4312  Idle.exe
Loads dropped DLL (5 IoCs)
pid / Process
1520  cd57e4c171d6e8f5ea8b8f824a6a7316.exe  (5 rows)
resource / yara_rule
behavioral2/files/0x000700000002342b-1554.dat  themida
behavioral2/memory/1520-1561-0x0000000180000000-0x0000000180B0D000-memory.dmp  themida
behavioral2/memory/1520-1581-0x0000000180000000-0x0000000180B0D000-memory.dmp  themida
Checks whether UAC is enabled
description / ioc / Process
All rows concern \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA:
Set value (int)  EnableLUA = "0"  bridgebrowserFont.exe
Key value queried  EnableLUA  Idle.exe
Set value (int)  EnableLUA = "0"  Idle.exe
Key value queried  EnableLUA  bridgebrowserFont.exe
Key value queried  EnableLUA  cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried  EnableLUA  Idle.exe
Key value queried  EnableLUA  Idle.exe
Key value queried  EnableLUA  Idle.exe
Key value queried  EnableLUA  Idle.exe
Set value (int)  EnableLUA = "0"  Idle.exe
Set value (int)  EnableLUA = "0"  Idle.exe
Set value (int)  EnableLUA = "0"  Idle.exe
Set value (int)  EnableLUA = "0"  Idle.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 9 IoCs)
flow / ioc
20  raw.githubusercontent.com
36  pastebin.com
37  pastebin.com
19  raw.githubusercontent.com
31  raw.githubusercontent.com
33  raw.githubusercontent.com
41  pastebin.com
53  pastebin.com
54  pastebin.com
Drops file in System32 directory (11 IoCs)
description / ioc / Process
All rows are by svchost.exe under C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\:
File created  DSStmp.log
File created  DSSres00001.jrs
File created  DSS.chk
File created  DSTokenDB2.jfm
File created  DSTokenDB2.dat
File opened for modification  DSS.chk
File opened for modification  DSS.jcp
File opened for modification  DSS.log
File opened for modification  DSS.jtx
File created  DSSres00002.jrs
File opened for modification  DSTokenDB2.dat
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid / Process
1520  cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Drops file in Program Files directory (13 IoCs)
description / ioc / Process
All rows are by bridgebrowserFont.exe:
File created  C:\Program Files\Java\jre-1.8\bin\server\RuntimeBroker.exe
File created  C:\Program Files\Windows Portable Devices\Registry.exe
File created  C:\Program Files (x86)\WindowsPowerShell\lsass.exe
File opened for modification  C:\Program Files (x86)\WindowsPowerShell\lsass.exe
File created  C:\Program Files\VideoLAN\VLC\e6c9b481da804f
File created  C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe
File created  C:\Program Files (x86)\Reference Assemblies\Microsoft\56085415360792
File created  C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe
File created  C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe
File created  C:\Program Files (x86)\WindowsPowerShell\6203df4a6bafc7
File created  C:\Program Files\Java\jre-1.8\bin\server\9e8d7a4ca61bd9
File created  C:\Program Files\Windows Portable Devices\ee2ad38f3d4382
Drops file in Windows directory (6 IoCs)
description / ioc / Process
All rows are by bridgebrowserFont.exe:
File created  C:\Windows\addins\MoUsoCoreWorker.exe
File created  C:\Windows\addins\1f93f77a7f4778
File created  C:\Windows\RemotePackages\RemoteDesktops\explorer.exe
File created  C:\Windows\RemotePackages\RemoteDesktops\7a0fd90576e088
File created  C:\Windows\Migration\WTR\spoolsv.exe
File created  C:\Windows\Migration\WTR\f3b6ecef712a24
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (8 IoCs)
description / ioc / Process
All 8 rows are "Key created" on \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings, by (in report order):
bridgebrowserFont.exe, Idle.exe, Idle.exe, Idle.exe, Idle.exe, mspaint.exe, Idle.exe, DCRatBuild.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 36 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid / Process
All 36 rows are schtasks.exe, with pids:
3312, 4656, 4632, 1624, 2956, 5056, 1484, 1108, 4736, 2028, 4688, 1600, 3224, 4880, 4740, 3280, 3100, 3548, 4488, 3536, 2032, 2904, 2240, 4556, 4504, 1196, 3152, 4412, 2832, 4216, 4028, 4516, 2652, 3368, 3228, 3772
Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid / Process (identical consecutive rows are given once with their count)
2076  SolaraBootstrapper.exe  (x2)
2148  bridgebrowserFont.exe  (x8)
1520  cd57e4c171d6e8f5ea8b8f824a6a7316.exe  (x3)
2100  Idle.exe
1520  cd57e4c171d6e8f5ea8b8f824a6a7316.exe  (x4)
4400  Idle.exe
1424  Idle.exe
4656  Idle.exe
1840  mspaint.exe  (x2)
4044  Idle.exe  (x2)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
description / pid / Process
All 12 rows are "Token: SeDebugPrivilege":
2076  SolaraBootstrapper.exe
2148  bridgebrowserFont.exe
1520  cd57e4c171d6e8f5ea8b8f824a6a7316.exe
2100  Idle.exe
4400  Idle.exe
1424  Idle.exe
4232  Idle.exe
4040  Idle.exe
4656  Idle.exe
4664  Idle.exe
4044  Idle.exe
4312  Idle.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
pid / Process
1840  mspaint.exe
4880  OpenWith.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / Process / procid_target (identical rows are given once with their count)
PID 2396 wrote to memory of 1704  2396  SolaraBootstrapper.exe  86  (x3)
PID 2396 wrote to memory of 2076  2396  SolaraBootstrapper.exe  88  (x3)
PID 1704 wrote to memory of 4316  1704  DCRatBuild.exe  91  (x3)
PID 2076 wrote to memory of 1520  2076  SolaraBootstrapper.exe  94  (x2)
PID 4316 wrote to memory of 2160  4316  WScript.exe  95  (x3)
PID 2160 wrote to memory of 2148  2160  cmd.exe  97  (x2)
PID 2148 wrote to memory of 868  2148  bridgebrowserFont.exe  134  (x2)
PID 868 wrote to memory of 4292  868  cmd.exe  136  (x2)
PID 868 wrote to memory of 2100  868  cmd.exe  137  (x2)
PID 2100 wrote to memory of 1080  2100  Idle.exe  138  (x2)
PID 2100 wrote to memory of 836  2100  Idle.exe  139  (x2)
PID 2100 wrote to memory of 3736  2100  Idle.exe  143  (x2)
PID 3736 wrote to memory of 2416  3736  cmd.exe  145  (x2)
PID 1080 wrote to memory of 4400  1080  WScript.exe  146  (x2)
PID 4400 wrote to memory of 1472  4400  Idle.exe  148  (x2)
PID 4400 wrote to memory of 3580  4400  Idle.exe  149  (x2)
PID 4400 wrote to memory of 4312  4400  Idle.exe  150  (x2)
PID 4312 wrote to memory of 4556  4312  cmd.exe  152  (x2)
PID 3736 wrote to memory of 1424  3736  cmd.exe  153  (x2)
PID 1424 wrote to memory of 440  1424  Idle.exe  155  (x2)
PID 1424 wrote to memory of 2912  1424  Idle.exe  156  (x2)
PID 4312 wrote to memory of 4040  4312  cmd.exe  157  (x2)
PID 1472 wrote to memory of 4232  1472  WScript.exe  158  (x2)
PID 1424 wrote to memory of 2496  1424  Idle.exe  159  (x2)
PID 2496 wrote to memory of 2076  2496  cmd.exe  161  (x2)
PID 440 wrote to memory of 4656  440  WScript.exe  163  (x2)
PID 4656 wrote to memory of 5084  4656  Idle.exe  165  (x2)
PID 4656 wrote to memory of 4688  4656  Idle.exe  166  (x2)
PID 2496 wrote to memory of 4664  2496  cmd.exe  167  (x2)
PID 4656 wrote to memory of 4632  4656  Idle.exe  171  (x2)
System policy modification (1 TTPs, 18 IoCs)
description / ioc / Process
Every row is "Set value (int)" on a value under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ (value name, data, process):
EnableLUA = "0"  bridgebrowserFont.exe
ConsentPromptBehaviorAdmin = "0"  bridgebrowserFont.exe
PromptOnSecureDesktop = "0"  bridgebrowserFont.exe
ConsentPromptBehaviorAdmin = "0"  Idle.exe
PromptOnSecureDesktop = "0"  Idle.exe
EnableLUA = "0"  Idle.exe
EnableLUA = "0"  Idle.exe
ConsentPromptBehaviorAdmin = "0"  Idle.exe
EnableLUA = "0"  Idle.exe
EnableLUA = "0"  Idle.exe
ConsentPromptBehaviorAdmin = "0"  Idle.exe
PromptOnSecureDesktop = "0"  Idle.exe
EnableLUA = "0"  Idle.exe
ConsentPromptBehaviorAdmin = "0"  Idle.exe
PromptOnSecureDesktop = "0"  Idle.exe
PromptOnSecureDesktop = "0"  Idle.exe
ConsentPromptBehaviorAdmin = "0"  Idle.exe
PromptOnSecureDesktop = "0"  Idle.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\SolaraBootstrapper.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\bridgeChainsvc\ynBPrYHpb0rGVZHVTyIGwU9XZ.vbe"3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4316 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\bridgeChainsvc\nDhZWkZlJyEO.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\bridgeChainsvc\bridgebrowserFont.exe"C:\bridgeChainsvc\bridgebrowserFont.exe"5⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2148 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TQCIBmL527.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:4292
-
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"7⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2100 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e13df84e-abd8-435a-80b2-067ec8c16492.vbs"8⤵
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4400 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8218a83b-2988-4f7e-b0a9-091c7c7601ce.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4232
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5457a3b6-11f7-4aff-9a1b-deeca8d7ccf4.vbs"10⤵PID:3580
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:4556
-
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c35b61c7-f095-4b3a-98a8-3c3c907f02ed.vbs"8⤵PID:836
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"8⤵
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2416
-
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"9⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1424 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef732983-4cf3-44fb-ae2c-3f78f9d56828.vbs"10⤵
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"11⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4656 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83a8ff88-15e2-43a7-92a8-67387157f4ac.vbs"12⤵PID:5084
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"13⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4044 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a4fee81-79a5-47e3-bd4d-5f165f1e0f2e.vbs"14⤵PID:1720
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9070fd1-e6e5-41cc-848e-45bae0ca6d78.vbs"14⤵PID:4844
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6d8a7fe9-dbb2-48eb-a0f8-96911f97ad45.vbs"12⤵PID:4688
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"12⤵PID:4632
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:1928
-
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4312
-
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b65bcc87-431a-4f9f-a16f-97537da1f799.vbs"10⤵PID:2912
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"10⤵
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2076
-
-
C:\Users\Admin\Saved Games\Idle.exe"C:\Users\Admin\Saved Games\Idle.exe"11⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4664
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
  Depth: 2
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2076

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
  Command: "C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
  Depth: 3
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 1520
C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1196

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3152

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\WindowsPowerShell\lsass.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4656

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre-1.8\bin\server\RuntimeBroker.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3536

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Java\jre-1.8\bin\server\RuntimeBroker.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3548

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre-1.8\bin\server\RuntimeBroker.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2028

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4688

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4632

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\Idle.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3368

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3228

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2904

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2956

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\MoUsoCoreWorker.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1484

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "MoUsoCoreWorker" /sc ONLOGON /tr "'C:\Windows\addins\MoUsoCoreWorker.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3312

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "MoUsoCoreWorkerM" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\MoUsoCoreWorker.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2240

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4412

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1108

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\RemotePackages\RemoteDesktops\explorer.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4488

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4880

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4740

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\Registry.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1600

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3280

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2832

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4216

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3224

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4736

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4028

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4556

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4504

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 5056

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 4516

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2652

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\OfficeClickToRun.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3772

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 3100

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 2032

C:\Windows\system32\schtasks.exe
  Command: schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
  Depth: 1
  - Process spawned unexpected child process
  - Scheduled Task/Job: Scheduled Task
  PID: 1624
C:\Windows\System32\rundll32.exe
  Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  Depth: 1
  PID: 3360

C:\Windows\system32\mspaint.exe
  Command: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\ConvertUpdate.jpeg" /ForceBootstrapPaint3D
  Depth: 1
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1840

C:\Windows\System32\svchost.exe
  Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
  Depth: 1
  - Drops file in System32 directory
  PID: 3928

C:\Windows\system32\OpenWith.exe
  Command: C:\Windows\system32\OpenWith.exe -Embedding
  Depth: 1
  - Suspicious use of SetWindowsHookEx
  PID: 4880
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (2)
  Virtualization/Sandbox Evasion (1)
Downloads
- Filesize: 1KB
  MD5: 4a667f150a4d1d02f53a9f24d89d53d1
  SHA1: 306e125c9edce66f28fdb63e6c4ca5c9ad6e8c97
  SHA256: 414659decfd237dde09625a49811e03b5b30ee06ee2ee97ea8bcfac394d281fd
  SHA512: 4edd8e73ce03488a6d92750a782cd4042fbb54a5b3f8d8ba3ea227fda0653c2cd84f0c5d64976c7cdc1f518a2fdc8ff10e2a015ec7acf3cd01b0d62bc98542d8

- Filesize: 711B
  MD5: 5471f73c6c2b50c48d60354989750557
  SHA1: 64ad1a391e3e6ee25e4a025401447f0860b31f58
  SHA256: 2c6cd55dc17c2e0497026a3dbde4706ec59396eaed909953d62f689e0e63d232
  SHA512: 2d5b02755b53cb190854b8cded2168625d7954b572dce0c636257a8210cb8a3d0c1394e6fc4ed47e45daaf9472d213c779b96c62f1f41e7b2eeb849bc5661b64

- Filesize: 711B
  MD5: 48761047e736ccf9f9348beba25f16d6
  SHA1: fcb595d6bbcc2506b9eec9e76c6e22fde202f89f
  SHA256: fbd88ad24b723decf2250c003535c75c6745a92dc27394c5c3cd0885e53842c3
  SHA512: aa26786e764d69d8d2c397178ba2b456771d6190463c44a669319a66786e4dbc282c0c29bc49466d67775462439eea4cf9f2fd8203f4499a953016a02c5ad395

- Filesize: 711B
  MD5: 412020e434bfaf49090f75df5d563290
  SHA1: 181448ec97b5d621560913376aa662e44499222a
  SHA256: cc43433000044c32712e20d252ececa798d0b3a367eeed8bb1d87d1980d23144
  SHA512: 7ee7b6a5d1d6b3a9b04e9a603ee874d7719b4f3f7fd0e525248cf4e92e1235e2bdd0536e20c80c1a5b5c8291bc1ae2cdb8d7f308adaf04d1a55312cb85882abf

- Filesize: 3.8MB
  MD5: ac7ea6f1952a9c6ffded545097f283e2
  SHA1: 1fb8cc03c0f6492ada6d85efc02050bff041398a
  SHA256: 1b11cc0e9e5b2805295211c1511687fb909c349bcfe5b98a705dd18820b89704
  SHA512: 964c000d6ad3e7a74ca1123e230bb4ce79b19cacb6195b8728d791081ca6fd2ac0b483ed0ccee7e43fa19a566de6943f88a8274946eb4f795a33f4a622a586ef

- Filesize: 488KB
  MD5: 851fee9a41856b588847cf8272645f58
  SHA1: ee185a1ff257c86eb19d30a191bf0695d5ac72a1
  SHA256: 5e7faee6b8230ca3b97ce9542b914db3abbbd1cb14fd95a39497aaad4c1094ca
  SHA512: cf5c70984cf33e12cf57116da1f282a5bd6433c570831c185253d13463b0b9a0b9387d4d1bf4dddab3292a5d9ba96d66b6812e9d7ebc5eb35cb96eea2741348f

- Filesize: 37KB
  MD5: 4cf94ffa50fd9bdc0bb93cceaede0629
  SHA1: 3e30eca720f4c2a708ec53fd7f1ba9e778b4f95f
  SHA256: 50b2e46c99076f6fa9c33e0a98f0fe3a2809a7c647bb509066e58f4c7685d7e6
  SHA512: dc400518ef2f68920d90f1ce66fbb8f4dde2294e0efeecd3d9329aa7a66e1ab53487b120e13e15f227ea51784f90208c72d7fbfa9330d9b71dd9a1a727d11f98

- Filesize: 43KB
  MD5: 34ec990ed346ec6a4f14841b12280c20
  SHA1: 6587164274a1ae7f47bdb9d71d066b83241576f0
  SHA256: 1e987b22cd011e4396a0805c73539586b67df172df75e3dded16a77d31850409
  SHA512: b565015ca4b11b79ecbc8127f1fd40c986948050f1caefdd371d34ed2136af0aabf100863dc6fd16d67e3751d44ee13835ea9bf981ac0238165749c4987d1ae0

- Filesize: 139B
  MD5: d0104f79f0b4f03bbcd3b287fa04cf8c
  SHA1: 54f9d7adf8943cb07f821435bb269eb4ba40ccc2
  SHA256: 997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a
  SHA512: daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

- Filesize: 43B
  MD5: c28b0fe9be6e306cc2ad30fe00e3db10
  SHA1: af79c81bd61c9a937fca18425dd84cdf8317c8b9
  SHA256: 0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641
  SHA512: e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

- Filesize: 216B
  MD5: c2ab942102236f987048d0d84d73d960
  SHA1: 95462172699187ac02eaec6074024b26e6d71cff
  SHA256: 948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a
  SHA512: e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

- Filesize: 1KB
  MD5: 13babc4f212ce635d68da544339c962b
  SHA1: 4881ad2ec8eb2470a7049421047c6d076f48f1de
  SHA256: bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400
  SHA512: 40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

- Filesize: 695KB
  MD5: 195ffb7167db3219b217c4fd439eedd6
  SHA1: 1e76e6099570ede620b76ed47cf8d03a936d49f8
  SHA256: e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
  SHA512: 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

- Filesize: 133KB
  MD5: a0bd0d1a66e7c7f1d97aedecdafb933f
  SHA1: dd109ac34beb8289030e4ec0a026297b793f64a3
  SHA256: 79d7e45f8631e8d2541d01bfb5a49a3a090be72b3d465389a2d684680fee2e36
  SHA512: 2a50ae5c7234a44b29f82ebc2e3cfed37bf69294eb00b2dc8905c61259975b2f3a059c67aeab862f002752454d195f7191d9b82b056f6ef22d6e1b0bb3673d50

- Filesize: 5.2MB
  MD5: aead90ab96e2853f59be27c4ec1e4853
  SHA1: 43cdedde26488d3209e17efff9a51e1f944eb35f
  SHA256: 46cfbe804b29c500ebc0b39372e64c4c8b4f7a8e9b220b5f26a9adf42fcb2aed
  SHA512: f5044f2ee63906287460b9adabfcf3c93c60b51c86549e33474c4d7f81c4f86cd03cd611df94de31804c53006977874b8deb67c4bf9ea1c2b70c459b3a44b38d

- Filesize: 34B
  MD5: 0e2184f1c7464b6617329fb18f107b4f
  SHA1: 6f22f98471e33c9db10d6f6f1728e98852e25b8f
  SHA256: dbf5f44e1b84a298dbbcad3c31a617d2f6cfa08eb5d16e05a5c28726c574d4eb
  SHA512: 8e745c0215d52e15702551f29efb882a5eba97b5f279ccc29293b1a9b1b8661bf71b548569f9a99fa35c35a15d1b6b288d3c381c1292418c36dc89e2fa0b3a37

- Filesize: 4.2MB
  MD5: f71b342220b8f8935abe5ea0b1e5f30c
  SHA1: a70d41dbc456d548e790af717575b1f83e3f38b5
  SHA256: dec8c51c89452b183201e58e4cfceffb0924c4c1f7729841a739086711ff021f
  SHA512: d6ba2d0eecb2bd70ea727c7bd86cce75fe535e4a7688eb6fc6334e30f568d24d0b6661b8873ddb88c1bb75dbf772fae215b101545ff85e6461a2b05b85dfe05f

- Filesize: 90KB
  MD5: d84e7f79f4f0d7074802d2d6e6f3579e
  SHA1: 494937256229ef022ff05855c3d410ac3e7df721
  SHA256: dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227
  SHA512: ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260

- Filesize: 522KB
  MD5: e31f5136d91bad0fcbce053aac798a30
  SHA1: ee785d2546aec4803bcae08cdebfd5d168c42337
  SHA256: ee94e2201870536522047e6d7fe7b903a63cd2e13e20c8fffc86d0e95361e671
  SHA512: a1543eb1d10d25efb44f9eaa0673c82bfac5173055d04c0f3be4792984635a7c774df57a8e289f840627754a4e595b855d299070d469e0f1e637c3f35274abe6

- Filesize: 99KB
  MD5: 7a2b8cfcd543f6e4ebca43162b67d610
  SHA1: c1c45a326249bf0ccd2be2fbd412f1a62fb67024
  SHA256: 7d7ca28235fba5603a7f40514a552ac7efaa67a5d5792bb06273916aa8565c5f
  SHA512: e38304fb9c5af855c1134f542adf72cde159fab64385533eafa5bb6e374f19b5a29c0cb5516fc5da5c0b5ac47c2f6420792e0ac8ddff11e749832a7b7f3eb5c8

- Filesize: 113KB
  MD5: 75365924730b0b2c1a6ee9028ef07685
  SHA1: a10687c37deb2ce5422140b541a64ac15534250f
  SHA256: 945e7f5d09938b7769a4e68f4ef01406e5af9f40db952cba05ddb3431dd1911b
  SHA512: c1e31c18903e657203ae847c9af601b1eb38efa95cb5fa7c1b75f84a2cba9023d08f1315c9bb2d59b53256dfdb3bac89930252138475491b21749471adc129a1

- Filesize: 13KB
  MD5: 6557bd5240397f026e675afb78544a26
  SHA1: 839e683bf68703d373b6eac246f19386bb181713
  SHA256: a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239
  SHA512: f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

- Filesize: 200B
  MD5: b3b5ed925c7ecd79002f3dd29f0e01f1
  SHA1: c951817da294b42acfa76c4d3a558df2ac55e089
  SHA256: 3de6992dd5afb5aa98e9f7cc79af034d00e18ce295d972f036dad548ea8ba9ab
  SHA512: 315f1ac2169b40332b417494d5cbb3f535b7c219aefef19b42abce83c370a51796168808ea309881a449dc81017b6130f25c3639c926e496b2a8b2779fba5c5d

- Filesize: 487B
  MD5: 4ce81cc859b3b25c344b6825a7dbce12
  SHA1: 1940e75e511d2326daf042c936022f758b5964f0
  SHA256: 585155355da6bc3f2d0830fa5b6fc118d82027a6f58fa42dcc64ff79b93fe949
  SHA512: 03f79305a14c1019dbb350ca5a8fbf9141fc2555450b9a411bbe1f182f0b7900c2128cfd294034b4de6d8e6f303913083e1e17d94771f921cce14bc969b6b8ec

- Filesize: 711B
  MD5: 0f5893f7246fe44be025c9cc75181a7e
  SHA1: dad989a1277b0755c0df10fab98ac86dd08ca1ab
  SHA256: fa1584a7385bb0588750cd110af9c1e272b10b737744484e2b3d9edfcce347ab
  SHA512: a9da85deb0dd69ad7ffbc0c2df78dac67bb3752f85fc21250fc944b4590cb94408f61ec180756bcfc33085a02667a957c6fd2ad8527ad5c51bcdbfddcb52d14e

- Filesize: 711B
  MD5: bdbd524e40e955ee5bbec1b327d796b9
  SHA1: 361298b120e999cfeefffdc11d4c97bc7253a5af
  SHA256: 2df74e9513f4a9a584005c752f2645f5c7006f477d0ad7da5ccbdc52834df086
  SHA512: 53ac7721c33de1831a4d1557d2291fa357cc2be9f418a9d6d6a3ccd6a9fcad8be420a236175349126c3a57dee2b4b15a5bf57a6683dff1394369182ab6bc9d6b

- Filesize: 200B
  MD5: 9d916e08116f4974b147e2bf334905c3
  SHA1: cada6e5bb84a60679b90d28eb5cc50ade1c4d3b8
  SHA256: 211222d82217c76ddf8ccc3d41a3efce1415c90d9e0d0680cd6d3dc5a5a6c6dd
  SHA512: 43cd986ee69c5ec42ca492fc8487af264e199de6b1cf9d439cf3ebcbc52739f6e6b3fb0bf252cc757b4e573045d213e2cf18c82e1889ca363ac254c0a3484eb5

- Filesize: 200B
  MD5: 423a749790ca69e98ca385ae0478073a
  SHA1: 7436de94b38a3958b0bc6550ebf9f1d92103f498
  SHA256: 83cb7230328b7792258678a48cd65c92261e1cc66c12e1bce100c2b49f932d76
  SHA512: 8b3f5d804b1e9895f034476fad322f5baf67681bcb3215abe2d712320e94e7dfdde523fe49fede410e4aba5dfdc96b756180426f156c1583ed47c9329805a261

- Filesize: 200B
  MD5: 080b1c08eb3d3e3c2d181e36e5b2a5aa
  SHA1: 198319923426003ac51f1702a642debd4285b635
  SHA256: 8f5ed1595f5cfd012cc0ca404e348b6f260eafb900b03c2277d7d764d2ca296d
  SHA512: fd583d29136df07780ef1ddcbd35aba8dfe90232611440f0298c55261d4fc570a2eac1d5d47b747234ba11b4fa791e8cc784353b00d59eaf2a122f3af7437084

- Filesize: 200B
  MD5: 4ddb953176a81eb25406bc0899918baa
  SHA1: a0121fc7f9468bc2549d73c0fd01be679400b2a1
  SHA256: b16b1a8cf7be570d1fd56fd7e2bce1f0567b22a10aa99d8cf2fbbc88627be989
  SHA512: 385e1d0d6ff585676dcecf5152e5ccc0da169cbe4ba92ee514121ecf1e7fce557c94783e44167933ff6d3907360f8198d659477b4a82119ede83a24829666a10

- Filesize: 3.5MB
  MD5: 465620a95a01b3dec2415522ec5177a8
  SHA1: 54318e9baafead2d79d33b1486f7cd766dae4574
  SHA256: 765d071ffdca507a3d8d95077b36133051bc0177b9928cc02daddc3bd216cea3
  SHA512: 9ba068ddc64c7eb15eedf628eba23196ccf6a11efc1ee13de95a29477820509beff96a49c2d92207f0501f66f1bc413955e2de48bc12d81b57fa70c5bc27de27

- Filesize: 41B
  MD5: 4061dbe3e62277593371c237a23a7d47
  SHA1: 8a5cedfa5f14dfb48d037b0aaf8b2985113b7d8e
  SHA256: d80ee6aed5b1fab9709e19cfa35c071859ce80f58021d4389b0a751e6f78dd22
  SHA512: cb16bfa29fe059d1d771c53bd7e3e24ecebb38044b8642ac043e052843e46c27ec3988c8a6b7ecae65b8095a33de35009512514f48762ff2bc23cbef396605cf

- Filesize: 203B
  MD5: b8859a57b36802480a471ea20554a2f5
  SHA1: 0296f757bf7e952d7bff605bd2e0237bb13ecb59
  SHA256: c30fc00d5cc6a249fa1e8179d06a8aa4c278936c8f6d8bc6ac17ad8b0a019d16
  SHA512: 084f06faf410869285161912ac77ab29b62a7ebfa777d2cf5c3bf51252dc875f93c847b56a22cf02ffcacff878516cad2a5869954153474d5da1e2c3d37d5b8b