Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

bb378eeb65...2d.exe

windows7-x64

10

bb378eeb65...2d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230621-en
  • resource tags

    arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
  • submitted
    03/07/2023, 15:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb378eeb6557e9441a1b77daaf259b2d.exe

  • Size

    1.3MB

  • MD5

    bb378eeb6557e9441a1b77daaf259b2d

  • SHA1

    d70dbe4af5e6f910c842bd71683bcb7e7a6b3e70

  • SHA256

    9eaab4bb7e5d22ea0c333513a0516b9535b45feeaf05cbc6714fbf8823cbcbbc

  • SHA512

    7fd54487ee6529dec1a2a50bb9d60af79c64e1f9a0aab3d0fbb1772185524cb6444a906cb3022183e17c2aa4a0897e8d2e163536c4fded5ffe742ad2b0b77bca

  • SSDEEP

    24576:FZXxCOFbh94+AkAUewXW4DFfepe8YT3f6j7ynSS52qs:FPCOFU+ewJfeg8Y2j2nh52

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 25 IoCs
    persistence
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 6 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 50 IoCs
    persistence
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb378eeb6557e9441a1b77daaf259b2d.exe
    "C:\Users\Admin\AppData\Local\Temp\bb378eeb6557e9441a1b77daaf259b2d.exe"
    1⤵
    • DcRat
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Users\Admin\AppData\Local\Temp\bb378eeb6557e9441a1b77daaf259b2d.exe
      "C:\Users\Admin\AppData\Local\Temp\bb378eeb6557e9441a1b77daaf259b2d.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1940
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1552
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    PID:1068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\lsm.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:980
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\lsm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    PID:1412
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\lsm.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    PID:1328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1340
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1708
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:880
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    PID:1416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:876
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\ehome\wow\ja-JP\csrss.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1508
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ehome\wow\ja-JP\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\ehome\wow\ja-JP\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1108
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    PID:1840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1308
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\291e1a42-1054-11ee-8655-fabf500b3286\smss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\291e1a42-1054-11ee-8655-fabf500b3286\smss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\291e1a42-1054-11ee-8655-fabf500b3286\smss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\explorer.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1976
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1160
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1780
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    PID:1636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    PID:864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1156
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    PID:860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:840
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\wininit.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\wininit.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fr-FR\explorer.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\explorer.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1328
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\fr-FR\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1704
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\Corporate\winlogon.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Corporate\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1748
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1544
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Creates scheduled task(s)
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Creates scheduled task(s)
    PID:1632
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
    1⤵
    • DcRat
    • Creates scheduled task(s)
    PID:1232
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Creates scheduled task(s)
    PID:316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Creates scheduled task(s)
    PID:2000
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\291e1a42-1054-11ee-8655-fabf500b3286\WmiPrvSE.exe'" /f
    1⤵
    • Creates scheduled task(s)
    PID:996
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\291e1a42-1054-11ee-8655-fabf500b3286\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Creates scheduled task(s)
    PID:1292
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\291e1a42-1054-11ee-8655-fabf500b3286\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Creates scheduled task(s)
    PID:2024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\lsass.exe'" /f
    1⤵
    • DcRat
    • Creates scheduled task(s)
    PID:1068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\lsass.exe'" /rl HIGHEST /f
    1⤵
      PID:876
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\lsass.exe'" /rl HIGHEST /f
      1⤵
      • DcRat
      • Creates scheduled task(s)
      PID:840

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe
      Filesize

      1.3MB

      MD5

      bb378eeb6557e9441a1b77daaf259b2d

      SHA1

      d70dbe4af5e6f910c842bd71683bcb7e7a6b3e70

      SHA256

      9eaab4bb7e5d22ea0c333513a0516b9535b45feeaf05cbc6714fbf8823cbcbbc

      SHA512

      7fd54487ee6529dec1a2a50bb9d60af79c64e1f9a0aab3d0fbb1772185524cb6444a906cb3022183e17c2aa4a0897e8d2e163536c4fded5ffe742ad2b0b77bca

      Download Submit

    • C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wininit.exe
      Filesize

      1.3MB

      MD5

      bb378eeb6557e9441a1b77daaf259b2d

      SHA1

      d70dbe4af5e6f910c842bd71683bcb7e7a6b3e70

      SHA256

      9eaab4bb7e5d22ea0c333513a0516b9535b45feeaf05cbc6714fbf8823cbcbbc

      SHA512

      7fd54487ee6529dec1a2a50bb9d60af79c64e1f9a0aab3d0fbb1772185524cb6444a906cb3022183e17c2aa4a0897e8d2e163536c4fded5ffe742ad2b0b77bca

      Download Submit

    • C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe
      Filesize

      1.3MB

      MD5

      bb378eeb6557e9441a1b77daaf259b2d

      SHA1

      d70dbe4af5e6f910c842bd71683bcb7e7a6b3e70

      SHA256

      9eaab4bb7e5d22ea0c333513a0516b9535b45feeaf05cbc6714fbf8823cbcbbc

      SHA512

      7fd54487ee6529dec1a2a50bb9d60af79c64e1f9a0aab3d0fbb1772185524cb6444a906cb3022183e17c2aa4a0897e8d2e163536c4fded5ffe742ad2b0b77bca

      Download Submit

    • memory/1308-58-0x000000001A920000-0x000000001A9A0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1308-57-0x0000000000460000-0x0000000000472000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1308-59-0x0000000000580000-0x000000000058E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1308-54-0x0000000000C90000-0x0000000000DE0000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1308-56-0x00000000008C0000-0x00000000008D6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/1308-55-0x00000000003C0000-0x00000000003DC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1568-118-0x0000000000F60000-0x00000000010B0000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1568-119-0x00000000001C0000-0x00000000001D2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1568-120-0x000000001AF50000-0x000000001AFD0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1568-121-0x000000001AF50000-0x000000001AFD0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1764-76-0x0000000000440000-0x0000000000452000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1764-77-0x000000001AFE0000-0x000000001B060000-memory.dmp

      Filesize

      512KB

      Download