Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

f554f85e09...22.exe

windows7-x64

10

f554f85e09...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    12/10/2023, 13:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522.exe

  • Size

    2.5MB

  • MD5

    e71b100ba4895671392bebdb6940b58a

  • SHA1

    3f0cc8aad3fa8041b5ba40ac4c3e9d9d2d909d25

  • SHA256

    f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522

  • SHA512

    24d99c32e2b275aa2554225932e73c319169cbe87811ab4d08861e44a43f0e7984690e1e83200405321062680d7ec679eea7ab7d09b633700b1edcf73dc68191

  • SSDEEP

    49152:UbA30JB27p9ftg4mUnKbgHns5D6RL1gVHrl+ZraG9LOgwddVyB7pe:Ub3a9fmbgMN8qLYxasqDncq

Score
10/10
dcratinfostealerrat

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 64 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 11 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 16 IoCs
  • Drops file in Windows directory 10 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522.exe
    "C:\Users\Admin\AppData\Local\Temp\f554f85e09589b01fd0b4280b8446e4c28300e699676ca4c1a1bac3342b48522.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2452
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Webreviewcrt\ipDh6jR2mcTwtep.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2184
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Webreviewcrt\kcPcB.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2656
        • C:\Webreviewcrt\bridgeComComponent.exe
          "C:\Webreviewcrt\bridgeComComponent.exe"
          4⤵
          • DcRat
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2912
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jPdVSuzNYv.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1488
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1872
              • C:\Webreviewcrt\bridgeComComponent.exe
                "C:\Webreviewcrt\bridgeComComponent.exe"
                6⤵
                • Executes dropped EXE
                • Drops file in Program Files directory
                • Drops file in Windows directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:1464
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zO3ul9mHmD.bat"
                  7⤵
                  • Suspicious use of WriteProcessMemory
                  PID:560
                  • C:\Windows\system32\w32tm.exe
                    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
                    8⤵
                      PID:1928
                    • C:\Users\Default User\WmiPrvSE.exe
                      "C:\Users\Default User\WmiPrvSE.exe"
                      8⤵
                      • Executes dropped EXE
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1624
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Webreviewcrt\file.vbs"
          2⤵
            PID:2816
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Webreviewcrt\sppsvc.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2580
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Webreviewcrt\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:3028
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Webreviewcrt\sppsvc.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1192
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\smss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:1652
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2692
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\smss.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          PID:2848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\More Games\es-ES\conhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2160
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\More Games\es-ES\conhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1620
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\More Games\es-ES\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1644
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\taskhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:880
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\twain_32\taskhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:660
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\twain_32\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:304
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\twain_32\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2572
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\dwm.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2236
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          PID:2592
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:1756
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2888
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\conhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2284
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2276
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1992
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2868
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2272
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2600
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\AppCompat\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:624
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\AppCompat\Idle.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:440
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2348
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2404
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\taskhost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:344
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\conhost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2924
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:940
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\conhost.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1808
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3036
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1340
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1380
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2408
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:3068
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Webreviewcrt\winlogon.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2976
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Webreviewcrt\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3012
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Webreviewcrt\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2456
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:460
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1712
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:1728
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\System.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3052
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Videos\System.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          PID:2984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\System.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2184
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2716
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2872
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2676
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-US\csrss.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2996
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1200
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2836
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2980
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1052
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1936
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\DigitalLocker\es-ES\winlogon.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2708
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\es-ES\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:3000
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\smss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1204
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          PID:2844
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\5ccd98e2-489c-11ee-919d-62b3d3f2749b\smss.exe'" /rl HIGHEST /f
          1⤵
          • Creates scheduled task(s)
          PID:1184
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Webreviewcrt\Idle.exe'" /f
          1⤵
          • Creates scheduled task(s)
          PID:2100
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Webreviewcrt\Idle.exe'" /rl HIGHEST /f
          1⤵
            PID:540
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Webreviewcrt\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            • Creates scheduled task(s)
            PID:1956
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
            1⤵
            • Creates scheduled task(s)
            PID:1884
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
            1⤵
            • DcRat
            PID:1800
          • C:\Windows\system32\schtasks.exe
            schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
            1⤵
              PID:1752
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:2848
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
              1⤵
              • DcRat
              • Creates scheduled task(s)
              PID:1164
            • C:\Windows\system32\schtasks.exe
              schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
              1⤵
                PID:1548
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Webreviewcrt\WmiPrvSE.exe'" /f
                1⤵
                • DcRat
                • Creates scheduled task(s)
                PID:1652
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Webreviewcrt\WmiPrvSE.exe'" /rl HIGHEST /f
                1⤵
                • DcRat
                • Creates scheduled task(s)
                PID:276
              • C:\Windows\system32\schtasks.exe
                schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Webreviewcrt\WmiPrvSE.exe'" /rl HIGHEST /f
                1⤵
                  PID:1952
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
                  1⤵
                  • Creates scheduled task(s)
                  PID:1368
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                  1⤵
                  • Creates scheduled task(s)
                  PID:2512
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Creates scheduled task(s)
                  PID:2908
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Webreviewcrt\csrss.exe'" /f
                  1⤵
                  • DcRat
                  • Creates scheduled task(s)
                  PID:2360
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Webreviewcrt\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  PID:2660
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Webreviewcrt\csrss.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  PID:1756
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Cookies\WmiPrvSE.exe'" /f
                  1⤵
                  • DcRat
                  PID:624
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f
                  1⤵
                  • DcRat
                  • Creates scheduled task(s)
                  PID:2280
                • C:\Windows\system32\schtasks.exe
                  schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\WmiPrvSE.exe'" /rl HIGHEST /f
                  1⤵
                    PID:1776

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Program Files\Microsoft Games\More Games\es-ES\conhost.exe
                    Filesize

                    2.2MB

                    MD5

                    3905ef3502b9ddbda1c2b244450b672a

                    SHA1

                    73ab0e08aae09d3248d47d387b5c971a72e46abd

                    SHA256

                    8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

                    SHA512

                    8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\CabF7D.tmp
                    Filesize

                    61KB

                    MD5

                    f3441b8572aae8801c04f3060b550443

                    SHA1

                    4ef0a35436125d6821831ef36c28ffaf196cda15

                    SHA256

                    6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

                    SHA512

                    5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\TarF9F.tmp
                    Filesize

                    163KB

                    MD5

                    9441737383d21192400eca82fda910ec

                    SHA1

                    725e0d606a4fc9ba44aa8ffde65bed15e65367e4

                    SHA256

                    bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

                    SHA512

                    7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\jPdVSuzNYv.bat
                    Filesize

                    203B

                    MD5

                    d07efab75877877a538691b284da1950

                    SHA1

                    473b03888b4b81de64496ab13650ca44d0975e59

                    SHA256

                    1a4c0cb612c475e8e4a4e38259d87766f092fb49406da5c3c2dec685c96c893c

                    SHA512

                    ab1225a10769318514d79bc02cc8a1394066ad40be4e631968479db1d27d0e570df59633a0d34d34bb8aef08ecf309dc8f45390e5fbda2b502b80eacb3c2d4a1

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\zO3ul9mHmD.bat
                    Filesize

                    199B

                    MD5

                    80a6e70afaeac7df5e9019743e33d729

                    SHA1

                    9819a67870c5b6af8541121dc522ecf7b458e53c

                    SHA256

                    7e6a15dd863ccdbc84bc94492158ac97bcbdbbfa17ce2a4a77c9478fb41e6d24

                    SHA512

                    1c3fa03360ea8c364c2d1be8dba4d4b613228407bff3a0a587fd048152638b19c461491e6f5cbdc15ee7fb7644e73aa9c8293dcdc263cb45c45cc937c0d55a9c

                    Download Submit

                  • C:\Users\Default User\WmiPrvSE.exe
                    Filesize

                    2.2MB

                    MD5

                    3905ef3502b9ddbda1c2b244450b672a

                    SHA1

                    73ab0e08aae09d3248d47d387b5c971a72e46abd

                    SHA256

                    8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

                    SHA512

                    8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

                    Download Submit

                  • C:\Users\Default\WmiPrvSE.exe
                    Filesize

                    2.2MB

                    MD5

                    3905ef3502b9ddbda1c2b244450b672a

                    SHA1

                    73ab0e08aae09d3248d47d387b5c971a72e46abd

                    SHA256

                    8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

                    SHA512

                    8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

                    Download Submit

                  • C:\Webreviewcrt\bridgeComComponent.exe
                    Filesize

                    2.2MB

                    MD5

                    3905ef3502b9ddbda1c2b244450b672a

                    SHA1

                    73ab0e08aae09d3248d47d387b5c971a72e46abd

                    SHA256

                    8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

                    SHA512

                    8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

                    Download Submit

                  • C:\Webreviewcrt\bridgeComComponent.exe
                    Filesize

                    2.2MB

                    MD5

                    3905ef3502b9ddbda1c2b244450b672a

                    SHA1

                    73ab0e08aae09d3248d47d387b5c971a72e46abd

                    SHA256

                    8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

                    SHA512

                    8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

                    Download Submit

                  • C:\Webreviewcrt\bridgeComComponent.exe
                    Filesize

                    2.2MB

                    MD5

                    3905ef3502b9ddbda1c2b244450b672a

                    SHA1

                    73ab0e08aae09d3248d47d387b5c971a72e46abd

                    SHA256

                    8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

                    SHA512

                    8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

                    Download Submit

                  • C:\Webreviewcrt\file.vbs
                    Filesize

                    34B

                    MD5

                    677cc4360477c72cb0ce00406a949c61

                    SHA1

                    b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

                    SHA256

                    f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

                    SHA512

                    7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

                    Download Submit

                  • C:\Webreviewcrt\ipDh6jR2mcTwtep.vbe
                    Filesize

                    194B

                    MD5

                    fc850c6d24758438279181729066a815

                    SHA1

                    f3145e372180f4116efb393aee5dd529c726fb52

                    SHA256

                    0b23b06e5c8bc58f169f794bf9730566ce19ec5be3194bd38fd153493e7f6bc6

                    SHA512

                    9a094a0bf414279ffe512ab2926c5bd6250ce5832534297138b468ea238355b30f1928ff062bf5f1a0bd17f97750276c7fde4eba2dda575f09df7570492362d4

                    Download Submit

                  • C:\Webreviewcrt\kcPcB.bat
                    Filesize

                    40B

                    MD5

                    5fa60759170284b04b907dede9ec02fc

                    SHA1

                    a642c3173654b61888e6d523a16406201054964d

                    SHA256

                    738a5ee2597722bce53cc2137b528873aee86a3b52ccc162de3ac4e8f234f99c

                    SHA512

                    19ced211450f2201611f4b56ff3f29426f5173444791ddec7e87b1a32e089cffd5540c319371aa01b6fff0ee37151e41be0afb7c2923869bfda525e1edd6a585

                    Download Submit

                  • \Webreviewcrt\bridgeComComponent.exe
                    Filesize

                    2.2MB

                    MD5

                    3905ef3502b9ddbda1c2b244450b672a

                    SHA1

                    73ab0e08aae09d3248d47d387b5c971a72e46abd

                    SHA256

                    8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

                    SHA512

                    8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

                    Download Submit

                  • \Webreviewcrt\bridgeComComponent.exe
                    Filesize

                    2.2MB

                    MD5

                    3905ef3502b9ddbda1c2b244450b672a

                    SHA1

                    73ab0e08aae09d3248d47d387b5c971a72e46abd

                    SHA256

                    8c7e3ca7aac4dde3e7716fc99e598ac064ddf35825d626047d4f0536460aee16

                    SHA512

                    8cce2524b997cf9231c37f07c257238d8e0c7547a1fad8a4fa8d0c4cb0cec4276db327a200a34a15926e563e0a79df910639f3f0ec14e7a2b127f91dc975c648

                    Download Submit

                  • memory/1464-100-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1464-62-0x000007FEF53D0000-0x000007FEF5DBC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1464-64-0x000000001AF20000-0x000000001AFA0000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/1464-63-0x0000000000320000-0x0000000000558000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/1624-104-0x000000001B410000-0x000000001B490000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/1624-103-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1624-141-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/1624-106-0x000000001B410000-0x000000001B490000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/1624-105-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2912-23-0x00000000005E0000-0x0000000000636000-memory.dmp

                    Filesize

                    344KB

                    Download

                  • memory/2912-21-0x00000000003B0000-0x00000000003CC000-memory.dmp

                    Filesize

                    112KB

                    Download

                  • memory/2912-20-0x000000001B230000-0x000000001B2B0000-memory.dmp

                    Filesize

                    512KB

                    Download

                  • memory/2912-22-0x0000000000430000-0x0000000000446000-memory.dmp

                    Filesize

                    88KB

                    Download

                  • memory/2912-26-0x0000000000630000-0x0000000000638000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/2912-24-0x00000000003D0000-0x00000000003DE000-memory.dmp

                    Filesize

                    56KB

                    Download

                  • memory/2912-25-0x0000000000450000-0x0000000000458000-memory.dmp

                    Filesize

                    32KB

                    Download

                  • memory/2912-19-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download

                  • memory/2912-18-0x0000000000A00000-0x0000000000C38000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/2912-60-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

                    Filesize

                    9.9MB

                    Download