Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

NeverCry.exe

windows7-x64

10

NeverCry.exe

windows10-2004-x64

10

Resubmissions

15/06/2024, 10:59

240615-m3p8es1hnj 10

Analysis

  • max time kernel
    92s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/06/2024, 10:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NeverCry.exe

  • Size

    1.6MB

  • MD5

    7d90121240d8da918d6370c81f6649f7

  • SHA1

    d3e344ce25305e9168790f462698d9cbc90b23d3

  • SHA256

    689100d4db441ae245b7b6edc85cb739c15ab3a972653483c122ba174032b2db

  • SHA512

    d9675eba8aacf2d876400d9d4e22ae4f2af666ee1b72aa21a36b5f7e1518111ccf434e6a5cc08ae3f52fce4855b7baf90037614e358b2df392a2e20f3db9a319

  • SSDEEP

    24576:P2G/nvxW3WY0eWu+KIrnB46Yz5R6jIdQX4FcixLckFcBtcuuGzdxX7p1W0ppwl+b:PbA3cnjB4xZi0NGtcuzdV7pLrA+GkeMB

Score
10/10
dcratevasioninfostealerrattrojan

Malware Config

Signatures

  • DcRat 64 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Process spawned unexpected child process 60 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 9 IoCs
    evasiontrojan
  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Disables Task Manager via registry modification
    evasion
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
    evasiontrojan
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 60 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 9 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\NeverCry.exe
    "C:\Users\Admin\AppData\Local\Temp\NeverCry.exe"
    1⤵
    • DcRat
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3676
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\bridgeCrtSvc\bu6kJS9oJYsl2T.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:396
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\bridgeCrtSvc\GTiPrhC1SOxhlaDLKOjzQ7laPK17.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:744
        • C:\bridgeCrtSvc\ProviderDrivercommon.exe
          "C:\bridgeCrtSvc\ProviderDrivercommon.exe"
          4⤵
          • DcRat
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4364
          • C:\bridgeCrtSvc\ProviderDrivercommon.exe
            "C:\bridgeCrtSvc\ProviderDrivercommon.exe"
            5⤵
            • UAC bypass
            • Checks computer location settings
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Drops file in Program Files directory
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2920
            • C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe
              "C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe"
              6⤵
              • UAC bypass
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:4968
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:4288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\winlogon.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4684
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3016
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\winlogon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2504
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1768
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4020
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3416
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4164
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\sihost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\services.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\NetHood\services.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2812
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:988
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1272
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4012
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2900
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1348
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4392
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\Adobe\RuntimeBroker.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3668
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:332
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3744
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:628
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\System.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\System.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\System.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:820
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4548
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4496
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\TextInputHost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5064
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3788
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\lua\extensions\TextInputHost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1984
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Experiences\dllhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Experiences\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\SystemApps\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\Experiences\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4512
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\sysmon.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1288
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\sysmon.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\apppatch\en-US\dllhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\apppatch\en-US\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2284
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\apppatch\en-US\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:2680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1028
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\apppatch\en-US\System.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1596
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\apppatch\en-US\System.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4868
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\apppatch\en-US\System.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Registry.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4372
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Common Files\Registry.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:3200
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Registry.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:1336
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4400
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:5076
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Saved Games\fontdrvhost.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4048
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe'" /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:524
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:4472
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\RuntimeBroker.exe'" /rl HIGHEST /f
    1⤵
    • DcRat
    • Process spawned unexpected child process
    • Creates scheduled task(s)
    PID:644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ProviderDrivercommon.exe.log
    Filesize

    1KB

    MD5

    7f3c0ae41f0d9ae10a8985a2c327b8fb

    SHA1

    d58622bf6b5071beacf3b35bb505bde2000983e3

    SHA256

    519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

    SHA512

    8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

    Download Submit

  • C:\bridgeCrtSvc\GTiPrhC1SOxhlaDLKOjzQ7laPK17.bat
    Filesize

    154B

    MD5

    8f6eddc9e68bb024acc01c2a7c37dad9

    SHA1

    c9ae400b119f35f83f300cff443d93264b4bb690

    SHA256

    d95e79a6458989d2ab852e27afd0b2f59150e3fc84d088d8cbb7ab5830ff7e92

    SHA512

    7b3db4ffb023c50e0357387b71031c68e5dfa50dfbbb21c71722678f00a87cbd8ecaa2713eb888fd480caa2b8cf9d86732ecc24a0c477e5705dd2ea90f236a4b

    Download Submit

  • C:\bridgeCrtSvc\ProviderDrivercommon.exe
    Filesize

    1.3MB

    MD5

    7c4388597e78e4d04ab3e4ec7f807b28

    SHA1

    b11da9555e2e46c8208f0f29d46fb77c98854304

    SHA256

    18ce4b699fa9cb509c3332d5303fe146551938c502f1c32158efaa04121d54af

    SHA512

    73fedc015eb64426664b673e16b01d8a6d29c8b5e71439fb2d88f0876ea52d4a59e6e54145cc6e070ebc6dcfa0b400dfb07d8ade9d40a9351b5cdcf6dcfc9451

    Download Submit

  • C:\bridgeCrtSvc\bu6kJS9oJYsl2T.vbe
    Filesize

    217B

    MD5

    5319b8577089dc9ecb3447b40ba0cc74

    SHA1

    7d1ac12cd64ac34823d1241398a280d508a58f3d

    SHA256

    773dda731c426cb77049507f2510feb8089ceff036855cc3c45a20a6bb4d14e1

    SHA512

    43abcd455730491a9ea9d4669d00eb881b5a3d4378d60baa2eb4b997ce12e7df9c18bc22835cb34846b5b80d8e892cbdda884188ff97a88a3b3536c8b5cbd205

    Download Submit

  • memory/2920-38-0x000000001AE70000-0x000000001AE82000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4364-17-0x00000000029A0000-0x00000000029B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4364-21-0x000000001B2B0000-0x000000001B2BA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4364-16-0x0000000001070000-0x0000000001078000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4364-14-0x0000000001050000-0x0000000001058000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4364-18-0x00000000029B0000-0x00000000029BC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4364-19-0x0000000002990000-0x0000000002998000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4364-20-0x000000001B2A0000-0x000000001B2B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4364-15-0x0000000002970000-0x0000000002986000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4364-22-0x000000001B2C0000-0x000000001B2CC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4364-23-0x000000001B2D0000-0x000000001B2D8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4364-24-0x000000001B2E0000-0x000000001B2EC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4364-13-0x00000000005E0000-0x0000000000738000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4364-12-0x00007FFB3C223000-0x00007FFB3C225000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4968-79-0x000000001BBF0000-0x000000001BC02000-memory.dmp

    Filesize

    72KB

    Download