Analysis
-
max time kernel
140s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
28-12-2022 09:20
Behavioral task
behavioral1
Sample
HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
Resource
win10v2004-20220812-en
General
-
Target
HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe
-
Size
1.2MB
-
MD5
946561b2f63d2ad390352bcdb1dfc26f
-
SHA1
e4236fcae840fa1474fc69e1b181710f7cc1bbce
-
SHA256
1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02
-
SHA512
52492ef2e416d4034dad425551ddf4bff99e52210ca39babfe7da6844c5dcf8371b35d511f6e9f06ca78889cebe93d6bb1642dddc06c3db8597c210dd1fe00a3
-
SSDEEP
24576:linPXeVB3y6h9Q7T3UlJkbuIkpcJwOUP49sVz:ry6XxkbnEP1
Malware Config
Signatures
-
DcRat 50 IoCs
DarkCrystal (DCRat) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
description ioc pid Process 4868 schtasks.exe 4904 schtasks.exe 3068 schtasks.exe 1116 schtasks.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 1624 schtasks.exe 2748 schtasks.exe 4912 schtasks.exe 1844 schtasks.exe 3180 schtasks.exe 3540 schtasks.exe 4084 schtasks.exe 4160 schtasks.exe 1748 schtasks.exe 2140 schtasks.exe 4992 schtasks.exe 3964 schtasks.exe 724 schtasks.exe 3400 schtasks.exe 3272 schtasks.exe 3356 schtasks.exe 2056 schtasks.exe 2860 schtasks.exe 5040 schtasks.exe 3192 schtasks.exe 4176 schtasks.exe 208 schtasks.exe 1692 schtasks.exe 5064 schtasks.exe 3452 schtasks.exe 2652 schtasks.exe 220 schtasks.exe 1684 schtasks.exe 3040 schtasks.exe 4932 schtasks.exe 4816 schtasks.exe 3524 schtasks.exe 3592 schtasks.exe 3368 schtasks.exe 4224 schtasks.exe 4964 schtasks.exe 1036 schtasks.exe 2340 schtasks.exe 4876 schtasks.exe 1792 schtasks.exe 3556 schtasks.exe File created C:\Windows\ja-JP\886983d96e3d3e HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 3320 schtasks.exe 416 schtasks.exe 3576 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 16 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Registry.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\smss.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\smss.exe\", 
\"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\wininit.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\"" 
HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Registry.exe\", \"C:\\Recovery\\WindowsRE\\Idle.exe\", \"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", 
\"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\ja-JP\\csrss.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\", 
\"C:\\Recovery\\WindowsRE\\wininit.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\", \"C:\\Program Files\\Microsoft Office 15\\smss.exe\", \"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\", \"C:\\odt\\taskhostw.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\", \"C:\\Program Files\\VideoLAN\\VLC\\locale\\wininit.exe\", \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\System.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe -
Process spawned unexpected child process 48 IoCs
This typically indicates that the parent process was compromised via an exploit or macro. In this report the parent is C:\Windows\system32\wbem\wmiprvse.exe and every flagged child is schtasks.exe (the same PIDs listed under the DcRat signature above), which is consistent with scheduled-task creation being driven through WMI; confirm this against the process tree before treating it as evidence of an exploit.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4160 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1684 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3040 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1624 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3192 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2748 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2340 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4932 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4912 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4876 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4868 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4816 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4904 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3068 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3272 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5064 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3356 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2056 1388 
schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3320 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2860 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1116 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3368 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1748 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2140 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4224 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4176 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4992 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1844 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 416 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3180 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4964 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3452 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2652 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 208 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 220 1388 schtasks.exe 62 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3964 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 724 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4084 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1692 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1036 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3556 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3524 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3400 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3540 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3592 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3576 1388 schtasks.exe 62 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5040 1388 schtasks.exe 62 -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhostw.exe -
resource yara_rule behavioral2/memory/4860-132-0x00000000004E0000-0x0000000000616000-memory.dmp dcrat behavioral2/files/0x0009000000022e08-165.dat dcrat behavioral2/files/0x0009000000022e08-164.dat dcrat behavioral2/memory/1896-167-0x00000000004B0000-0x00000000005E6000-memory.dmp dcrat -
Executes dropped EXE 1 IoCs
pid Process 1896 taskhostw.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe -
Adds Run key to start application 2 TTPs 30 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Microsoft Office 15\\smss.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = 
"\"C:\\Recovery\\WindowsRE\\wininit.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\wininit.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Recovery\\WindowsRE\\System.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ja-JP\\csrss.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\Performance\\WinSAT\\DataStore\\winlogon.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = 
"\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Registry.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\fontdrvhost.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\Idle.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\VideoLAN\\VLC\\locale\\wininit.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\odt\\taskhostw.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\odt\\taskhostw.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Media Player\\dllhost.exe\"" 
HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\WindowsRE\\Idle.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\All Users\\ssh\\OfficeClickToRun.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ja-JP\\csrss.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\upfc.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Microsoft Office 15\\smss.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Recovery\\WindowsRE\\wininit.exe\"" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Registry.exe\"" 
HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhostw.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in Program Files directory 35 IoCs
description ioc Process File created C:\Program Files\Microsoft Office 15\69ddcba757bf72 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files\VideoLAN\VLC\locale\wininit.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Windows Media Player\RCX7EB1.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\RCX8133.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\RCX81B1.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files\Microsoft Office 15\RCX8A32.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files\Microsoft Office 15\smss.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\wininit.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\RCX9563.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Reference 
Assemblies\Microsoft\Framework\v3.5\RCX87B0.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX92E2.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files (x86)\Microsoft.NET\5b884080fd4f94 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\upfc.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\6ccacd8608530f HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files\VideoLAN\VLC\locale\56085415360792 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX9F2D.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX9FCB.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files (x86)\Windows Media Player\dllhost.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Registry.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\ee2ad38f3d4382 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files 
(x86)\Reference Assemblies\Microsoft\Framework\v3.5\RCX8732.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\upfc.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ea1d8f6d871115 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files\Microsoft Office 15\smss.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Windows Media Player\RCX7E24.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Windows Media Player\dllhost.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Program Files (x86)\Windows Media Player\5940a34987c991 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files\Microsoft Office 15\RCX8AB0.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX9254.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Registry.exe 
HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\RCX95E1.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\ja-JP\csrss.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Windows\ja-JP\csrss.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Windows\Performance\WinSAT\DataStore\cc11b995f2a76d HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Windows\Performance\WinSAT\DataStore\winlogon.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Windows\ja-JP\886983d96e3d3e HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File created C:\Windows\Performance\WinSAT\DataStore\winlogon.exe HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Windows\ja-JP\RCX7834.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Windows\ja-JP\RCX78A3.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Windows\Performance\WinSAT\DataStore\RCX8D41.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe File opened for modification C:\Windows\Performance\WinSAT\DataStore\RCX8DBF.tmp HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). This is a generic signature and, on its own, is not evidence of ransomware: nothing in this report shows file encryption. The activity actually recorded here is persistence staging — copies dropped under system-like names (csrss.exe, winlogon.exe, smss.exe, dllhost.exe, …), scheduled tasks pointing at them, and Defender exclusions for each path.
-
Creates scheduled task(s) 1 TTPs 48 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the sample registers, for each dropped copy, one ONLOGON task plus two recurring MINUTE-interval tasks (5–14 minutes) with /rl HIGHEST, so every payload is relaunched at logon and every few minutes at high integrity. Remediation must delete these tasks as well as the dropped files; removing the files alone leaves tasks that will re-run any copy that is restored.
pid Process 3180 schtasks.exe 1684 schtasks.exe 2748 schtasks.exe 1116 schtasks.exe 2140 schtasks.exe 3556 schtasks.exe 3540 schtasks.exe 4912 schtasks.exe 4876 schtasks.exe 1792 schtasks.exe 3592 schtasks.exe 4992 schtasks.exe 220 schtasks.exe 1036 schtasks.exe 3192 schtasks.exe 1844 schtasks.exe 3368 schtasks.exe 1748 schtasks.exe 208 schtasks.exe 3964 schtasks.exe 1692 schtasks.exe 1624 schtasks.exe 4816 schtasks.exe 3356 schtasks.exe 3576 schtasks.exe 3068 schtasks.exe 3272 schtasks.exe 4224 schtasks.exe 4964 schtasks.exe 2652 schtasks.exe 4160 schtasks.exe 2340 schtasks.exe 4868 schtasks.exe 3524 schtasks.exe 416 schtasks.exe 3400 schtasks.exe 3040 schtasks.exe 4932 schtasks.exe 2860 schtasks.exe 3320 schtasks.exe 4176 schtasks.exe 3452 schtasks.exe 724 schtasks.exe 4084 schtasks.exe 4904 schtasks.exe 5064 schtasks.exe 2056 schtasks.exe 5040 schtasks.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 1572 powershell.exe 3460 
powershell.exe 3460 powershell.exe 4596 powershell.exe 4596 powershell.exe 1292 powershell.exe 1292 powershell.exe 1600 powershell.exe 1600 powershell.exe 2184 powershell.exe 2184 powershell.exe 1072 powershell.exe 1072 powershell.exe 2408 powershell.exe 2408 powershell.exe 4424 powershell.exe 4424 powershell.exe 4072 powershell.exe 4072 powershell.exe 1700 powershell.exe 1700 powershell.exe 3916 powershell.exe 3916 powershell.exe 1468 powershell.exe 1468 powershell.exe 4392 powershell.exe 4392 powershell.exe 4028 powershell.exe 4028 powershell.exe 3508 powershell.exe 3508 powershell.exe 2224 powershell.exe 2224 powershell.exe 4028 powershell.exe 1572 powershell.exe 1572 powershell.exe 1292 powershell.exe 1292 powershell.exe 3460 powershell.exe 3460 powershell.exe 1600 powershell.exe 1600 powershell.exe 4596 powershell.exe 4596 powershell.exe 1072 powershell.exe -
Suspicious use of AdjustPrivilegeToken 19 IoCs
description pid Process Token: SeDebugPrivilege 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Token: SeDebugPrivilege 1572 powershell.exe Token: SeDebugPrivilege 3460 powershell.exe Token: SeDebugPrivilege 4596 powershell.exe Token: SeDebugPrivilege 1292 powershell.exe Token: SeDebugPrivilege 1600 powershell.exe Token: SeDebugPrivilege 2184 powershell.exe Token: SeDebugPrivilege 1072 powershell.exe Token: SeDebugPrivilege 2408 powershell.exe Token: SeDebugPrivilege 4424 powershell.exe Token: SeDebugPrivilege 4072 powershell.exe Token: SeDebugPrivilege 1700 powershell.exe Token: SeDebugPrivilege 3916 powershell.exe Token: SeDebugPrivilege 1468 powershell.exe Token: SeDebugPrivilege 4392 powershell.exe Token: SeDebugPrivilege 4028 powershell.exe Token: SeDebugPrivilege 3508 powershell.exe Token: SeDebugPrivilege 2224 powershell.exe Token: SeDebugPrivilege 1896 taskhostw.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 4860 wrote to memory of 1572 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 128 PID 4860 wrote to memory of 1572 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 128 PID 4860 wrote to memory of 4596 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 129 PID 4860 wrote to memory of 4596 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 129 PID 4860 wrote to memory of 3460 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 132 PID 4860 wrote to memory of 3460 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 132 PID 4860 wrote to memory of 1292 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 134 PID 4860 wrote to memory of 1292 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 134 PID 4860 wrote to memory of 2184 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 136 PID 4860 wrote to memory of 2184 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 136 PID 4860 wrote to memory of 1600 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 138 PID 4860 wrote to memory of 1600 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 138 PID 4860 wrote to memory of 1072 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 139 PID 4860 wrote to memory of 1072 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 139 
PID 4860 wrote to memory of 2408 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 140 PID 4860 wrote to memory of 2408 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 140 PID 4860 wrote to memory of 4424 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 141 PID 4860 wrote to memory of 4424 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 141 PID 4860 wrote to memory of 4072 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 145 PID 4860 wrote to memory of 4072 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 145 PID 4860 wrote to memory of 1700 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 146 PID 4860 wrote to memory of 1700 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 146 PID 4860 wrote to memory of 1468 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 149 PID 4860 wrote to memory of 1468 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 149 PID 4860 wrote to memory of 3916 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 155 PID 4860 wrote to memory of 3916 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 155 PID 4860 wrote to memory of 4392 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 152 PID 4860 wrote to memory of 4392 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 152 PID 4860 wrote to memory of 3508 4860 
HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 153 PID 4860 wrote to memory of 3508 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 153 PID 4860 wrote to memory of 4028 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 161 PID 4860 wrote to memory of 4028 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 161 PID 4860 wrote to memory of 2224 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 157 PID 4860 wrote to memory of 2224 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 157 PID 4860 wrote to memory of 1896 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 162 PID 4860 wrote to memory of 1896 4860 HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe 162 -
System policy modification 1 TTPs 6 IoCs — setting EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop to 0 disables UAC and suppresses administrator consent prompts; the same three writes are made by both the original sample and the dropped C:\odt\taskhostw.exe, so the persisted copy re-applies the change.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskhostw.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskhostw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe"C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe"1⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4860 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\HEUR-Backdoor.MSIL.DCRat.gen-1d8b7b15c020992d1ab65aea558a2294421752cb67c46248c6af03008d066e02.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\csrss.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\dllhost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2184
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\wininit.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\upfc.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\smss.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\taskhostw.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\wininit.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Registry.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3508
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ssh\OfficeClickToRun.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028
-
-
C:\odt\taskhostw.exe"C:\odt\taskhostw.exe"2⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1896
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ja-JP\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3040
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\odt\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3272
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\upfc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office 15\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3320
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\winlogon.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 6 /tr "'C:\odt\taskhostw.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2140
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\odt\taskhostw.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:416
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\locale\wininit.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3180
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\locale\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:724
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Registry.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Registry.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\ssh\OfficeClickToRun.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3592
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\All Users\ssh\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3576
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\ssh\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
2KB
MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
-
Filesize
944B
MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
-
Filesize
944B
MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
-
Filesize
944B
MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
-
Filesize
944B
MD5 aaaac7c68d2b7997ed502c26fd9f65c2
SHA1 7c5a3731300d672bf53c43e2f9e951c745f7fbdf
SHA256 8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb
SHA512 c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
944B
MD5 61e06aa7c42c7b2a752516bcbb242cc1
SHA1 02c54f8b171ef48cad21819c20b360448418a068
SHA256 5bb0254e8f0220caab64dcc785f432820350471bfcdcb98240c3e0e71a709f5d
SHA512 03731f49999ec895370100a4dfeee674bbe5baa50d82007256e6914c323412eef8936b320d2738774758fbbfd76d4c3d391d9e144e65587eba700d98d0362346
-
Filesize
1.2MB
MD5 a3e64e9338e1439f43237ae7b6d23d1a
SHA1 4b093c29bf1e77730c534a81dc5f64b906144e20
SHA256 2907337f45f589eed4e35fb469aa003a67342fbaf6b0b0a659128279f4a77647
SHA512 6743be68eb2d66a6e597df2cdb8c8b746f34904afb91d5b08ace3962a2ca7606dd2661075b7167ab6db062ca45a3f8b346fbaa08dcf97b4cc7a848490868e5c4
-
Filesize
1.2MB
MD5 a3e64e9338e1439f43237ae7b6d23d1a
SHA1 4b093c29bf1e77730c534a81dc5f64b906144e20
SHA256 2907337f45f589eed4e35fb469aa003a67342fbaf6b0b0a659128279f4a77647
SHA512 6743be68eb2d66a6e597df2cdb8c8b746f34904afb91d5b08ace3962a2ca7606dd2661075b7167ab6db062ca45a3f8b346fbaa08dcf97b4cc7a848490868e5c4