Malware Analysis Report

2024-10-10 13:07

Sample ID: 240619-vcgscsyekm
Target: Desktop.exe
SHA256: 1a6f1c3694f5e3a128245228344423d3e5cfea709f72f5e18afcdab1caed7be2
Tags: dcrat infostealer persistence rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 1a6f1c3694f5e3a128245228344423d3e5cfea709f72f5e18afcdab1caed7be2

Threat Level: Known bad

The file Desktop.exe was found to be: Known bad.

Malicious Activity Summary

dcrat infostealer persistence rat spyware stealer

Process spawned unexpected child process

DcRat

Modifies WinLogon for persistence

DCRat payload

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Modifies registry class

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-19 16:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 16:50
Reported: 2024-06-19 17:00
Platform: win7-20240419-en
Max time kernel: 361s
Max time network: 363s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\es-ES\088424020bedd6 C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
File opened for modification C:\Windows\system32\GDIPFONTCACHEV1.DAT C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\", \"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\", \"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\", \"C:\\Users\\Public\\Desktop\\wininit.exe\", \"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\", \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\sppsvc.exe\", \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Microsoft\\wininit.exe\", \"C:\\Users\\Default User\\services.exe\", \"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Desktop\\wininit.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft\\wininit.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Templates\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\All Users\\Microsoft\\wininit.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows NT\\TableTextService\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Public\\Desktop\\wininit.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Users\\All Users\\Templates\\sppsvc.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\taskhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\es-ES\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\spoolsv.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Package Cache\\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Photo Viewer\\fr-FR\\wininit.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Default User\\services.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\f3b6ecef712a24 C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files\Windows Photo Viewer\fr-FR\56085415360792 C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files\Windows NT\TableTextService\sppsvc.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files\Windows NT\TableTextService\0a1fd5f707cd16 C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\b75386f1303e64 C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\es-ES\088424020bedd6 C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files (x86)\Common Files\spoolsv.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe
PID 1740 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe
PID 1740 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe
PID 1740 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe
PID 1740 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
PID 1740 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
PID 1740 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
PID 1740 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
PID 1732 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 1732 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 1732 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 1732 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 2260 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 2260 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 2260 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 2260 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 2600 wrote to memory of 3036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2600 wrote to memory of 3036 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe
PID 2080 wrote to memory of 568 N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe
PID 568 wrote to memory of 580 N/A C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe C:\Windows\system32\cmd.exe
PID 580 wrote to memory of 1424 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\w32tm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Desktop.exe

"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"

C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe

"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe"

C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe

"C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe"

C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe

"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.bat" "

C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe

"C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Desktop\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /rl HIGHEST /f

C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe

"C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\audiodg.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "Sessioncrt" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "SessioncrtS" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "conhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "conhostc" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsv" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "spoolsvs" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "audiodg" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "audiodga" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "wininit" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "wininitw" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "wininit" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "wininitw" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "sppsvc" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "sppsvcs" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "wininit" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "wininitw" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "services" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "servicess" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "sppsvc" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "sppsvcs" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "taskhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "taskhostt" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "audiodg" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "audiodga" /f

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat" "

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 redscientist.com udp
US 74.208.236.5:80 redscientist.com tcp
US 8.8.8.8:53 a0997784.xsph.ru udp
RU 141.8.192.6:80 a0997784.xsph.ru tcp

Files

\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe

C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe

\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe

memory/2260-43-0x0000000000BD0000-0x0000000000FD3000-memory.dmp

memory/1732-42-0x0000000003DF0000-0x00000000041F3000-memory.dmp

memory/2784-45-0x0000000001120000-0x00000000011E4000-memory.dmp

memory/2260-54-0x0000000000BD0000-0x0000000000FD3000-memory.dmp

C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbe

C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.bat

C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe

memory/2080-61-0x0000000001150000-0x000000000127C000-memory.dmp

memory/2080-62-0x0000000000630000-0x000000000064C000-memory.dmp

memory/2080-63-0x00000000004A0000-0x00000000004B0000-memory.dmp

memory/2080-64-0x0000000000860000-0x000000000086A000-memory.dmp

memory/2080-65-0x0000000000B10000-0x0000000000B1C000-memory.dmp

memory/568-92-0x0000000000E10000-0x0000000000F3C000-memory.dmp

C:\Program Files (x86)\Windows NT\Accessories\es-ES\088424020bedd6

C:\Program Files (x86)\Common Files\f3b6ecef712a24

C:\Users\Public\Desktop\56085415360792

C:\Program Files\Windows Photo Viewer\fr-FR\56085415360792

C:\Users\All Users\Templates\0a1fd5f707cd16

C:\Users\All Users\Microsoft\56085415360792

C:\Users\Default User\c5b4cb5e9653cc

C:\Program Files\Windows NT\TableTextService\0a1fd5f707cd16

C:\Program Files (x86)\Microsoft Analysis Services\b75386f1303e64

C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

C:\Users\All Users\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\42af1c969fbb7b

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 16:50

Reported

2024-06-19 17:00

Platform

win10v2004-20240226-en

Max time kernel

600s

Max time network

606s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\spoolsv.exe\", \"C:\\Users\\Default\\Application Data\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\spoolsv.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\spoolsv.exe\", \"C:\\Users\\Default\\Application Data\\conhost.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\", \"C:\\odt\\Sessioncrt.exe\", \"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\", \"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\", \"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\", \"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\", \"C:\\Windows\\bcastdvr\\SppExtComObj.exe\", \"C:\\odt\\services.exe\", \"C:\\Users\\Default User\\WaaSMedicAgent.exe\", \"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\odt\\spoolsv.exe\", \"C:\\Users\\Default\\Application Data\\conhost.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\RuntimeBroker.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\dllhost.exe\", \"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\", \"C:\\Windows\\ShellComponents\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Desktop.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Documents\\My Pictures\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\bcastdvr\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\odt\\services.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\odt\\services.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\AppData\\Roaming\\Microsoft\\Windows\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sessioncrt = "\"C:\\odt\\Sessioncrt.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sessioncrt = "\"C:\\odt\\Sessioncrt.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ShellComponents\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Public\\Documents\\My Pictures\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\Application Data\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\bcastdvr\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\odt\\spoolsv.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\Application Data\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\odt\\spoolsv.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Users\\Default User\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Users\\Default User\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\ShellComponents\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WaaSMedicAgent = "\"C:\\Program Files (x86)\\Windows Mail\\WaaSMedicAgent.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\Videos\\StartMenuExperienceHost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
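Every value in the table above names a Windows system binary (csrss, dwm, services, spoolsv, conhost, dllhost, RuntimeBroker, WmiPrvSE, SppExtComObj, WaaSMedicAgent, StartMenuExperienceHost, msedge) but points at a copy in a directory where that binary never ships, and all of them were written by one process, Sessioncrt.exe. The following Python is an added example for this report, not code from the sandbox vendor or from DCRat: it parses rows in the exact text shape printed above, recovers hive, value name, target path and writing process, and flags name/path mismatches. EXPECTED_DIRS and NEVER_AUTORUN are this example's own allow-lists for a stock Windows 10/11 install (an assumption, not something the report states), and the OneDrive row in the sample is constructed to show a benign entry passing.

```python
"""Spot masquerading autorun entries in "Adds Run key to start application" rows.

Added example for the sandbox report; not vendor or DCRat code. EXPECTED_DIRS and
NEVER_AUTORUN are the author's own allow-lists, assumed for a stock Windows install.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# One report row: 'Set value (str) <key>\Run\<name> = "\"<path>\"<args>" <writer> N/A'.
# The report doubles every backslash inside the quoted value.
_ROW = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.*?\\Run)\\(?P<name>\S+) = '
    r'"\\"(?P<path>[^"]*?)\\"(?P<args>[^"]*)" (?P<writer>\S+) N/A$'
)

# Where each well-known binary legitimately lives (lower-case, no trailing slash). Assumed.
EXPECTED_DIRS: Dict[str, List[str]] = {
    "csrss.exe": [r"c:\windows\system32"],
    "dwm.exe": [r"c:\windows\system32"],
    "services.exe": [r"c:\windows\system32"],
    "spoolsv.exe": [r"c:\windows\system32"],
    "conhost.exe": [r"c:\windows\system32"],
    "dllhost.exe": [r"c:\windows\system32", r"c:\windows\syswow64"],
    "runtimebroker.exe": [r"c:\windows\system32"],
    "sppextcomobj.exe": [r"c:\windows\system32"],
    "waasmedicagent.exe": [r"c:\windows\system32"],
    "wmiprvse.exe": [r"c:\windows\system32\wbem", r"c:\windows\syswow64\wbem"],
    "startmenuexperiencehost.exe": [
        r"c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy"],
    "msedge.exe": [r"c:\program files (x86)\microsoft\edge\application",
                   r"c:\program files\microsoft\edge\application"],
}
# Started by the kernel, SMSS or the service control manager; a Run value naming them is always wrong.
NEVER_AUTORUN = {"csrss.exe", "dwm.exe", "services.exe", "spoolsv.exe", "conhost.exe"}


class Finding(NamedTuple):
    hive: str
    value_name: str
    path: str
    writer: str
    reasons: Tuple[str, ...]


def parse_row(row: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (hive, value name, unescaped target path, writing process) or None."""
    m = _ROW.match(row)
    if not m:
        return None
    hive = "HKLM" if m["key"].startswith(r"\REGISTRY\MACHINE") else "HKCU"
    return hive, m["name"], m["path"].replace("\\\\", "\\"), m["writer"]


def check_entry(hive: str, name: str, path: str, writer: str) -> Finding:
    folder, _, exe = path.lower().rpartition("\\")
    reasons = []
    if exe in EXPECTED_DIRS and folder not in EXPECTED_DIRS[exe]:
        reasons.append(f"{exe} launched from {folder!r}, not its install directory")
    if exe in NEVER_AUTORUN:
        reasons.append(f"{exe} is a system process that no Run value ever starts")
    return Finding(hive, name, path, writer, tuple(reasons))


def analyze_run_rows(rows: List[str]) -> List[Finding]:
    parsed = [p for p in map(parse_row, rows) if p]
    return [f for f in (check_entry(*p) for p in parsed) if f.reasons]


def writer_counts(rows: List[str]) -> Counter:
    """Run values written per process; one loader touching dozens is its own signal."""
    return Counter(p[3] for p in map(parse_row, rows) if p)


# Six rows copied from the report's table plus one constructed benign OneDrive row.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\All Users\\regid.1991-06.com.microsoft\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Program Files\\Microsoft Office\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files\\Windows Photo Viewer\\msedge.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sessioncrt = "\"C:\\odt\\Sessioncrt.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\Application Data\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A',
    # constructed benign entry (not from the report): a normal per-user OneDrive autorun
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe N/A',
]

if __name__ == "__main__":
    for f in analyze_run_rows(SAMPLE_ROWS):
        print(f"{f.hive}\\...\\Run\\{f.value_name} -> {f.path}")
        for r in f.reasons:
            print("   ", r)
    print(writer_counts(SAMPLE_ROWS).most_common(1))
```

Note what the name-based check cannot see: the Sessioncrt value (C:\odt\Sessioncrt.exe) is not flagged because its name imitates nothing, which is why writer_counts is kept alongside it. A single process writing this many autorun values in one session is a stronger behavioural indicator than any one entry.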

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\55b276f4edf653 C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files (x86)\Windows Mail\c82b8037eab33d C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files\Microsoft Office\WmiPrvSE.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files\Microsoft Office\24dbde2999530e C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files\Windows Photo Viewer\msedge.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Program Files\Windows Photo Viewer\61a52ddc9dd915 C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ShellComponents\886983d96e3d3e C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Windows\bcastdvr\SppExtComObj.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Windows\bcastdvr\e1ef82546f0b02 C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
File created C:\Windows\ShellComponents\csrss.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" C:\Windows\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 1e00718000000000000000000000e4c006bb93d2754f8a90cb05b6477eee0000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f706806ee260aa0d7449371beb064c986830000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000010000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874369" C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "18874385" C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 0c0001008421de39050000000000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\NodeSlot = "8" C:\Windows\explorer.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
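The rows above carry no indicator text, but the Processes section further down lists the schtasks.exe command lines behind them: for each dropped binary, one ONLOGON task with /rl HIGHEST plus MINUTE-interval tasks (every 6, 7, 10 or 12 minutes) that re-launch the same file, with task names that are the binary name plus a one-letter suffix. The following Python is an added example for this report, not sandbox or DCRat code: it tokenises schtasks /create command lines the way the Windows command line does, and summarises the persistence pattern per target. SAMPLE_CMDLINES are the six invocations copied from the process listing; the thresholds (an interval of 15 minutes or less counts as a watchdog, three or more tasks on one target counts as redundant) are this example's own choices.

```python
"""Parse schtasks.exe /create command lines and summarise the persistence they set up.

Added example for the sandbox report; not vendor or DCRat code. The thresholds in
assess() are the author's own assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_VALUELESS = {"/f", "/z", "/np", "/it"}   # schtasks switches that take no argument


class Task(NamedTuple):
    name: str
    schedule: str
    modifier: Optional[int]
    target: str
    run_level: Optional[str]
    force: bool


def tokenize(cmdline: str) -> List[str]:
    """Windows-style split: a double-quoted run is one token with the quotes removed."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_create(cmdline: str) -> Optional[Task]:
    toks = tokenize(cmdline)
    if len(toks) < 2 or toks[1].lower() != "/create":
        return None
    opts: Dict[str, str] = {}
    i = 2
    while i < len(toks):
        switch = toks[i].lower()
        if switch in _VALUELESS:
            opts[switch] = "1"
            i += 1
        else:
            opts[switch] = toks[i + 1] if i + 1 < len(toks) else ""
            i += 2
    mo = opts.get("/mo")
    return Task(
        name=opts.get("/tn", ""),
        schedule=opts.get("/sc", "").upper(),
        modifier=int(mo) if mo and mo.isdigit() else None,
        target=opts.get("/tr", "").strip("'"),   # the sample wraps the path in single quotes
        run_level=opts.get("/rl", "").upper() or None,
        force="/f" in opts,
    )


def assess(tasks: List[Task]) -> Dict[str, List[str]]:
    """Group tasks by target executable and describe the persistence pattern per target."""
    by_target: Dict[str, List[Task]] = defaultdict(list)
    for t in tasks:
        by_target[t.target.lower()].append(t)
    report: Dict[str, List[str]] = {}
    for target, group in by_target.items():
        leaf = target.rsplit("\\", 1)[-1]
        stem = leaf[:-4] if leaf.endswith(".exe") else leaf
        flags = []
        if any(t.schedule == "MINUTE" and t.modifier is not None and t.modifier <= 15 for t in group):
            flags.append("watchdog: re-launched every few minutes")
        if any(t.schedule == "ONLOGON" and t.run_level == "HIGHEST" for t in group):
            flags.append("elevated task at every logon")
        if len(group) >= 3:
            flags.append(f"{len(group)} tasks registered for one binary")
        if all(t.name.lower().startswith(stem) for t in group):
            flags.append("task names derived from the binary name")
        report[target] = flags
    return report


# Copied from the report's process listing.
SAMPLE_CMDLINES = [
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dllhost.exe'" /f""",
    r"""schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /f""",
    r"""schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /rl HIGHEST /f""",
    r"""schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /rl HIGHEST /f""",
]

if __name__ == "__main__":
    parsed = [t for t in map(parse_create, SAMPLE_CMDLINES) if t]
    for target, flags in assess(parsed).items():
        print(target)
        for f in flags:
            print("   ", f)
```

The /f switch matters during cleanup: it lets the later MINUTE task with /rl HIGHEST silently overwrite the earlier one of the same name, so a task list taken after the fact shows only the surviving definition, not every registration the loader attempted.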

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A
N/A N/A C:\odt\spoolsv.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\odt\spoolsv.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe N/A
Token: SeDebugPrivilege N/A C:\odt\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\odt\services.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\Application Data\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Windows Photo Viewer\msedge.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\odt\spoolsv.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\odt\Sessioncrt.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4768 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe
PID 4768 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe
PID 4768 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe
PID 4768 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
PID 4768 wrote to memory of 4812 N/A C:\Users\Admin\AppData\Local\Temp\Desktop.exe C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe
PID 4648 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 4648 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 4648 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe
PID 5004 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 5004 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 5004 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe C:\Windows\SysWOW64\WScript.exe
PID 3384 wrote to memory of 3660 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3384 wrote to memory of 3660 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3384 wrote to memory of 3660 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3660 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe
PID 3660 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe
PID 1828 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe C:\odt\spoolsv.exe
PID 1828 wrote to memory of 672 N/A C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe C:\odt\spoolsv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Desktop.exe

"C:\Users\Admin\AppData\Local\Temp\Desktop.exe"

C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe

"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe"

C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe

"C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe"

C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe

"C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.bat" "

C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe

"C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Roaming\Microsoft\Windows\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellComponents\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ShellComponents\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\ShellComponents\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SessioncrtS" /sc MINUTE /mo 14 /tr "'C:\odt\Sessioncrt.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Sessioncrt" /sc ONLOGON /tr "'C:\odt\Sessioncrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SessioncrtS" /sc MINUTE /mo 9 /tr "'C:\odt\Sessioncrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Videos\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Videos\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\msedge.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedgem" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Windows\bcastdvr\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\odt\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\odt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\odt\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\odt\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Application Data\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Application Data\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\odt\spoolsv.exe

"C:\odt\spoolsv.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\odt\services.exe

C:\odt\services.exe

C:\Users\Default\Application Data\conhost.exe

"C:\Users\Default\Application Data\conhost.exe"

C:\Recovery\WindowsRE\csrss.exe

C:\Recovery\WindowsRE\csrss.exe

C:\Program Files\Windows Photo Viewer\msedge.exe

"C:\Program Files\Windows Photo Viewer\msedge.exe"

C:\Users\Default\dllhost.exe

C:\Users\Default\dllhost.exe

C:\odt\spoolsv.exe

C:\odt\spoolsv.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe

"C:\Users\Public\Documents\My Pictures\RuntimeBroker.exe"

C:\odt\Sessioncrt.exe

C:\odt\Sessioncrt.exe

Network


Files

C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.sfx.exe


C:\Users\Admin\AppData\Roaming\RTC_Launcher11.exe


C:\Users\Admin\AppData\Roaming\DCRatBuild_protected.exe


C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\MNBkvV.vbe


C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\GRg9f5iKbJVOs6KIXB4m8M.bat


C:\Users\Admin\AppData\Roaming\blockComReviewhostsvc\Sessioncrt.exe


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dllhost.exe.log


C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Sessioncrt.exe.log
