dcrat | d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132

Resubmissions

16-11-2024 10:34

241116-ml8y7sylen 10

16-11-2024 10:32

15-11-2024 09:16

30-10-2024 05:17

21-07-2024 18:09

21-07-2024 14:26

Analysis

max time kernel
422s
max time network
424s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DCRatBuild.exe
Size

1.1MB
MD5

7ef93a29c05d412dd2dc432e1aac54a9
SHA1

776cc5c36f370a7e1fa840a21c13f2278723409e
SHA256

d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132
SHA512

26e00619e47a130fb768b91074915c8a69f8690ac12465f21c1bd7e69f94ae6db9a238ff3c510a719cf1a318a07c80a543212c200b2b2152934a1ad154d13ab6
SSDEEP

12288:URZ+IoG/n9IQxW3OBseUUT+tcYbv+RK+UfXST5/rKMyFckcb8M41AT0z/GAFPz3m:u2G/nvxW3WieC7STuMMATKPTVgxr4q

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 17 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Bridgewebsvc.exeTextInputHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\""	TextInputHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\""	TextInputHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\""	TextInputHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\""	TextInputHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\""	TextInputHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\""	TextInputHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\""	TextInputHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\""	TextInputHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	TextInputHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\""	Bridgewebsvc.exe

Process spawned unexpected child process 44 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4660	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4148	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3468	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	184	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4492	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3636	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4564	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4720	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3532	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3408	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	3408	schtasks.exe

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\PortproviderRuntime\Bridgewebsvc.exe	dcrat
behavioral1/memory/1148-12-0x0000000000D10000-0x0000000000DE6000-memory.dmp	dcrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DCRatBuild.exeWScript.exeBridgewebsvc.exeTextInputHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	Bridgewebsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	TextInputHost.exe

Executes dropped EXE 2 IoCs

Processes:

Bridgewebsvc.exeTextInputHost.exe

pid process

1148 Bridgewebsvc.exe
4932 TextInputHost.exe

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Bridgewebsvc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\PortproviderRuntime\\fontdrvhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\PortproviderRuntime\\fontdrvhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\""	Bridgewebsvc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\""	Bridgewebsvc.exe

Drops file in Program Files directory 8 IoCs

Processes:

Bridgewebsvc.exe

description	ioc	process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe	Bridgewebsvc.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\5b884080fd4f94	Bridgewebsvc.exe
File created	C:\Program Files (x86)\Windows Defender\dllhost.exe	Bridgewebsvc.exe
File created	C:\Program Files (x86)\Windows Defender\5940a34987c991	Bridgewebsvc.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe	Bridgewebsvc.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\22eafd247d37c3	Bridgewebsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\sppsvc.exe	Bridgewebsvc.exe
File created	C:\Program Files\Windows Multimedia Platform\0a1fd5f707cd16	Bridgewebsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

Bridgewebsvc.exe

description	ioc	process
File created	C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe	Bridgewebsvc.exe
File created	C:\Windows\Help\Windows\ContentStore\en-US\38384e6a620884	Bridgewebsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

DCRatBuild.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings DCRatBuild.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	DCRatBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	process
2640	schtasks.exe
1536	schtasks.exe
4120	schtasks.exe
2396	schtasks.exe
4148	schtasks.exe
1156	schtasks.exe
2732	schtasks.exe
1388	schtasks.exe
836	schtasks.exe
3996	schtasks.exe
2324	schtasks.exe
4480	schtasks.exe
3384	schtasks.exe
804	schtasks.exe
208	schtasks.exe
3580	schtasks.exe
1356	schtasks.exe
2040	schtasks.exe
4888	schtasks.exe
4660	schtasks.exe
752	schtasks.exe
3468	schtasks.exe
3724	schtasks.exe
4648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

Bridgewebsvc.exeTextInputHost.exe

pid	process
1148	Bridgewebsvc.exe
1148	Bridgewebsvc.exe
1148	Bridgewebsvc.exe
1148	Bridgewebsvc.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe
4932	TextInputHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TextInputHost.exe

pid process

4932 TextInputHost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Bridgewebsvc.exeTextInputHost.exe

description pid process

Token: SeDebugPrivilege 1148 Bridgewebsvc.exe
Token: SeDebugPrivilege 4932 TextInputHost.exe

pid	process
4932	TextInputHost.exe

description	pid	process
Token: SeDebugPrivilege	1148	Bridgewebsvc.exe
Token: SeDebugPrivilege	4932	TextInputHost.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

DCRatBuild.exeWScript.execmd.exeBridgewebsvc.exeTextInputHost.execmd.exe

description	pid	process	target process
PID 3788 wrote to memory of 3976	3788	DCRatBuild.exe	WScript.exe
PID 3788 wrote to memory of 3976	3788	DCRatBuild.exe	WScript.exe
PID 3788 wrote to memory of 3976	3788	DCRatBuild.exe	WScript.exe
PID 3976 wrote to memory of 4524	3976	WScript.exe	cmd.exe
PID 3976 wrote to memory of 4524	3976	WScript.exe	cmd.exe
PID 3976 wrote to memory of 4524	3976	WScript.exe	cmd.exe
PID 4524 wrote to memory of 1148	4524	cmd.exe	Bridgewebsvc.exe
PID 4524 wrote to memory of 1148	4524	cmd.exe	Bridgewebsvc.exe
PID 1148 wrote to memory of 4932	1148	Bridgewebsvc.exe	TextInputHost.exe
PID 1148 wrote to memory of 4932	1148	Bridgewebsvc.exe	TextInputHost.exe
PID 4932 wrote to memory of 668	4932	TextInputHost.exe	cmd.exe
PID 4932 wrote to memory of 668	4932	TextInputHost.exe	cmd.exe
PID 668 wrote to memory of 3512	668	cmd.exe	w32tm.exe
PID 668 wrote to memory of 3512	668	cmd.exe	w32tm.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\PortproviderRuntime\2jiE6dDNxF2hUpVE5Z.vbe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\PortproviderRuntime\OI2YygSphQCiiCNA7ofzvo.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\PortproviderRuntime\Bridgewebsvc.exe
      "C:\PortproviderRuntime\Bridgewebsvc.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1148
    - - C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe
        
        "C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\PortproviderRuntime\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PortproviderRuntime\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\PortproviderRuntime\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Bridgewebsvc" /f
1⤵
- Process spawned unexpected child process
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "BridgewebsvcB" /f
1⤵
- Process spawned unexpected child process
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
1⤵
- Process spawned unexpected child process
PID:4492

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
1⤵
- Process spawned unexpected child process
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
1⤵
- Process spawned unexpected child process
PID:3636

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
1⤵
- Process spawned unexpected child process
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
1⤵
- Process spawned unexpected child process
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
1⤵
- Process spawned unexpected child process
PID:3876

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchApp" /f
1⤵
- Process spawned unexpected child process
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchAppS" /f
1⤵
- Process spawned unexpected child process
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
1⤵
- Process spawned unexpected child process
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
1⤵
- Process spawned unexpected child process
PID:4564

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
1⤵
- Process spawned unexpected child process
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
1⤵
- Process spawned unexpected child process
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHost" /f
1⤵
- Process spawned unexpected child process
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHostT" /f
1⤵
- Process spawned unexpected child process
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sppsvc" /f
1⤵
- Process spawned unexpected child process
PID:4720

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sppsvcs" /f
1⤵
- Process spawned unexpected child process
PID:3532

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHost" /f
1⤵
- Process spawned unexpected child process
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHostT" /f
1⤵
- Process spawned unexpected child process
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PortproviderRuntime\2jiE6dDNxF2hUpVE5Z.vbe

Filesize
218B

MD5
413767cf51f36f7f50d9430d73ea0bb1

SHA1
4469733bce94a114c836ea3591dccb3e689782c7

SHA256
2e118668b3c63457b924aafd6b402e105477030d6157e3d66ba8ba7acad58dcf

SHA512
3c12a46412227f57f8aa815b0b7820ca54eb3fa7a033ea7baa7efad7526755db7998d843a6790880efa87b841e9c6085b793930ae865c2694c8385e5937ee900

Download Submit
C:\PortproviderRuntime\5b884080fd4f94

Filesize
814B

MD5
bc28d612f8eeed4d9d7a0bf27e9e6b4f

SHA1
94a830bbba8821dffdead5c5c840575b954780c0

SHA256
0cd161abb3c2a5c493d216ce5ca9ed9d66688126ab209952fe9e020c54b78d24

SHA512
483c4ffd5de31c1f6de5b0324684e3de57b33e2a070ce9a2ebfa8c02ff107d9633e90a8bd0a19898408d201593ba8da433017676a3967891b21691e9849c840e

Download Submit
C:\PortproviderRuntime\Bridgewebsvc.exe

Filesize
828KB

MD5
fddea23e803e9e5de212e4c0475c8f93

SHA1
c4426bf36ce54917155da2bfbec1508c5a799664

SHA256
f014b4dd1600fb5ecd92de55165573415c2d7ee184a4f70f2f975ee7909150f6

SHA512
05459fc75998ee306e8de7e544aaf744e5c6e1930dcb7e02b94a566a7ad6e874a9fe50a78a1da50b4e7110282e49353f8ced586117d772b600b84d09ee070591

Download Submit
C:\PortproviderRuntime\OI2YygSphQCiiCNA7ofzvo.bat

Filesize
41B

MD5
863d81db66a0a5864890665ea50c23c5

SHA1
f5a584f4ee5e390b667eaa5e5d9332251388fa7e

SHA256
d4fa2e3203a21efd9f46fd9ea5fcedbabe13bd9a2bc93d0169070507380bbf9b

SHA512
ecb8ff338e0febcfe8965516a58dcdcd63420592467ce1c281f7ccacf7a2ca02bd7a73d52208e98edec3e73ea69477f3ccaa4ddf4b0608e5598a92e110e5d3b0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\5b884080fd4f94

Filesize
930B

MD5
154414ab43721c18e0465efe910de669

SHA1
5c70339a1d4cf8164cc159800ac6119e136305da

SHA256
585a91980209df23d11c757f2c67892c2e30a45dfb9fb8c084d9598d3cf9f19a

SHA512
69913c5f0efb3cbb241ea9faac5dd68cce97d9e1dca51e274f2bcb6647c334b5d7354083e95d3c6911b3b17c9ee1105d311a64f13fbfb0ac86e7e68a35e2995b

Download Submit
C:\Program Files (x86)\Windows Defender\5940a34987c991

Filesize
303B

MD5
ae5f5ba42eec3860d89674f440ea0f78

SHA1
361f33bc98205d1feb2b5034370664238356d143

SHA256
fec8fa57a79497e5f7bbe2d06d799fbdf8ef7b6c4677073adcc988d0a6c6ad94

SHA512
771bc1516b3b6408b963b43303c1e542a56f4c2617170e7c5525cbceb9f1208c89374ba5b4b0d91be9d305bd4aec9f833da5ddda16aa9ef8a28e352972f66dec

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\22eafd247d37c3

Filesize
248B

MD5
d6e28b534af6d035cf931530e53dbdf8

SHA1
502a7f927ea89645bcbe2f2965e401cdd5177ad7

SHA256
c08d10c9a199e52a1813379f6ecfdef5b6020cb1197fc03f8ffcfc42a7148522

SHA512
1469fff880437eafcc0fc98082d148e549caf15e4c9280c4638d82ac4db2df09361c9db9747e077d8255b3c1ec87e0ba18af82d1dea7840ae594ca5e20d1e7fc

Download Submit
C:\Program Files\Windows Multimedia Platform\0a1fd5f707cd16

Filesize
779B

MD5
41b0b1f8666e8aeeb51c8ec9a859daf6

SHA1
ffab8e577ca0ce67e94108b2492e105476bad05d

SHA256
3abfbcef4f4f73a3c73ca25a5cf3b9012a16f47e9ab577be33506fa0cc79d990

SHA512
202c5b6227822f357db7bd289a5d836728b6b08d767475f312fa290f4910a35eeefd652d4f4289b6b0a8bd228e1e12094ecf10354e721d9babe0fbd1b22bcb37

Download Submit
C:\Recovery\WindowsRE\5940a34987c991

Filesize
98B

MD5
33d88ed4a43c6d5d4c8bb1c78cc6b359

SHA1
3e35f739aa99cab16903b8bfefad4b124aae8faa

SHA256
c664e9f7859be9f82648b8ee4da7100d7b86ea3f9ab01cebfdd6b7ce4148414a

SHA512
43ea5380394bbe002115d8d05c6f2d5029f1789193335d06cacc1bc379595d8ea073cfe011e1b9b6418221c4d51fa180b5f30d0564af623ba816e6deeb04816a

Download Submit
C:\Recovery\WindowsRE\9e8d7a4ca61bd9

Filesize
684B

MD5
2ba4bd9b8b8edeec349665252f25cbdc

SHA1
32d5c5bff1a383e3ead42e79f45c7fff21129110

SHA256
81cf0c57c9cdcbec7275daec4b6e6a9c664ace6726697d0894a8c22f9a9aa0b8

SHA512
9fc685f59ee54f54761e93d342fbd308dcf700f5dcede6f8a022362e52844c382c890e6f2c404165047eea056f6d6d88b2a1404baeff45b655c8d5c7cd8c5061

Download Submit
C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat

Filesize
419B

MD5
ccb4c9d12a15778ca4d9393023ad16dc

SHA1
fdd20c0602c31e602a7df55799758888ce7e3366

SHA256
e1940ae025a954bb2b98e6f9c219fd274277b0a36d49199a1e6a4cee58d32da8

SHA512
cebdf9d569f6fbabaf975f2e66250ec659e92733135dfe232a019e8610e8550b92c1fbdea23de3241e0b518d89147a48fbf2a6e538eefc17a0cc5faa45d5c5a1

Download Submit
C:\Windows\Help\Windows\ContentStore\en-US\38384e6a620884

Filesize
754B

MD5
5d5cce74aee3f39e892f05d3b37a0a8e

SHA1
b1d61b3d5fa323ae9ac5207dde1ef0932bd75036

SHA256
2aa01cc51cf19018824fe9da4957c3f2d5dc0ce99c9b6e1e610ad4ee36d1b50f

SHA512
40c3db623f42b341bd1a80da72f140f672611b6acfb25f7a97e34627ae4b0a4612e0e299b59e0de9c633203be7afac428ac0e95b420ac740707d42ccf2a809e6

Download Submit
memory/1148-41-0x00007FFF73CF0000-0x00007FFF73FB9000-memory.dmp

Filesize
2.8MB

Download
memory/1148-13-0x00007FFF73CF0000-0x00007FFF73FB9000-memory.dmp

Filesize
2.8MB

Download
memory/1148-12-0x0000000000D10000-0x0000000000DE6000-memory.dmp

Filesize
856KB

Download
memory/4932-42-0x0000000000FF0000-0x0000000001006000-memory.dmp

Filesize
88KB

Download