Malware Analysis Report

2024-11-15 05:53

Sample ID 240721-rsar7svhpj
Target DCRatBuild.exe
SHA256 d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132
Tags rat dcrat infostealer persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132

Threat Level: Known bad

The file DCRatBuild.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

DcRat

DCRat payload

Dcrat family

Process spawned unexpected child process

Modifies WinLogon for persistence

DCRat payload

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

Modifies registry class

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 14:26

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 14:26

Reported

2024-07-21 14:34

Platform

win10v2004-20240709-en

Max time kernel

422s

Max time network

424s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

DcRat

rat infostealer dcrat

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (identical row repeated 44 times)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\PortproviderRuntime\\fontdrvhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\PortproviderRuntime\\fontdrvhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\5b884080fd4f94 C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\dllhost.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\5940a34987c991 C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\22eafd247d37c3 C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files\Windows Multimedia Platform\sppsvc.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files\Windows Multimedia Platform\0a1fd5f707cd16 C:\PortproviderRuntime\Bridgewebsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Windows\Help\Windows\ContentStore\en-US\38384e6a620884 C:\PortproviderRuntime\Bridgewebsvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A (identical row repeated 4 times)
N/A N/A C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A (identical row repeated 32 times)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3788 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe (identical row repeated 3 times)
PID 3976 wrote to memory of 4524 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe (identical row repeated 3 times)
PID 4524 wrote to memory of 1148 N/A C:\Windows\SysWOW64\cmd.exe C:\PortproviderRuntime\Bridgewebsvc.exe (identical row repeated 2 times)
PID 1148 wrote to memory of 4932 N/A C:\PortproviderRuntime\Bridgewebsvc.exe C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe (identical row repeated 2 times)
PID 4932 wrote to memory of 668 N/A C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe C:\Windows\system32\cmd.exe (identical row repeated 2 times)
PID 668 wrote to memory of 3512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\w32tm.exe (identical row repeated 2 times)

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\PortproviderRuntime\2jiE6dDNxF2hUpVE5Z.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\PortproviderRuntime\OI2YygSphQCiiCNA7ofzvo.bat" "

C:\PortproviderRuntime\Bridgewebsvc.exe

"C:\PortproviderRuntime\Bridgewebsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\PortproviderRuntime\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PortproviderRuntime\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\PortproviderRuntime\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe

"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "Bridgewebsvc" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "BridgewebsvcB" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dllhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dllhostd" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "fontdrvhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "fontdrvhostf" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "fontdrvhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "fontdrvhostf" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "SearchApp" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "SearchAppS" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dllhost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "dllhostd" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "RuntimeBroker" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "RuntimeBrokerR" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "TextInputHost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "TextInputHostT" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "sppsvc" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "sppsvcs" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "TextInputHost" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /delete /tn "TextInputHostT" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat" "

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 f1008885.xsph.ru udp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
US 8.8.8.8:53 151.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp

Files

C:\PortproviderRuntime\2jiE6dDNxF2hUpVE5Z.vbe

C:\PortproviderRuntime\OI2YygSphQCiiCNA7ofzvo.bat

C:\PortproviderRuntime\Bridgewebsvc.exe

memory/1148-12-0x0000000000D10000-0x0000000000DE6000-memory.dmp

memory/1148-13-0x00007FFF73CF0000-0x00007FFF73FB9000-memory.dmp

memory/1148-41-0x00007FFF73CF0000-0x00007FFF73FB9000-memory.dmp

memory/4932-42-0x0000000000FF0000-0x0000000001006000-memory.dmp

C:\Recovery\WindowsRE\5940a34987c991

C:\PortproviderRuntime\5b884080fd4f94

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\5b884080fd4f94

C:\Windows\Help\Windows\ContentStore\en-US\38384e6a620884

C:\Program Files (x86)\Windows Defender\5940a34987c991

C:\Recovery\WindowsRE\9e8d7a4ca61bd9

C:\Program Files\Windows Multimedia Platform\0a1fd5f707cd16

C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat

C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\22eafd247d37c3