Analysis Overview
SHA256
d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132
Threat Level: Known bad
The file DCRatBuild.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
DCRat payload
Dcrat family
Process spawned unexpected child process
Modifies WinLogon for persistence
DCRat payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Scheduled Task/Job: Scheduled Task
Modifies registry class
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-21 14:26
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-21 14:26
Reported
2024-07-21 14:34
Platform
win10v2004-20240709-en
Max time kernel
422s
Max time network
424s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\PortproviderRuntime\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\", \"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\", \"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\PortproviderRuntime\\fontdrvhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\UIThemes\\fontdrvhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\Help\\Windows\\ContentStore\\en-US\\SearchApp.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files\\Windows Multimedia Platform\\sppsvc.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\PortproviderRuntime\\fontdrvhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files (x86)\\Windows Defender\\dllhost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Program Files\\Microsoft Office\\Updates\\Download\\PackageFiles\\CABD97C1-51E2-44A0-88FD-F08955086650\\TextInputHost.exe\"" | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\5b884080fd4f94 | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\dllhost.exe | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\5940a34987c991 | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\22eafd247d37c3 | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\sppsvc.exe | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\0a1fd5f707cd16 | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| File created | C:\Windows\Help\Windows\ContentStore\en-US\38384e6a620884 | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\PortproviderRuntime\Bridgewebsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\PortproviderRuntime\2jiE6dDNxF2hUpVE5Z.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\PortproviderRuntime\OI2YygSphQCiiCNA7ofzvo.bat" "
C:\PortproviderRuntime\Bridgewebsvc.exe
"C:\PortproviderRuntime\Bridgewebsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\PortproviderRuntime\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\PortproviderRuntime\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\PortproviderRuntime\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\fontdrvhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\Windows\ContentStore\en-US\SearchApp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Multimedia Platform\sppsvc.exe'" /rl HIGHEST /f
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe
"C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\TextInputHost.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Bridgewebsvc" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "BridgewebsvcB" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchApp" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchAppS" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhost" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dllhostd" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBroker" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "RuntimeBrokerR" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHost" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHostT" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sppsvc" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sppsvcs" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHost" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "TextInputHostT" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat" "
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | f1008885.xsph.ru | udp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| US | 8.8.8.8:53 | 151.192.8.141.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
| RU | 141.8.192.151:80 | f1008885.xsph.ru | tcp |
Files
C:\PortproviderRuntime\2jiE6dDNxF2hUpVE5Z.vbe
| MD5 | 413767cf51f36f7f50d9430d73ea0bb1 |
| SHA1 | 4469733bce94a114c836ea3591dccb3e689782c7 |
| SHA256 | 2e118668b3c63457b924aafd6b402e105477030d6157e3d66ba8ba7acad58dcf |
| SHA512 | 3c12a46412227f57f8aa815b0b7820ca54eb3fa7a033ea7baa7efad7526755db7998d843a6790880efa87b841e9c6085b793930ae865c2694c8385e5937ee900 |
C:\PortproviderRuntime\OI2YygSphQCiiCNA7ofzvo.bat
| MD5 | 863d81db66a0a5864890665ea50c23c5 |
| SHA1 | f5a584f4ee5e390b667eaa5e5d9332251388fa7e |
| SHA256 | d4fa2e3203a21efd9f46fd9ea5fcedbabe13bd9a2bc93d0169070507380bbf9b |
| SHA512 | ecb8ff338e0febcfe8965516a58dcdcd63420592467ce1c281f7ccacf7a2ca02bd7a73d52208e98edec3e73ea69477f3ccaa4ddf4b0608e5598a92e110e5d3b0 |
C:\PortproviderRuntime\Bridgewebsvc.exe
| MD5 | fddea23e803e9e5de212e4c0475c8f93 |
| SHA1 | c4426bf36ce54917155da2bfbec1508c5a799664 |
| SHA256 | f014b4dd1600fb5ecd92de55165573415c2d7ee184a4f70f2f975ee7909150f6 |
| SHA512 | 05459fc75998ee306e8de7e544aaf744e5c6e1930dcb7e02b94a566a7ad6e874a9fe50a78a1da50b4e7110282e49353f8ced586117d772b600b84d09ee070591 |
memory/1148-12-0x0000000000D10000-0x0000000000DE6000-memory.dmp
memory/1148-13-0x00007FFF73CF0000-0x00007FFF73FB9000-memory.dmp
memory/1148-41-0x00007FFF73CF0000-0x00007FFF73FB9000-memory.dmp
memory/4932-42-0x0000000000FF0000-0x0000000001006000-memory.dmp
C:\Recovery\WindowsRE\5940a34987c991
| MD5 | 33d88ed4a43c6d5d4c8bb1c78cc6b359 |
| SHA1 | 3e35f739aa99cab16903b8bfefad4b124aae8faa |
| SHA256 | c664e9f7859be9f82648b8ee4da7100d7b86ea3f9ab01cebfdd6b7ce4148414a |
| SHA512 | 43ea5380394bbe002115d8d05c6f2d5029f1789193335d06cacc1bc379595d8ea073cfe011e1b9b6418221c4d51fa180b5f30d0564af623ba816e6deeb04816a |
C:\PortproviderRuntime\5b884080fd4f94
| MD5 | bc28d612f8eeed4d9d7a0bf27e9e6b4f |
| SHA1 | 94a830bbba8821dffdead5c5c840575b954780c0 |
| SHA256 | 0cd161abb3c2a5c493d216ce5ca9ed9d66688126ab209952fe9e020c54b78d24 |
| SHA512 | 483c4ffd5de31c1f6de5b0324684e3de57b33e2a070ce9a2ebfa8c02ff107d9633e90a8bd0a19898408d201593ba8da433017676a3967891b21691e9849c840e |
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\5b884080fd4f94
| MD5 | 154414ab43721c18e0465efe910de669 |
| SHA1 | 5c70339a1d4cf8164cc159800ac6119e136305da |
| SHA256 | 585a91980209df23d11c757f2c67892c2e30a45dfb9fb8c084d9598d3cf9f19a |
| SHA512 | 69913c5f0efb3cbb241ea9faac5dd68cce97d9e1dca51e274f2bcb6647c334b5d7354083e95d3c6911b3b17c9ee1105d311a64f13fbfb0ac86e7e68a35e2995b |
C:\Windows\Help\Windows\ContentStore\en-US\38384e6a620884
| MD5 | 5d5cce74aee3f39e892f05d3b37a0a8e |
| SHA1 | b1d61b3d5fa323ae9ac5207dde1ef0932bd75036 |
| SHA256 | 2aa01cc51cf19018824fe9da4957c3f2d5dc0ce99c9b6e1e610ad4ee36d1b50f |
| SHA512 | 40c3db623f42b341bd1a80da72f140f672611b6acfb25f7a97e34627ae4b0a4612e0e299b59e0de9c633203be7afac428ac0e95b420ac740707d42ccf2a809e6 |
C:\Program Files (x86)\Windows Defender\5940a34987c991
| MD5 | ae5f5ba42eec3860d89674f440ea0f78 |
| SHA1 | 361f33bc98205d1feb2b5034370664238356d143 |
| SHA256 | fec8fa57a79497e5f7bbe2d06d799fbdf8ef7b6c4677073adcc988d0a6c6ad94 |
| SHA512 | 771bc1516b3b6408b963b43303c1e542a56f4c2617170e7c5525cbceb9f1208c89374ba5b4b0d91be9d305bd4aec9f833da5ddda16aa9ef8a28e352972f66dec |
C:\Recovery\WindowsRE\9e8d7a4ca61bd9
| MD5 | 2ba4bd9b8b8edeec349665252f25cbdc |
| SHA1 | 32d5c5bff1a383e3ead42e79f45c7fff21129110 |
| SHA256 | 81cf0c57c9cdcbec7275daec4b6e6a9c664ace6726697d0894a8c22f9a9aa0b8 |
| SHA512 | 9fc685f59ee54f54761e93d342fbd308dcf700f5dcede6f8a022362e52844c382c890e6f2c404165047eea056f6d6d88b2a1404baeff45b655c8d5c7cd8c5061 |
C:\Program Files\Windows Multimedia Platform\0a1fd5f707cd16
| MD5 | 41b0b1f8666e8aeeb51c8ec9a859daf6 |
| SHA1 | ffab8e577ca0ce67e94108b2492e105476bad05d |
| SHA256 | 3abfbcef4f4f73a3c73ca25a5cf3b9012a16f47e9ab577be33506fa0cc79d990 |
| SHA512 | 202c5b6227822f357db7bd289a5d836728b6b08d767475f312fa290f4910a35eeefd652d4f4289b6b0a8bd228e1e12094ecf10354e721d9babe0fbd1b22bcb37 |
C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat
| MD5 | ccb4c9d12a15778ca4d9393023ad16dc |
| SHA1 | fdd20c0602c31e602a7df55799758888ce7e3366 |
| SHA256 | e1940ae025a954bb2b98e6f9c219fd274277b0a36d49199a1e6a4cee58d32da8 |
| SHA512 | cebdf9d569f6fbabaf975f2e66250ec659e92733135dfe232a019e8610e8550b92c1fbdea23de3241e0b518d89147a48fbf2a6e538eefc17a0cc5faa45d5c5a1 |
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\CABD97C1-51E2-44A0-88FD-F08955086650\22eafd247d37c3
| MD5 | d6e28b534af6d035cf931530e53dbdf8 |
| SHA1 | 502a7f927ea89645bcbe2f2965e401cdd5177ad7 |
| SHA256 | c08d10c9a199e52a1813379f6ecfdef5b6020cb1197fc03f8ffcfc42a7148522 |
| SHA512 | 1469fff880437eafcc0fc98082d148e549caf15e4c9280c4638d82ac4db2df09361c9db9747e077d8255b3c1ec87e0ba18af82d1dea7840ae594ca5e20d1e7fc |