Resubmissions
16-11-2024 10:34
241116-ml8y7sylen 10
16-11-2024 10:32
241116-mlb98svdnd 10
15-11-2024 09:16
241115-k8ww2s1mhz 10
30-10-2024 05:17
241030-fy5nzsxejq 10
21-07-2024 18:09
240721-wrvs7syckf 10
21-07-2024 14:26
240721-rsar7svhpj 10
Analysis
-
max time kernel
1779s -
max time network
1779s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system -
submitted
21-07-2024 18:09
Behavioral task
behavioral1
Sample
DCRatBuild.exe
Resource
win10v2004-20240709-en
General
-
Target
DCRatBuild.exe
-
Size
1.1MB
-
MD5
7ef93a29c05d412dd2dc432e1aac54a9
-
SHA1
776cc5c36f370a7e1fa840a21c13f2278723409e
-
SHA256
d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132
-
SHA512
26e00619e47a130fb768b91074915c8a69f8690ac12465f21c1bd7e69f94ae6db9a238ff3c510a719cf1a318a07c80a543212c200b2b2152934a1ad154d13ab6
-
SSDEEP
12288:URZ+IoG/n9IQxW3OBseUUT+tcYbv+RK+UfXST5/rKMyFckcb8M41AT0z/GAFPz3m:u2G/nvxW3WieC7STuMMATKPTVgxr4q
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal (DC) is a new .NET RAT, active since June 2019, that is capable of loading additional plugins.
description ioc pid Process 2628 schtasks.exe 4396 schtasks.exe 1924 schtasks.exe 1812 schtasks.exe 4788 schtasks.exe 1428 schtasks.exe 3352 schtasks.exe 4760 schtasks.exe 3340 schtasks.exe 3504 schtasks.exe 1584 schtasks.exe 2952 schtasks.exe 2508 schtasks.exe 728 schtasks.exe 3532 schtasks.exe 4860 schtasks.exe 4336 schtasks.exe 3036 schtasks.exe 4076 schtasks.exe 1144 schtasks.exe 2212 schtasks.exe 1492 schtasks.exe 2964 schtasks.exe 4704 schtasks.exe 2344 schtasks.exe 2524 schtasks.exe 1340 schtasks.exe 1964 schtasks.exe 1796 schtasks.exe 1820 schtasks.exe 4352 schtasks.exe 1488 schtasks.exe 3748 schtasks.exe 4508 schtasks.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation DCRatBuild.exe 2644 schtasks.exe 4248 schtasks.exe 4568 schtasks.exe 3956 schtasks.exe 5096 schtasks.exe 4928 schtasks.exe 4080 schtasks.exe 3264 schtasks.exe 1396 schtasks.exe 4360 schtasks.exe 1212 schtasks.exe 3008 schtasks.exe 4444 schtasks.exe 3500 schtasks.exe 4520 schtasks.exe 4340 schtasks.exe 2188 schtasks.exe 3652 schtasks.exe 748 schtasks.exe 3848 schtasks.exe 3460 schtasks.exe 5032 schtasks.exe 5056 schtasks.exe 1772 schtasks.exe 4032 schtasks.exe 2612 schtasks.exe 3192 schtasks.exe 4456 schtasks.exe 3912 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 23 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", 
\"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", 
\"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\", \"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\", \"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Application Data\\System.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", 
\"C:\\Users\\Public\\AccountPictures\\cmd.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", 
\"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\", \"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Application Data\\System.exe\", \"C:\\PortproviderRuntime\\dllhost.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", 
\"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\", \"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Application Data\\System.exe\", \"C:\\PortproviderRuntime\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\Bridgewebsvc.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", 
\"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\", \"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Application Data\\System.exe\", \"C:\\PortproviderRuntime\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\Bridgewebsvc.exe\", \"C:\\PortproviderRuntime\\services.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", 
\"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", 
\"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\"" Bridgewebsvc.exe -
Process spawned unexpected child process 64 IoCs
This typically indicates that the parent process was compromised, e.g. via an exploit or a macro. In this run every flagged child is a schtasks.exe invocation under wmiprvse.exe (see the table below, and the schtasks.exe process IDs listed in the DcRat signature above), which is more consistent with the sample creating scheduled tasks through WMI than with an exploit of the WMI provider host itself; treat the WMI-to-schtasks parent/child pair as a persistence indicator when building detections.
description pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 968 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4860 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3912 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4248 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3652 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3264 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4520 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2644 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4456 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4704 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2628 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1328 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3500 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2508 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1584 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5056 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4304 3320 
schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4568 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2344 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3956 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4460 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3532 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1796 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1396 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5096 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1772 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4032 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2612 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4076 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4336 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4396 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1820 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4360 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1212 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4788 3320 schtasks.exe 92 Parent 
C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4688 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1428 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1144 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3192 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 748 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 728 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2212 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1924 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3008 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1492 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3036 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1812 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4340 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3848 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4352 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3352 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4760 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1488 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe 
is not expected to spawn this process 2524 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2964 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3340 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4444 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3460 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4928 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3748 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4508 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5032 3320 schtasks.exe 92 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2188 3320 schtasks.exe 92 -
resource yara_rule behavioral1/files/0x0007000000023415-11.dat dcrat behavioral1/memory/1900-13-0x0000000000800000-0x00000000008D6000-memory.dmp dcrat -
Checks computer location settings 2 TTPs 4 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation Bridgewebsvc.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation DCRatBuild.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation WScript.exe Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation Bridgewebsvc.exe -
Executes dropped EXE 44 IoCs
pid Process 1900 Bridgewebsvc.exe 1480 Bridgewebsvc.exe 5056 dllhost.exe 532 StartMenuExperienceHost.exe 3328 TrustedInstaller.exe 5092 System.exe 1316 RuntimeBroker.exe 3564 Bridgewebsvc.exe 3152 StartMenuExperienceHost.exe 3556 cmd.exe 2064 services.exe 3692 smss.exe 3496 dllhost.exe 4736 SppExtComObj.exe 4032 SearchApp.exe 2080 csrss.exe 3268 upfc.exe 3584 backgroundTaskHost.exe 1036 OfficeClickToRun.exe 2604 spoolsv.exe 5004 StartMenuExperienceHost.exe 1808 TrustedInstaller.exe 4232 System.exe 4368 RuntimeBroker.exe 4904 Bridgewebsvc.exe 1152 StartMenuExperienceHost.exe 4228 cmd.exe 1496 services.exe 4280 smss.exe 4496 dllhost.exe 1896 TrustedInstaller.exe 5000 SppExtComObj.exe 3816 SearchApp.exe 4292 System.exe 4800 StartMenuExperienceHost.exe 1968 csrss.exe 1992 upfc.exe 944 backgroundTaskHost.exe 3000 RuntimeBroker.exe 4944 Bridgewebsvc.exe 1660 OfficeClickToRun.exe 1480 spoolsv.exe 5112 StartMenuExperienceHost.exe 964 cmd.exe -
Adds Run key to start application 2 TTPs 46 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PortproviderRuntime\\services.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\en-US\\RuntimeBroker.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PortproviderRuntime\\dllhost.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PortproviderRuntime\\services.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\PortproviderRuntime\\cmd.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\PortproviderRuntime\\spoolsv.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Public\\Desktop\\upfc.exe\"" Bridgewebsvc.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\All Users\\Application Data\\System.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\PortproviderRuntime\\cmd.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\PortproviderRuntime\\SppExtComObj.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Public\\Desktop\\upfc.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Default User\\upfc.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\en-US\\RuntimeBroker.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PortproviderRuntime\\services.exe\"" Bridgewebsvc.exe Set value 
(str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\RuntimeBroker.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\All Users\\Application Data\\System.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgewebsvc = "\"C:\\Program Files\\VideoLAN\\Bridgewebsvc.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\PortproviderRuntime\\SearchApp.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\RuntimeBroker.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\"" Bridgewebsvc.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\PortproviderRuntime\\SearchApp.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\PortproviderRuntime\\spoolsv.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PortproviderRuntime\\services.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\PortproviderRuntime\\SppExtComObj.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PortproviderRuntime\\dllhost.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgewebsvc = "\"C:\\Program Files\\VideoLAN\\Bridgewebsvc.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = 
"\"C:\\Users\\Public\\AccountPictures\\cmd.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Public\\AccountPictures\\cmd.exe\"" Bridgewebsvc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Default User\\upfc.exe\"" Bridgewebsvc.exe -
Drops file in Program Files directory 10 IoCs
description ioc Process File created C:\Program Files\7-Zip\Lang\TrustedInstaller.exe Bridgewebsvc.exe File created C:\Program Files (x86)\Windows Sidebar\69ddcba757bf72 Bridgewebsvc.exe File created C:\Program Files\7-Zip\backgroundTaskHost.exe Bridgewebsvc.exe File created C:\Program Files\7-Zip\eddb19405b7ce1 Bridgewebsvc.exe File created C:\Program Files\VideoLAN\4d106a1fa18531 Bridgewebsvc.exe File created C:\Program Files\7-Zip\Lang\04c1e7795967e4 Bridgewebsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe Bridgewebsvc.exe File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc Bridgewebsvc.exe File created C:\Program Files (x86)\Windows Sidebar\smss.exe Bridgewebsvc.exe File created C:\Program Files\VideoLAN\Bridgewebsvc.exe Bridgewebsvc.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\servicing\en-US\System.exe Bridgewebsvc.exe File created C:\Windows\en-US\RuntimeBroker.exe Bridgewebsvc.exe File created C:\Windows\en-US\9e8d7a4ca61bd9 Bridgewebsvc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings Bridgewebsvc.exe Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings DCRatBuild.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
schtasks.exe is commonly used by malware to establish persistence or to run payloads after infection.
pid Process 1492 schtasks.exe 2952 schtasks.exe 4076 schtasks.exe 1820 schtasks.exe 4788 schtasks.exe 1964 schtasks.exe 4860 schtasks.exe 3652 schtasks.exe 3460 schtasks.exe 3008 schtasks.exe 1340 schtasks.exe 3500 schtasks.exe 4360 schtasks.exe 2212 schtasks.exe 1772 schtasks.exe 2188 schtasks.exe 3264 schtasks.exe 5056 schtasks.exe 1396 schtasks.exe 4352 schtasks.exe 2524 schtasks.exe 4928 schtasks.exe 3532 schtasks.exe 1212 schtasks.exe 1812 schtasks.exe 4340 schtasks.exe 3848 schtasks.exe 2900 schtasks.exe 2644 schtasks.exe 4304 schtasks.exe 4760 schtasks.exe 2964 schtasks.exe 4444 schtasks.exe 4508 schtasks.exe 2508 schtasks.exe 1796 schtasks.exe 4396 schtasks.exe 1328 schtasks.exe 3036 schtasks.exe 4080 schtasks.exe 748 schtasks.exe 1488 schtasks.exe 3748 schtasks.exe 4688 schtasks.exe 728 schtasks.exe 5032 schtasks.exe 4456 schtasks.exe 2344 schtasks.exe 3956 schtasks.exe 2612 schtasks.exe 1428 schtasks.exe 1144 schtasks.exe 3192 schtasks.exe 4460 schtasks.exe 5096 schtasks.exe 4032 schtasks.exe 3352 schtasks.exe 4704 schtasks.exe 1584 schtasks.exe 1924 schtasks.exe 3912 schtasks.exe 3340 schtasks.exe 3504 schtasks.exe 2628 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1900 Bridgewebsvc.exe 1480 Bridgewebsvc.exe 5056 dllhost.exe 532 StartMenuExperienceHost.exe 3328 TrustedInstaller.exe 1316 RuntimeBroker.exe 3152 StartMenuExperienceHost.exe 2064 services.exe 3496 dllhost.exe 2080 csrss.exe 1036 OfficeClickToRun.exe 5004 StartMenuExperienceHost.exe 1808 TrustedInstaller.exe 4368 RuntimeBroker.exe 1152 StartMenuExperienceHost.exe 1496 services.exe 4496 dllhost.exe 4800 StartMenuExperienceHost.exe 1968 csrss.exe 3000 RuntimeBroker.exe 1660 OfficeClickToRun.exe 5112 StartMenuExperienceHost.exe -
Suspicious use of AdjustPrivilegeToken 44 IoCs
description pid Process Token: SeDebugPrivilege 1900 Bridgewebsvc.exe Token: SeDebugPrivilege 1480 Bridgewebsvc.exe Token: SeDebugPrivilege 5056 dllhost.exe Token: SeDebugPrivilege 532 StartMenuExperienceHost.exe Token: SeDebugPrivilege 3328 TrustedInstaller.exe Token: SeDebugPrivilege 5092 System.exe Token: SeDebugPrivilege 1316 RuntimeBroker.exe Token: SeDebugPrivilege 3564 Bridgewebsvc.exe Token: SeDebugPrivilege 3152 StartMenuExperienceHost.exe Token: SeDebugPrivilege 3556 cmd.exe Token: SeDebugPrivilege 2064 services.exe Token: SeDebugPrivilege 3692 smss.exe Token: SeDebugPrivilege 3496 dllhost.exe Token: SeDebugPrivilege 4736 SppExtComObj.exe Token: SeDebugPrivilege 4032 SearchApp.exe Token: SeDebugPrivilege 2080 csrss.exe Token: SeDebugPrivilege 3268 upfc.exe Token: SeDebugPrivilege 3584 backgroundTaskHost.exe Token: SeDebugPrivilege 1036 OfficeClickToRun.exe Token: SeDebugPrivilege 2604 spoolsv.exe Token: SeDebugPrivilege 5004 StartMenuExperienceHost.exe Token: SeDebugPrivilege 1808 TrustedInstaller.exe Token: SeDebugPrivilege 4232 System.exe Token: SeDebugPrivilege 4368 RuntimeBroker.exe Token: SeDebugPrivilege 4904 Bridgewebsvc.exe Token: SeDebugPrivilege 1152 StartMenuExperienceHost.exe Token: SeDebugPrivilege 4228 cmd.exe Token: SeDebugPrivilege 1496 services.exe Token: SeDebugPrivilege 4280 smss.exe Token: SeDebugPrivilege 4496 dllhost.exe Token: SeDebugPrivilege 1896 TrustedInstaller.exe Token: SeDebugPrivilege 5000 SppExtComObj.exe Token: SeDebugPrivilege 3816 SearchApp.exe Token: SeDebugPrivilege 4292 System.exe Token: SeDebugPrivilege 4800 StartMenuExperienceHost.exe Token: SeDebugPrivilege 1968 csrss.exe Token: SeDebugPrivilege 1992 upfc.exe Token: SeDebugPrivilege 944 backgroundTaskHost.exe Token: SeDebugPrivilege 3000 RuntimeBroker.exe Token: SeDebugPrivilege 4944 Bridgewebsvc.exe Token: SeDebugPrivilege 1660 OfficeClickToRun.exe Token: SeDebugPrivilege 1480 spoolsv.exe Token: SeDebugPrivilege 5112 StartMenuExperienceHost.exe Token: 
SeDebugPrivilege 964 cmd.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 1076 wrote to memory of 3256 1076 DCRatBuild.exe 86 PID 1076 wrote to memory of 3256 1076 DCRatBuild.exe 86 PID 1076 wrote to memory of 3256 1076 DCRatBuild.exe 86 PID 3256 wrote to memory of 2356 3256 WScript.exe 94 PID 3256 wrote to memory of 2356 3256 WScript.exe 94 PID 3256 wrote to memory of 2356 3256 WScript.exe 94 PID 2356 wrote to memory of 1900 2356 cmd.exe 96 PID 2356 wrote to memory of 1900 2356 cmd.exe 96 PID 1900 wrote to memory of 1480 1900 Bridgewebsvc.exe 142 PID 1900 wrote to memory of 1480 1900 Bridgewebsvc.exe 142 PID 1480 wrote to memory of 448 1480 Bridgewebsvc.exe 168 PID 1480 wrote to memory of 448 1480 Bridgewebsvc.exe 168 PID 448 wrote to memory of 4520 448 cmd.exe 170 PID 448 wrote to memory of 4520 448 cmd.exe 170 PID 448 wrote to memory of 5056 448 cmd.exe 173 PID 448 wrote to memory of 5056 448 cmd.exe 173 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run at boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"1⤵
- DcRat
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\PortproviderRuntime\2jiE6dDNxF2hUpVE5Z.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\PortproviderRuntime\OI2YygSphQCiiCNA7ofzvo.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\PortproviderRuntime\Bridgewebsvc.exe"C:\PortproviderRuntime\Bridgewebsvc.exe"4⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\PortproviderRuntime\Bridgewebsvc.exe"C:\PortproviderRuntime\Bridgewebsvc.exe"5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JjySRHXDhh.bat"6⤵
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵PID:4520
C:\PortproviderRuntime\dllhost.exe"C:\PortproviderRuntime\dllhost.exe"7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /f1⤵
- Process spawned unexpected child process
PID:968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\TrustedInstaller.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\TrustedInstaller.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3264
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\PortproviderRuntime\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\PortproviderRuntime\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\PortproviderRuntime\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\upfc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4568
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\PortproviderRuntime\SearchApp.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\PortproviderRuntime\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\PortproviderRuntime\SearchApp.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\PortproviderRuntime\spoolsv.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\PortproviderRuntime\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\PortproviderRuntime\spoolsv.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\PortproviderRuntime\services.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PortproviderRuntime\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\PortproviderRuntime\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\smss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\smss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\PortproviderRuntime\SppExtComObj.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\PortproviderRuntime\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\PortproviderRuntime\SppExtComObj.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\upfc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Desktop\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\upfc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\backgroundTaskHost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\backgroundTaskHost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\System.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4444
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\PortproviderRuntime\dllhost.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PortproviderRuntime\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4508
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\PortproviderRuntime\dllhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgewebsvcB" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\Bridgewebsvc.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Bridgewebsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\Bridgewebsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BridgewebsvcB" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\Bridgewebsvc.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4080
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\PortproviderRuntime\services.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PortproviderRuntime\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\PortproviderRuntime\services.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1964
-
C:\Users\Public\Music\StartMenuExperienceHost.exeC:\Users\Public\Music\StartMenuExperienceHost.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:532
-
C:\Program Files\7-Zip\Lang\TrustedInstaller.exe"C:\Program Files\7-Zip\Lang\TrustedInstaller.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3328
-
C:\Users\All Users\Application Data\System.exe"C:\Users\All Users\Application Data\System.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5092
-
C:\Users\Default\RuntimeBroker.exeC:\Users\Default\RuntimeBroker.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316
-
C:\Program Files\VideoLAN\Bridgewebsvc.exe"C:\Program Files\VideoLAN\Bridgewebsvc.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3564
-
C:\Users\Public\Music\StartMenuExperienceHost.exeC:\Users\Public\Music\StartMenuExperienceHost.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3152
-
C:\Users\Public\AccountPictures\cmd.exeC:\Users\Public\AccountPictures\cmd.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3556
-
C:\PortproviderRuntime\services.exeC:\PortproviderRuntime\services.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-
C:\Program Files (x86)\Windows Sidebar\smss.exe"C:\Program Files (x86)\Windows Sidebar\smss.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3692
-
C:\PortproviderRuntime\dllhost.exeC:\PortproviderRuntime\dllhost.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3496
-
C:\PortproviderRuntime\SppExtComObj.exeC:\PortproviderRuntime\SppExtComObj.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
C:\PortproviderRuntime\SearchApp.exeC:\PortproviderRuntime\SearchApp.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4032
-
C:\Recovery\WindowsRE\csrss.exeC:\Recovery\WindowsRE\csrss.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080
-
C:\Users\Public\Desktop\upfc.exeC:\Users\Public\Desktop\upfc.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3268
-
C:\Program Files\7-Zip\backgroundTaskHost.exe"C:\Program Files\7-Zip\backgroundTaskHost.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3584
-
C:\Recovery\WindowsRE\OfficeClickToRun.exeC:\Recovery\WindowsRE\OfficeClickToRun.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036
-
C:\PortproviderRuntime\spoolsv.exeC:\PortproviderRuntime\spoolsv.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
C:\Users\Public\Music\StartMenuExperienceHost.exeC:\Users\Public\Music\StartMenuExperienceHost.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
C:\Program Files\7-Zip\Lang\TrustedInstaller.exe"C:\Program Files\7-Zip\Lang\TrustedInstaller.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
C:\Users\All Users\Application Data\System.exe"C:\Users\All Users\Application Data\System.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4232
-
C:\Users\Default\RuntimeBroker.exeC:\Users\Default\RuntimeBroker.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368
-
C:\Program Files\VideoLAN\Bridgewebsvc.exe"C:\Program Files\VideoLAN\Bridgewebsvc.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4904
-
C:\Users\Public\Music\StartMenuExperienceHost.exeC:\Users\Public\Music\StartMenuExperienceHost.exe1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152
-
C:\Users\Public\AccountPictures\cmd.exe C:\Users\Public\AccountPictures\cmd.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4228
-
C:\PortproviderRuntime\services.exe C:\PortproviderRuntime\services.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496
-
C:\Program Files (x86)\Windows Sidebar\smss.exe "C:\Program Files (x86)\Windows Sidebar\smss.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280
-
C:\PortproviderRuntime\dllhost.exe C:\PortproviderRuntime\dllhost.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4496
-
C:\Program Files\7-Zip\Lang\TrustedInstaller.exe "C:\Program Files\7-Zip\Lang\TrustedInstaller.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896
-
C:\PortproviderRuntime\SppExtComObj.exe C:\PortproviderRuntime\SppExtComObj.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5000
-
C:\PortproviderRuntime\SearchApp.exe C:\PortproviderRuntime\SearchApp.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3816
-
C:\Users\All Users\Application Data\System.exe "C:\Users\All Users\Application Data\System.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4292
-
C:\Users\Public\Music\StartMenuExperienceHost.exe C:\Users\Public\Music\StartMenuExperienceHost.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800
-
C:\Recovery\WindowsRE\csrss.exe C:\Recovery\WindowsRE\csrss.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
C:\Users\Public\Desktop\upfc.exe C:\Users\Public\Desktop\upfc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992
-
C:\Program Files\7-Zip\backgroundTaskHost.exe "C:\Program Files\7-Zip\backgroundTaskHost.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:944
-
C:\Users\Default\RuntimeBroker.exe C:\Users\Default\RuntimeBroker.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000
-
C:\Program Files\VideoLAN\Bridgewebsvc.exe "C:\Program Files\VideoLAN\Bridgewebsvc.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4944
-
C:\Recovery\WindowsRE\OfficeClickToRun.exe C:\Recovery\WindowsRE\OfficeClickToRun.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
C:\PortproviderRuntime\spoolsv.exe C:\PortproviderRuntime\spoolsv.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1480
-
C:\Users\Public\Music\StartMenuExperienceHost.exe C:\Users\Public\Music\StartMenuExperienceHost.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5112
-
C:\Users\Public\AccountPictures\cmd.exe C:\Users\Public\AccountPictures\cmd.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:964
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads
-
Filesize
218B
MD5 413767cf51f36f7f50d9430d73ea0bb1
SHA1 4469733bce94a114c836ea3591dccb3e689782c7
SHA256 2e118668b3c63457b924aafd6b402e105477030d6157e3d66ba8ba7acad58dcf
SHA512 3c12a46412227f57f8aa815b0b7820ca54eb3fa7a033ea7baa7efad7526755db7998d843a6790880efa87b841e9c6085b793930ae865c2694c8385e5937ee900
-
Filesize
828KB
MD5 fddea23e803e9e5de212e4c0475c8f93
SHA1 c4426bf36ce54917155da2bfbec1508c5a799664
SHA256 f014b4dd1600fb5ecd92de55165573415c2d7ee184a4f70f2f975ee7909150f6
SHA512 05459fc75998ee306e8de7e544aaf744e5c6e1930dcb7e02b94a566a7ad6e874a9fe50a78a1da50b4e7110282e49353f8ced586117d772b600b84d09ee070591
-
Filesize
41B
MD5 863d81db66a0a5864890665ea50c23c5
SHA1 f5a584f4ee5e390b667eaa5e5d9332251388fa7e
SHA256 d4fa2e3203a21efd9f46fd9ea5fcedbabe13bd9a2bc93d0169070507380bbf9b
SHA512 ecb8ff338e0febcfe8965516a58dcdcd63420592467ce1c281f7ccacf7a2ca02bd7a73d52208e98edec3e73ea69477f3ccaa4ddf4b0608e5598a92e110e5d3b0
-
Filesize
596B
MD5 d4766e35a35969468be836db1bf36f54
SHA1 4de3b7bc6d9298a6c185c3e5440fdad24f8dd151
SHA256 afec9c5947463bdfbe52ef9694a994d1c2273c68150f8acb81c414996fcfdb91
SHA512 b9d434b3f0dfc5c7a5d7e91c208659e457ea03d0456341a0548a9b5dd3ab5c59e01bd4dc679e7724e72ea7e6ea25fa386cbba416f15bc8ee72e96a4ee84b4e41
-
Filesize
1KB
MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125
-
Filesize
1KB
MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
-
Filesize
199B
MD5 31e0496b577c6f1debf662b681d5d351
SHA1 a25de7375b311f4b764d0fc4433dbb7f621579bb
SHA256 ed46ef3b47ee2926840c3306badfd605059db92f479deb9f300010c287a80ae3
SHA512 66944f9408402eafddfe46505a9ceb415770a1b041ca8fdf29646625fa17bfbaaffce3be2c7405b0028ed3601ae56ea42e16375e7512fc448da5f051ceb585d5