Malware Analysis Report

2024-11-15 05:53

Sample ID 240721-wrvs7syckf
Target DCRatBuild.exe
SHA256 d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132
Tags
rat dcrat infostealer persistence
score
10/10

Analysis Overview

score
10/10

SHA256

d9cbcae95ae824014b6d2fd6d3269b00b09ab84ed44b45b21c0b1842e7cdc132

Threat Level: Known bad

The file DCRatBuild.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

DcRat

Process spawned unexpected child process

Dcrat family

Modifies WinLogon for persistence

DCRat payload

DCRat payload

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 18:09

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 18:09

Reported

2024-07-21 19:28

Platform

win10v2004-20240709-en

Max time kernel

1779s

Max time network

1779s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (63 identical rows)
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\", \"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\", \"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Application Data\\System.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\", \"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Application Data\\System.exe\", \"C:\\PortproviderRuntime\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\", \"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Application Data\\System.exe\", \"C:\\PortproviderRuntime\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\Bridgewebsvc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\", \"C:\\Recovery\\WindowsRE\\csrss.exe\", \"C:\\PortproviderRuntime\\SppExtComObj.exe\", \"C:\\Users\\Public\\Desktop\\upfc.exe\", \"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\", \"C:\\Users\\All Users\\Application Data\\System.exe\", \"C:\\PortproviderRuntime\\dllhost.exe\", \"C:\\Program Files\\VideoLAN\\Bridgewebsvc.exe\", \"C:\\PortproviderRuntime\\services.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\", \"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\", \"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\", \"C:\\PortproviderRuntime\\cmd.exe\", \"C:\\Users\\Public\\AccountPictures\\cmd.exe\", \"C:\\Users\\Default User\\upfc.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\PortproviderRuntime\\SearchApp.exe\", \"C:\\PortproviderRuntime\\spoolsv.exe\", \"C:\\PortproviderRuntime\\services.exe\", \"C:\\Windows\\en-US\\RuntimeBroker.exe\", \"C:\\Users\\Default\\RuntimeBroker.exe\", \"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\", \"C:\\Recovery\\WindowsRE\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe (64 identical rows)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation C:\PortproviderRuntime\Bridgewebsvc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A (2 identical rows)
N/A N/A C:\PortproviderRuntime\dllhost.exe N/A (3 identical rows)
N/A N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A (6 identical rows)
N/A N/A C:\Program Files\7-Zip\Lang\TrustedInstaller.exe N/A (3 identical rows)
N/A N/A C:\Users\All Users\Application Data\System.exe N/A (3 identical rows)
N/A N/A C:\Users\Default\RuntimeBroker.exe N/A (3 identical rows)
N/A N/A C:\Program Files\VideoLAN\Bridgewebsvc.exe N/A (3 identical rows)
N/A N/A C:\Users\Public\AccountPictures\cmd.exe N/A (3 identical rows)
N/A N/A C:\PortproviderRuntime\services.exe N/A (2 identical rows)
N/A N/A C:\Program Files (x86)\Windows Sidebar\smss.exe N/A (2 identical rows)
N/A N/A C:\PortproviderRuntime\SppExtComObj.exe N/A (2 identical rows)
N/A N/A C:\PortproviderRuntime\SearchApp.exe N/A (2 identical rows)
N/A N/A C:\Recovery\WindowsRE\csrss.exe N/A (2 identical rows)
N/A N/A C:\Users\Public\Desktop\upfc.exe N/A (2 identical rows)
N/A N/A C:\Program Files\7-Zip\backgroundTaskHost.exe N/A (2 identical rows)
N/A N/A C:\Recovery\WindowsRE\OfficeClickToRun.exe N/A (2 identical rows)
N/A N/A C:\PortproviderRuntime\spoolsv.exe N/A (2 identical rows)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PortproviderRuntime\\services.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\en-US\\RuntimeBroker.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PortproviderRuntime\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PortproviderRuntime\\services.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\PortproviderRuntime\\cmd.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\PortproviderRuntime\\spoolsv.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Public\\Desktop\\upfc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\All Users\\Application Data\\System.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\PortproviderRuntime\\cmd.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\PortproviderRuntime\\SppExtComObj.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Public\\Desktop\\upfc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Default User\\upfc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\en-US\\RuntimeBroker.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\WindowsRE\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Recovery\\WindowsRE\\csrss.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PortproviderRuntime\\services.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Program Files\\7-Zip\\Lang\\TrustedInstaller.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Recovery\\WindowsRE\\OfficeClickToRun.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\RuntimeBroker.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Sidebar\\smss.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\All Users\\Application Data\\System.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgewebsvc = "\"C:\\Program Files\\VideoLAN\\Bridgewebsvc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\PortproviderRuntime\\SearchApp.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\RuntimeBroker.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Public\\Music\\StartMenuExperienceHost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\PortproviderRuntime\\SearchApp.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\PortproviderRuntime\\spoolsv.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\PortproviderRuntime\\services.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\PortproviderRuntime\\SppExtComObj.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\backgroundTaskHost = "\"C:\\Program Files\\7-Zip\\backgroundTaskHost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TrustedInstaller = "\"C:\\Recovery\\WindowsRE\\TrustedInstaller.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\PortproviderRuntime\\dllhost.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bridgewebsvc = "\"C:\\Program Files\\VideoLAN\\Bridgewebsvc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Public\\AccountPictures\\cmd.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Public\\AccountPictures\\cmd.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Users\\Default User\\upfc.exe\"" C:\PortproviderRuntime\Bridgewebsvc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\7-Zip\Lang\TrustedInstaller.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\69ddcba757bf72 C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files\7-Zip\backgroundTaskHost.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files\7-Zip\eddb19405b7ce1 C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files\VideoLAN\4d106a1fa18531 C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files\7-Zip\Lang\04c1e7795967e4 C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\smss.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Program Files\VideoLAN\Bridgewebsvc.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\servicing\en-US\System.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Windows\en-US\RuntimeBroker.exe C:\PortproviderRuntime\Bridgewebsvc.exe N/A
File created C:\Windows\en-US\9e8d7a4ca61bd9 C:\PortproviderRuntime\Bridgewebsvc.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
N/A N/A C:\PortproviderRuntime\dllhost.exe N/A
N/A N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\TrustedInstaller.exe N/A
N/A N/A C:\Users\Default\RuntimeBroker.exe N/A
N/A N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A
N/A N/A C:\PortproviderRuntime\services.exe N/A
N/A N/A C:\PortproviderRuntime\dllhost.exe N/A
N/A N/A C:\Recovery\WindowsRE\csrss.exe N/A
N/A N/A C:\Recovery\WindowsRE\OfficeClickToRun.exe N/A
N/A N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A
N/A N/A C:\Program Files\7-Zip\Lang\TrustedInstaller.exe N/A
N/A N/A C:\Users\Default\RuntimeBroker.exe N/A
N/A N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A
N/A N/A C:\PortproviderRuntime\services.exe N/A
N/A N/A C:\PortproviderRuntime\dllhost.exe N/A
N/A N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A
N/A N/A C:\Recovery\WindowsRE\csrss.exe N/A
N/A N/A C:\Users\Default\RuntimeBroker.exe N/A
N/A N/A C:\Recovery\WindowsRE\OfficeClickToRun.exe N/A
N/A N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\Bridgewebsvc.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\TrustedInstaller.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Application Data\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\VideoLAN\Bridgewebsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\AccountPictures\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\services.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Sidebar\smss.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\TrustedInstaller.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Application Data\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\VideoLAN\Bridgewebsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\AccountPictures\cmd.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\services.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Sidebar\smss.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\dllhost.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\Lang\TrustedInstaller.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\SppExtComObj.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\SearchApp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\All Users\Application Data\System.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Desktop\upfc.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\7-Zip\backgroundTaskHost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Default\RuntimeBroker.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\VideoLAN\Bridgewebsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\WindowsRE\OfficeClickToRun.exe N/A
Token: SeDebugPrivilege N/A C:\PortproviderRuntime\spoolsv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\Music\StartMenuExperienceHost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Public\AccountPictures\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1076 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 1076 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 1076 wrote to memory of 3256 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe
PID 3256 wrote to memory of 2356 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 2356 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 2356 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2356 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\PortproviderRuntime\Bridgewebsvc.exe
PID 2356 wrote to memory of 1900 N/A C:\Windows\SysWOW64\cmd.exe C:\PortproviderRuntime\Bridgewebsvc.exe
PID 1900 wrote to memory of 1480 N/A C:\PortproviderRuntime\Bridgewebsvc.exe C:\PortproviderRuntime\Bridgewebsvc.exe
PID 1900 wrote to memory of 1480 N/A C:\PortproviderRuntime\Bridgewebsvc.exe C:\PortproviderRuntime\Bridgewebsvc.exe
PID 1480 wrote to memory of 448 N/A C:\PortproviderRuntime\Bridgewebsvc.exe C:\Windows\System32\cmd.exe
PID 1480 wrote to memory of 448 N/A C:\PortproviderRuntime\Bridgewebsvc.exe C:\Windows\System32\cmd.exe
PID 448 wrote to memory of 4520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 448 wrote to memory of 4520 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 448 wrote to memory of 5056 N/A C:\Windows\System32\cmd.exe C:\PortproviderRuntime\dllhost.exe
PID 448 wrote to memory of 5056 N/A C:\Windows\System32\cmd.exe C:\PortproviderRuntime\dllhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\PortproviderRuntime\2jiE6dDNxF2hUpVE5Z.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\PortproviderRuntime\OI2YygSphQCiiCNA7ofzvo.bat" "

C:\PortproviderRuntime\Bridgewebsvc.exe

"C:\PortproviderRuntime\Bridgewebsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\TrustedInstaller.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstaller" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TrustedInstallerT" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\TrustedInstaller.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\PortproviderRuntime\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\PortproviderRuntime\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\PortproviderRuntime\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\AccountPictures\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\PortproviderRuntime\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\PortproviderRuntime\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 12 /tr "'C:\PortproviderRuntime\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\PortproviderRuntime\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\PortproviderRuntime\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\PortproviderRuntime\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\PortproviderRuntime\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PortproviderRuntime\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\PortproviderRuntime\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\smss.exe'" /rl HIGHEST /f

C:\PortproviderRuntime\Bridgewebsvc.exe

"C:\PortproviderRuntime\Bridgewebsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\PortproviderRuntime\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\PortproviderRuntime\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\PortproviderRuntime\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Desktop\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Application Data\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\PortproviderRuntime\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\PortproviderRuntime\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\PortproviderRuntime\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BridgewebsvcB" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\Bridgewebsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Bridgewebsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\Bridgewebsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BridgewebsvcB" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\Bridgewebsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\PortproviderRuntime\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\PortproviderRuntime\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\PortproviderRuntime\services.exe'" /rl HIGHEST /f
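
The schtasks invocations above follow one template per dropped file: an ONLOGON task under the borrowed binary name, a MINUTE task under that name plus its own first letter (csrss/csrssc, upfc/upfcu, SppExtComObj/SppExtComObjS), and a second MINUTE task that overwrites the first with /rl HIGHEST; /f suppresses the "task already exists" warning, so the sequence leaves no prompt behind. The Python below is an added example (the editor's code, not part of the sandbox output or of the sample) that parses command lines in this form and reports that shape per target binary. The embedded lines are copied from the list above for three of the targets; the helper names and the four-trait rule in is_dcrat_shape are the editor's choices.

```python
import re
from collections import defaultdict

# Added example (editor's code). The schtasks /create lines are copied from the
# process list above for three of the dropped binaries.
SCHTASKS_LOG = r'''
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\PortproviderRuntime\SppExtComObj.exe'" /f
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\PortproviderRuntime\SppExtComObj.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\PortproviderRuntime\SppExtComObj.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\upfc.exe'" /f
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Public\Desktop\upfc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\upfc.exe'" /rl HIGHEST /f
'''

# One switch and its optional value. A value never starts with '/', so
# "/create /tn" reads as two switches; a double-quoted value may contain
# spaces (Program Files paths).
SWITCH_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|[^/\s]\S*))?')


def parse_schtasks(line):
    """Return the switches of one schtasks command line as {switch: value}.
    Valueless switches such as /f map to True; the "'path'" wrapping DCRat
    puts around /tr targets is stripped."""
    opts = {}
    for m in SWITCH_RE.finditer(line):
        key, val = m.group(1).lower(), m.group(2)
        opts[key] = True if val is None else val.strip('"').strip("'")
    return opts


def persistence_profile(lines):
    """Group /create commands by target binary and summarise the shape seen
    in this report: an ONLOGON task plus short MINUTE tasks on the same file,
    /rl HIGHEST, /f on every call, and a sibling task name formed by appending
    the base name's own first character (csrss -> csrssc)."""
    by_target = defaultdict(list)
    for line in lines:
        if '/create' not in line.lower():
            continue
        t = parse_schtasks(line)
        if 'tr' in t and 'tn' in t:
            by_target[t['tr'].lower()].append(t)
    profile = {}
    for target, tasks in by_target.items():
        names = {t['tn'] for t in tasks}
        base = min(names, key=len)
        scheds = {str(t.get('sc', '')).upper() for t in tasks}
        profile[target] = {
            'task_names': sorted(names),
            'on_logon': 'ONLOGON' in scheds,
            'minute_intervals': sorted(int(t['mo']) for t in tasks
                                       if str(t.get('sc', '')).upper() == 'MINUTE' and 'mo' in t),
            'highest': any(str(t.get('rl', '')).upper() == 'HIGHEST' for t in tasks),
            'forced': all(t.get('f') is True for t in tasks),
            'suffix_sibling': (base + base[0]) in names,
        }
    return profile


def is_dcrat_shape(p):
    """All four traits together: logon trigger, minute re-launch, highest run
    level, and the suffix-sibling task name."""
    return p['on_logon'] and bool(p['minute_intervals']) and p['highest'] and p['suffix_sibling']


def analyze_report_excerpt():
    return persistence_profile(SCHTASKS_LOG.splitlines())


if __name__ == '__main__':
    for target, p in analyze_report_excerpt().items():
        print(('DCRAT-LIKE ' if is_dcrat_shape(p) else '           ') + target, p)
```

The same parser works on the Security log (event 4698 carries the task XML rather than the command line) only after a format change; against process-creation telemetry (Sysmon event 1 or 4688 with command-line auditing) it applies as written, and the per-target grouping is what separates this pattern from a single legitimate /create.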

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JjySRHXDhh.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\PortproviderRuntime\dllhost.exe

"C:\PortproviderRuntime\dllhost.exe"

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Program Files\7-Zip\Lang\TrustedInstaller.exe

"C:\Program Files\7-Zip\Lang\TrustedInstaller.exe"

C:\Users\All Users\Application Data\System.exe

"C:\Users\All Users\Application Data\System.exe"

C:\Users\Default\RuntimeBroker.exe

C:\Users\Default\RuntimeBroker.exe

C:\Program Files\VideoLAN\Bridgewebsvc.exe

"C:\Program Files\VideoLAN\Bridgewebsvc.exe"

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Users\Public\AccountPictures\cmd.exe

C:\Users\Public\AccountPictures\cmd.exe

C:\PortproviderRuntime\services.exe

C:\PortproviderRuntime\services.exe

C:\Program Files (x86)\Windows Sidebar\smss.exe

"C:\Program Files (x86)\Windows Sidebar\smss.exe"

C:\PortproviderRuntime\dllhost.exe

C:\PortproviderRuntime\dllhost.exe

C:\PortproviderRuntime\SppExtComObj.exe

C:\PortproviderRuntime\SppExtComObj.exe

C:\PortproviderRuntime\SearchApp.exe

C:\PortproviderRuntime\SearchApp.exe

C:\Recovery\WindowsRE\csrss.exe

C:\Recovery\WindowsRE\csrss.exe

C:\Users\Public\Desktop\upfc.exe

C:\Users\Public\Desktop\upfc.exe

C:\Program Files\7-Zip\backgroundTaskHost.exe

"C:\Program Files\7-Zip\backgroundTaskHost.exe"

C:\Recovery\WindowsRE\OfficeClickToRun.exe

C:\Recovery\WindowsRE\OfficeClickToRun.exe

C:\PortproviderRuntime\spoolsv.exe

C:\PortproviderRuntime\spoolsv.exe

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Program Files\7-Zip\Lang\TrustedInstaller.exe

"C:\Program Files\7-Zip\Lang\TrustedInstaller.exe"

C:\Users\All Users\Application Data\System.exe

"C:\Users\All Users\Application Data\System.exe"

C:\Users\Default\RuntimeBroker.exe

C:\Users\Default\RuntimeBroker.exe

C:\Program Files\VideoLAN\Bridgewebsvc.exe

"C:\Program Files\VideoLAN\Bridgewebsvc.exe"

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Users\Public\AccountPictures\cmd.exe

C:\Users\Public\AccountPictures\cmd.exe

C:\PortproviderRuntime\services.exe

C:\PortproviderRuntime\services.exe

C:\Program Files (x86)\Windows Sidebar\smss.exe

"C:\Program Files (x86)\Windows Sidebar\smss.exe"

C:\PortproviderRuntime\dllhost.exe

C:\PortproviderRuntime\dllhost.exe

C:\Program Files\7-Zip\Lang\TrustedInstaller.exe

"C:\Program Files\7-Zip\Lang\TrustedInstaller.exe"

C:\PortproviderRuntime\SppExtComObj.exe

C:\PortproviderRuntime\SppExtComObj.exe

C:\PortproviderRuntime\SearchApp.exe

C:\PortproviderRuntime\SearchApp.exe

C:\Users\All Users\Application Data\System.exe

"C:\Users\All Users\Application Data\System.exe"

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Recovery\WindowsRE\csrss.exe

C:\Recovery\WindowsRE\csrss.exe

C:\Users\Public\Desktop\upfc.exe

C:\Users\Public\Desktop\upfc.exe

C:\Program Files\7-Zip\backgroundTaskHost.exe

"C:\Program Files\7-Zip\backgroundTaskHost.exe"

C:\Users\Default\RuntimeBroker.exe

C:\Users\Default\RuntimeBroker.exe

C:\Program Files\VideoLAN\Bridgewebsvc.exe

"C:\Program Files\VideoLAN\Bridgewebsvc.exe"

C:\Recovery\WindowsRE\OfficeClickToRun.exe

C:\Recovery\WindowsRE\OfficeClickToRun.exe

C:\PortproviderRuntime\spoolsv.exe

C:\PortproviderRuntime\spoolsv.exe

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Users\Public\Music\StartMenuExperienceHost.exe

C:\Users\Public\AccountPictures\cmd.exe

C:\Users\Public\AccountPictures\cmd.exe
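
Every dropped executable above borrows the name of a Windows component (csrss, smss, services, dllhost, spoolsv, RuntimeBroker, TrustedInstaller, SearchApp and so on) but runs from a directory those binaries never occupy: C:\Recovery\WindowsRE, C:\PortproviderRuntime, folders under C:\Users\Public and C:\Users\Default, the 7-Zip and VideoLAN directories under Program Files, and a System.exe under ProgramData (reached through the All Users\Application Data junctions) although the System process has no image on disk at all. The w32tm /stripchart call launched from JjySRHXDhh.bat is a batch-file sleep, not time synchronisation: with /period:5 and /samples:2 it blocks for several seconds before the next launch. The Python below is an added example (the editor's code, not sandbox output) that checks process image paths against an allow-list of where each borrowed name legitimately lives. The allow-list reflects a stock Windows 10 install and is an assumption to tune per environment; the embedded paths are copied from the list above plus two legitimate System32 binaries the sample invoked, for contrast. Note what a name-based check misses: Bridgewebsvc.exe is not a Windows name, so on this page it surfaces only through the other signals (unsigned PE, its schtasks entries, the CLR usage log it writes).

```python
import ntpath

# Added example (editor's code). Image paths copied from the process list
# above, plus C:\Windows\System32\cmd.exe and w32tm.exe as legitimate controls.
IMAGE_PATHS = [l.strip() for l in r'''
C:\Windows\System32\cmd.exe
C:\Windows\system32\w32tm.exe
C:\PortproviderRuntime\dllhost.exe
C:\Users\Public\Music\StartMenuExperienceHost.exe
C:\Program Files\7-Zip\Lang\TrustedInstaller.exe
C:\Users\All Users\Application Data\System.exe
C:\Users\Default\RuntimeBroker.exe
C:\Program Files\VideoLAN\Bridgewebsvc.exe
C:\Users\Public\AccountPictures\cmd.exe
C:\PortproviderRuntime\services.exe
C:\Program Files (x86)\Windows Sidebar\smss.exe
C:\PortproviderRuntime\SppExtComObj.exe
C:\PortproviderRuntime\SearchApp.exe
C:\Recovery\WindowsRE\csrss.exe
C:\Users\Public\Desktop\upfc.exe
C:\Program Files\7-Zip\backgroundTaskHost.exe
C:\Recovery\WindowsRE\OfficeClickToRun.exe
C:\PortproviderRuntime\spoolsv.exe
'''.splitlines() if l.strip()]

# Where each borrowed name legitimately lives on a stock Windows 10 install.
# Editor's allow-list (an assumption; tune it per environment). Directories
# are compared case-insensitively. "System" is the kernel process and has no
# on-disk image, so a System.exe anywhere is suspect.
SYS = (r'c:\windows\system32', r'c:\windows\syswow64')
EXPECTED_DIRS = {
    'csrss.exe': SYS, 'smss.exe': SYS, 'services.exe': SYS, 'spoolsv.exe': SYS,
    'dllhost.exe': SYS, 'runtimebroker.exe': SYS, 'sppextcomobj.exe': SYS,
    'upfc.exe': SYS, 'backgroundtaskhost.exe': SYS, 'cmd.exe': SYS,
    'searchapp.exe': (r'c:\windows\systemapps',),
    'startmenuexperiencehost.exe': (r'c:\windows\systemapps',),
    'trustedinstaller.exe': (r'c:\windows\servicing',),
    'officeclicktorun.exe': (r'c:\program files\common files\microsoft shared\clicktorun',),
    'system.exe': (),
}


def _under(dirname, prefix):
    """True when dirname is prefix itself or a subdirectory of it."""
    return dirname == prefix or dirname.startswith(prefix + '\\')


def masquerade_findings(image_paths):
    """Flag executables whose file name is a Windows system binary's but whose
    directory is not one that binary legitimately occupies. Returns
    [(path, reason)] in input order; names outside the allow-list are ignored."""
    findings = []
    for raw in image_paths:
        path = raw.strip().strip('"')          # command lines may quote the path
        name = ntpath.basename(path).lower()
        if name not in EXPECTED_DIRS:
            continue
        allowed = EXPECTED_DIRS[name]
        dirname = ntpath.dirname(path).lower()
        if not allowed:
            findings.append((path, 'name has no legitimate on-disk image'))
        elif not any(_under(dirname, p) for p in allowed):
            findings.append((path, 'system binary name outside ' + ' or '.join(allowed)))
    return findings


def report_excerpt_findings():
    return masquerade_findings(IMAGE_PATHS)


if __name__ == '__main__':
    for path, reason in report_excerpt_findings():
        print(f'{path}: {reason}')
```

Run over a process-creation feed, the same function turns the "Executes dropped EXE" list into a per-host hunt: any hit is worth a look, and a hit on csrss.exe, smss.exe or services.exe outside System32 is close to a certainty, since Windows never launches those names from elsewhere.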

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 f1008885.xsph.ru udp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
US 8.8.8.8:53 151.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
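
In the table, the in-addr.arpa queries are the operating system reverse-resolving peer addresses (8.8.8.8 itself, Microsoft ranges, and 141.8.192.151 right after first contact) and tse1.mm.bing.net is background traffic from the Windows image; neither is sample activity. The one endpoint the sample itself talks to is f1008885.xsph.ru at 141.8.192.151, over plaintext HTTP on port 80, 40 connections within the 1779-second run. The Python below is an added example (the editor's code, not sandbox output) that parses a table in this layout, separates PTR noise from forward lookups and flows, and ranks repeated flows to hosts outside a noise list as C2 candidates. The embedded rows are an excerpt of the table above; the noise suffix list and the three-hit threshold are the editor's assumptions.

```python
from collections import Counter

# Added example (editor's code). NETWORK_ROWS is an excerpt of the Network
# table above: its header and a sample of its rows. The full table carries
# 40 connections to the RU host.
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 f1008885.xsph.ru udp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
US 8.8.8.8:53 151.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
RU 141.8.192.151:80 f1008885.xsph.ru tcp
"""

# Hosts the analysis VM contacts on its own (editor's assumption; extend per lab).
SANDBOX_NOISE_SUFFIXES = ('.bing.net', '.microsoft.com', '.windowsupdate.com')


def parse_rows(text):
    """Turn the four-column table into dicts; the header row is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(':', 1)
        rows.append({'country': country, 'ip': ip, 'port': int(port),
                     'domain': domain, 'proto': proto})
    return rows


def classify(rows):
    """Split rows into PTR lookups (the OS reverse-resolving peers; noise),
    forward DNS queries, and a Counter of flows keyed by
    (ip, port, domain, country)."""
    ptr, dns, flows = [], [], Counter()
    for r in rows:
        if r['proto'] == 'udp' and r['port'] == 53:
            (ptr if r['domain'].endswith('.in-addr.arpa') else dns).append(r['domain'])
        else:
            flows[(r['ip'], r['port'], r['domain'], r['country'])] += 1
    return ptr, dns, flows


def c2_candidates(flows, min_hits=3):
    """Flows repeated at least min_hits times to a host that is not known VM
    noise, most-contacted first; 'cleartext' marks plain HTTP on port 80."""
    out = []
    for (ip, port, domain, country), hits in flows.items():
        if hits < min_hits or domain.endswith(SANDBOX_NOISE_SUFFIXES):
            continue
        out.append({'ip': ip, 'port': port, 'domain': domain, 'country': country,
                    'hits': hits, 'cleartext': port == 80})
    return sorted(out, key=lambda c: (-c['hits'], c['domain']))


def report_excerpt_candidates():
    _, _, flows = classify(parse_rows(NETWORK_ROWS))
    return c2_candidates(flows)


if __name__ == '__main__':
    for c in report_excerpt_candidates():
        print(c)
```

Because the beacon is cleartext, a full packet capture from the same detonation would also yield the HTTP request path and User-Agent for a network signature; the table alone supports a domain/IP block and a "repeated port-80 flows to a newly-seen host" hunt.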

Files

C:\PortproviderRuntime\2jiE6dDNxF2hUpVE5Z.vbe

MD5 413767cf51f36f7f50d9430d73ea0bb1
SHA1 4469733bce94a114c836ea3591dccb3e689782c7
SHA256 2e118668b3c63457b924aafd6b402e105477030d6157e3d66ba8ba7acad58dcf
SHA512 3c12a46412227f57f8aa815b0b7820ca54eb3fa7a033ea7baa7efad7526755db7998d843a6790880efa87b841e9c6085b793930ae865c2694c8385e5937ee900

C:\PortproviderRuntime\OI2YygSphQCiiCNA7ofzvo.bat

MD5 863d81db66a0a5864890665ea50c23c5
SHA1 f5a584f4ee5e390b667eaa5e5d9332251388fa7e
SHA256 d4fa2e3203a21efd9f46fd9ea5fcedbabe13bd9a2bc93d0169070507380bbf9b
SHA512 ecb8ff338e0febcfe8965516a58dcdcd63420592467ce1c281f7ccacf7a2ca02bd7a73d52208e98edec3e73ea69477f3ccaa4ddf4b0608e5598a92e110e5d3b0

C:\PortproviderRuntime\Bridgewebsvc.exe

MD5 fddea23e803e9e5de212e4c0475c8f93
SHA1 c4426bf36ce54917155da2bfbec1508c5a799664
SHA256 f014b4dd1600fb5ecd92de55165573415c2d7ee184a4f70f2f975ee7909150f6
SHA512 05459fc75998ee306e8de7e544aaf744e5c6e1930dcb7e02b94a566a7ad6e874a9fe50a78a1da50b4e7110282e49353f8ced586117d772b600b84d09ee070591

memory/1900-12-0x00007FF8BBA93000-0x00007FF8BBA95000-memory.dmp

memory/1900-13-0x0000000000800000-0x00000000008D6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Bridgewebsvc.exe.log

MD5 7f3c0ae41f0d9ae10a8985a2c327b8fb
SHA1 d58622bf6b5071beacf3b35bb505bde2000983e3
SHA256 519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900
SHA512 8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

C:\PortproviderRuntime\c5b4cb5e9653cc

MD5 d4766e35a35969468be836db1bf36f54
SHA1 4de3b7bc6d9298a6c185c3e5440fdad24f8dd151
SHA256 afec9c5947463bdfbe52ef9694a994d1c2273c68150f8acb81c414996fcfdb91
SHA512 b9d434b3f0dfc5c7a5d7e91c208659e457ea03d0456341a0548a9b5dd3ab5c59e01bd4dc679e7724e72ea7e6ea25fa386cbba416f15bc8ee72e96a4ee84b4e41

C:\Users\Admin\AppData\Local\Temp\JjySRHXDhh.bat

MD5 31e0496b577c6f1debf662b681d5d351
SHA1 a25de7375b311f4b764d0fc4433dbb7f621579bb
SHA256 ed46ef3b47ee2926840c3306badfd605059db92f479deb9f300010c287a80ae3
SHA512 66944f9408402eafddfe46505a9ceb415770a1b041ca8fdf29646625fa17bfbaaffce3be2c7405b0028ed3601ae56ea42e16375e7512fc448da5f051ceb585d5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545
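
The Files list pairs each dropped artefact with four digests; the memory/... entries are sandbox memory dumps, not files, and carry no hashes. The .vbe in C:\PortproviderRuntime is Microsoft's encoded-VBScript format, and the CLR_v4.0\UsageLogs\*.exe.log files are written by the .NET Framework when a managed executable of that name runs, which shows Bridgewebsvc.exe and RuntimeBroker.exe here are .NET assemblies rather than the native Windows binaries they impersonate. The Python below is an added example (the editor's code, not sandbox output) that parses this listing into records, sanity-checks digest lengths before the values go into a blocklist, builds a lookup keyed by any of the four digests, and uses it to sweep files on disk. The embedded text is an excerpt of the list above.

```python
import hashlib
import re

# Added example (editor's code). FILES_SECTION is an excerpt of the Files
# listing above: the .vbe, one memory-dump entry (no hashes) and the batch file.
FILES_SECTION = r'''
C:\PortproviderRuntime\2jiE6dDNxF2hUpVE5Z.vbe

MD5 413767cf51f36f7f50d9430d73ea0bb1
SHA1 4469733bce94a114c836ea3591dccb3e689782c7
SHA256 2e118668b3c63457b924aafd6b402e105477030d6157e3d66ba8ba7acad58dcf
SHA512 3c12a46412227f57f8aa815b0b7820ca54eb3fa7a033ea7baa7efad7526755db7998d843a6790880efa87b841e9c6085b793930ae865c2694c8385e5937ee900

memory/1900-13-0x0000000000800000-0x00000000008D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\JjySRHXDhh.bat

MD5 31e0496b577c6f1debf662b681d5d351
SHA1 a25de7375b311f4b764d0fc4433dbb7f621579bb
SHA256 ed46ef3b47ee2926840c3306badfd605059db92f479deb9f300010c287a80ae3
SHA512 66944f9408402eafddfe46505a9ceb415770a1b041ca8fdf29646625fa17bfbaaffce3be2c7405b0028ed3601ae56ea42e16375e7512fc448da5f051ceb585d5
'''

HASH_LINE = re.compile(r'^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$')
DIGEST_LEN = {'md5': 32, 'sha1': 40, 'sha256': 64, 'sha512': 128}


def parse_files_section(text):
    """One record per path line; the hash lines that follow attach to it.
    Entries without hash lines (memory dumps) get an empty dict."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current['hashes'][m.group(1).lower()] = m.group(2).lower()
        else:
            current = {'path': line, 'hashes': {}}
            records.append(current)
    return records


def validate(records):
    """(path, algorithm) for every digest whose length is wrong for its
    algorithm: a copy-paste check before the values reach a blocklist."""
    return [(r['path'], algo) for r in records
            for algo, h in r['hashes'].items() if len(h) != DIGEST_LEN[algo]]


def build_index(records):
    """Map every digest, whatever the algorithm, to the path it identifies."""
    return {h: r['path'] for r in records for h in r['hashes'].values()}


def hash_bytes(data):
    return {a: hashlib.new(a, data).hexdigest() for a in DIGEST_LEN}


def match_bytes(data, index):
    """Report path whose recorded digest matches data, or None."""
    for digest in hash_bytes(data).values():
        if digest in index:
            return index[digest]
    return None


def scan_files(paths, index):
    """Hash files on disk; unreadable paths are skipped, matches are returned
    as (path_on_disk, path_in_report)."""
    hits = []
    for p in paths:
        try:
            with open(p, 'rb') as fh:
                data = fh.read()
        except OSError:
            continue
        found = match_bytes(data, index)
        if found is not None:
            hits.append((p, found))
    return hits


if __name__ == '__main__':
    recs = parse_files_section(FILES_SECTION)
    print('bad digests:', validate(recs))
    idx = build_index(recs)
    print(len(idx), 'digests indexed;',
          scan_files([r'C:\PortproviderRuntime\2jiE6dDNxF2hUpVE5Z.vbe',
                      r'C:\Users\Admin\AppData\Local\Temp\JjySRHXDhh.bat'], idx))
```

Hash matching only catches byte-identical drops; since DCRat builds are generated per operator, pair the digests with the path and scheduled-task patterns from the earlier sections rather than relying on them alone.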