dcrat | 3a1040de1d848bcc5564bf5d45188bbd0e69bbb43f9f6ab489d61259d843ddf8

Analysis

max time kernel
138s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2023 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87a68d59a505ea17432de19240f49590.exe
Size

6KB
MD5

87a68d59a505ea17432de19240f49590
SHA1

4b7d59eaff27ad9d1454446977b938d3b2c8b29a
SHA256

3a1040de1d848bcc5564bf5d45188bbd0e69bbb43f9f6ab489d61259d843ddf8
SHA512

ec0fb3316d4d8cfe5d245f44f123834df704a096837f49d235a5a577b0012cc8470135287ed171019c881f71522d9177fb3e19fddf132e3ebba860555e79d95a
SSDEEP

48:6vBII9IyeZAvPloQISLlOS6UXrg6Llf+NQz6VVjmEv04AWfch3HRCZnr10qBHs3U:Aec991gogZRRmxYcY0kGIp2LdzNt

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

containerRuntime.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\odt\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\odt\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\", \"C:\\odt\\OfficeClickToRun.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\odt\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\", \"C:\\odt\\OfficeClickToRun.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default\\wininit.exe\", \"C:\\Users\\Default\\Music\\RuntimeBroker.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\odt\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\", \"C:\\odt\\OfficeClickToRun.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default\\wininit.exe\", \"C:\\Users\\Default\\Music\\RuntimeBroker.exe\", \"C:\\Windows\\SKB\\LanguageModels\\csrss.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\odt\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\odt\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\", \"C:\\odt\\OfficeClickToRun.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\odt\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\", \"C:\\odt\\OfficeClickToRun.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default\\wininit.exe\", \"C:\\Users\\Default\\Music\\RuntimeBroker.exe\", \"C:\\Windows\\SKB\\LanguageModels\\csrss.exe\", \"C:\\BridgeWin\\Idle.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\odt\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\", \"C:\\odt\\OfficeClickToRun.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default\\wininit.exe\", \"C:\\Users\\Default\\Music\\RuntimeBroker.exe\", \"C:\\Windows\\SKB\\LanguageModels\\csrss.exe\", \"C:\\BridgeWin\\Idle.exe\", \"C:\\Windows\\Registration\\dllhost.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\en-US\\csrss.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\odt\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\", \"C:\\odt\\OfficeClickToRun.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default\\wininit.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\odt\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\", \"C:\\odt\\OfficeClickToRun.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\conhost.exe\", \"C:\\Recovery\\WindowsRE\\spoolsv.exe\", \"C:\\Users\\Default\\wininit.exe\", \"C:\\Users\\Default\\Music\\RuntimeBroker.exe\", \"C:\\Windows\\SKB\\LanguageModels\\csrss.exe\", \"C:\\BridgeWin\\Idle.exe\", \"C:\\Windows\\Registration\\dllhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\", \"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\", \"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\", \"C:\\odt\\containerRuntime.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\", \"C:\\odt\\OfficeClickToRun.exe\", \"C:\\Windows\\Logs\\WindowsUpdate\\conhost.exe\""	containerRuntime.exe

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4500	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4468	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	100	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3820	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3156	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3896	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4376	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3508	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4416	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3572	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3964	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1732	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1732	schtasks.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\ProgramData\file1.exe	dcrat
C:\ProgramData\file1.exe	dcrat
C:\BridgeWin\containerRuntime.exe	dcrat
C:\BridgeWin\containerRuntime.exe	dcrat
behavioral2/memory/1324-147-0x0000000000E30000-0x0000000000F20000-memory.dmp	dcrat
C:\Program Files (x86)\Windows Portable Devices\87a68d59a505ea17432de19240f49590.exe	dcrat
C:\Program Files (x86)\Windows Portable Devices\87a68d59a505ea17432de19240f49590.exe	dcrat

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

file1.execontainerRuntime.exe87a68d59a505ea17432de19240f49590.exe

pid process

4308 file1.exe
1324 containerRuntime.exe
776 87a68d59a505ea17432de19240f49590.exe

pid	process
4308	file1.exe
1324	containerRuntime.exe
776	87a68d59a505ea17432de19240f49590.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

87a68d59a505ea17432de19240f49590.exefile1.exeWScript.execontainerRuntime.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	87a68d59a505ea17432de19240f49590.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	file1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	containerRuntime.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

containerRuntime.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Logs\\WindowsUpdate\\conhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\SKB\\LanguageModels\\csrss.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\odt\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Registration\\dllhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\odt\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\odt\\OfficeClickToRun.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Users\\Default\\Start Menu\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87a68d59a505ea17432de19240f49590 = "\"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\Logs\\WindowsUpdate\\conhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\wininit.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\Music\\RuntimeBroker.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Internet Explorer\\it-IT\\fontdrvhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Registration\\dllhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\en-US\\csrss.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\en-US\\csrss.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\WindowsRE\\spoolsv.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87a68d59a505ea17432de19240f49590 = "\"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87a68d59a505ea17432de19240f49590 = "\"C:\\Program Files (x86)\\Windows Portable Devices\\87a68d59a505ea17432de19240f49590.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\87a68d59a505ea17432de19240f49590 = "\"C:\\BridgeWin\\87a68d59a505ea17432de19240f49590.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\Music\\RuntimeBroker.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerRuntime = "\"C:\\Program Files (x86)\\Reference Assemblies\\containerRuntime.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\odt\\OfficeClickToRun.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\wininit.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\SKB\\LanguageModels\\csrss.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\BridgeWin\\Idle.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\BridgeWin\\Idle.exe\""	containerRuntime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Recovery\\WindowsRE\\fontdrvhost.exe\""	containerRuntime.exe

Drops file in Program Files directory 8 IoCs

Processes:

containerRuntime.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\en-US\886983d96e3d3e	containerRuntime.exe
File created	C:\Program Files (x86)\Windows Portable Devices\87a68d59a505ea17432de19240f49590.exe	containerRuntime.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5e25b44a73808b	containerRuntime.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\fontdrvhost.exe	containerRuntime.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\5b884080fd4f94	containerRuntime.exe
File created	C:\Program Files (x86)\Reference Assemblies\containerRuntime.exe	containerRuntime.exe
File created	C:\Program Files (x86)\Reference Assemblies\12549c30660286	containerRuntime.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe	containerRuntime.exe

Drops file in Windows directory 6 IoCs

Processes:

containerRuntime.exe

description	ioc	process
File created	C:\Windows\Logs\WindowsUpdate\088424020bedd6	containerRuntime.exe
File created	C:\Windows\SKB\LanguageModels\csrss.exe	containerRuntime.exe
File created	C:\Windows\SKB\LanguageModels\886983d96e3d3e	containerRuntime.exe
File created	C:\Windows\Registration\dllhost.exe	containerRuntime.exe
File created	C:\Windows\Registration\5940a34987c991	containerRuntime.exe
File created	C:\Windows\Logs\WindowsUpdate\conhost.exe	containerRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

pid	process
3760	schtasks.exe
1592	schtasks.exe
3368	schtasks.exe
3572	schtasks.exe
2852	schtasks.exe
4476	schtasks.exe
3156	schtasks.exe
4624	schtasks.exe
5096	schtasks.exe
2680	schtasks.exe
4220	schtasks.exe
3524	schtasks.exe
640	schtasks.exe
1364	schtasks.exe
2112	schtasks.exe
5028	schtasks.exe
1096	schtasks.exe
2292	schtasks.exe
5044	schtasks.exe
3896	schtasks.exe
4376	schtasks.exe
3964	schtasks.exe
3596	schtasks.exe
2176	schtasks.exe
5088	schtasks.exe
220	schtasks.exe
2784	schtasks.exe
4768	schtasks.exe
2088	schtasks.exe
3748	schtasks.exe
4816	schtasks.exe
4424	schtasks.exe
3508	schtasks.exe
4416	schtasks.exe
428	schtasks.exe
4500	schtasks.exe
1068	schtasks.exe
4468	schtasks.exe
4900	schtasks.exe
1600	schtasks.exe
988	schtasks.exe
1236	schtasks.exe
1584	schtasks.exe
2312	schtasks.exe
4348	schtasks.exe
392	schtasks.exe
100	schtasks.exe
3820	schtasks.exe

Modifies registry class 1 IoCs

Processes:

file1.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings file1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	file1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

containerRuntime.exepowershell.exepowershell.exesihclient.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
1324	containerRuntime.exe
372	powershell.exe
372	powershell.exe
740	powershell.exe
740	powershell.exe
3888	sihclient.exe
3888	sihclient.exe
832	powershell.exe
832	powershell.exe
1652	powershell.exe
1652	powershell.exe
2248	powershell.exe
2248	powershell.exe
4676	powershell.exe
4676	powershell.exe
4760	powershell.exe
4760	powershell.exe
1336	powershell.exe
1336	powershell.exe
4244	powershell.exe
4244	powershell.exe
3552	powershell.exe
3552	powershell.exe
1052	powershell.exe
1052	powershell.exe
4064	powershell.exe
4064	powershell.exe
3616	powershell.exe
3616	powershell.exe
5020	powershell.exe
5020	powershell.exe
2360	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

87a68d59a505ea17432de19240f49590.exe

pid process

776 87a68d59a505ea17432de19240f49590.exe

pid	process
776	87a68d59a505ea17432de19240f49590.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

87a68d59a505ea17432de19240f49590.execontainerRuntime.exepowershell.exepowershell.exesihclient.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe87a68d59a505ea17432de19240f49590.exe

description	pid	process
Token: SeDebugPrivilege	4820	87a68d59a505ea17432de19240f49590.exe
Token: SeDebugPrivilege	1324	containerRuntime.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	740	powershell.exe
Token: SeDebugPrivilege	3888	sihclient.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4760	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	3616	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	776	87a68d59a505ea17432de19240f49590.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

87a68d59a505ea17432de19240f49590.exefile1.execmd.exeWScript.execmd.execontainerRuntime.exe

description	pid	process	target process
PID 4820 wrote to memory of 4308	4820	87a68d59a505ea17432de19240f49590.exe	file1.exe
PID 4820 wrote to memory of 4308	4820	87a68d59a505ea17432de19240f49590.exe	file1.exe
PID 4820 wrote to memory of 4308	4820	87a68d59a505ea17432de19240f49590.exe	file1.exe
PID 4820 wrote to memory of 4492	4820	87a68d59a505ea17432de19240f49590.exe	cmd.exe
PID 4820 wrote to memory of 4492	4820	87a68d59a505ea17432de19240f49590.exe	cmd.exe
PID 4820 wrote to memory of 4492	4820	87a68d59a505ea17432de19240f49590.exe	cmd.exe
PID 4308 wrote to memory of 3688	4308	file1.exe	WScript.exe
PID 4308 wrote to memory of 3688	4308	file1.exe	WScript.exe
PID 4308 wrote to memory of 3688	4308	file1.exe	WScript.exe
PID 4492 wrote to memory of 2540	4492	cmd.exe	chcp.com
PID 4492 wrote to memory of 2540	4492	cmd.exe	chcp.com
PID 4492 wrote to memory of 2540	4492	cmd.exe	chcp.com
PID 4492 wrote to memory of 4276	4492	cmd.exe	cmd.exe
PID 4492 wrote to memory of 4276	4492	cmd.exe	cmd.exe
PID 4492 wrote to memory of 4276	4492	cmd.exe	cmd.exe
PID 3688 wrote to memory of 4880	3688	WScript.exe	cmd.exe
PID 3688 wrote to memory of 4880	3688	WScript.exe	cmd.exe
PID 3688 wrote to memory of 4880	3688	WScript.exe	cmd.exe
PID 4880 wrote to memory of 1324	4880	cmd.exe	containerRuntime.exe
PID 4880 wrote to memory of 1324	4880	cmd.exe	containerRuntime.exe
PID 1324 wrote to memory of 1336	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 1336	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 740	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 740	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 372	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 372	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 1652	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 1652	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 3888	1324	containerRuntime.exe	sihclient.exe
PID 1324 wrote to memory of 3888	1324	containerRuntime.exe	sihclient.exe
PID 1324 wrote to memory of 4760	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 4760	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 832	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 832	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 2248	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 2248	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 4676	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 4676	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 4244	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 4244	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 4064	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 4064	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 3552	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 3552	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 1052	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 1052	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 3616	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 3616	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 5020	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 5020	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 2064	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 2064	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 2360	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 2360	1324	containerRuntime.exe	powershell.exe
PID 1324 wrote to memory of 776	1324	containerRuntime.exe	87a68d59a505ea17432de19240f49590.exe
PID 1324 wrote to memory of 776	1324	containerRuntime.exe	87a68d59a505ea17432de19240f49590.exe

C:\Users\Admin\AppData\Local\Temp\87a68d59a505ea17432de19240f49590.exe
"C:\Users\Admin\AppData\Local\Temp\87a68d59a505ea17432de19240f49590.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820

C:\ProgramData\file1.exe
"C:\ProgramData\file1.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\BridgeWin\kBRJ5zb6pFGWil.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:4880

C:\BridgeWin\containerRuntime.exe
"C:\BridgeWin\containerRuntime.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\containerRuntime.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\87a68d59a505ea17432de19240f49590.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\containerRuntime.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\fontdrvhost.exe'
6⤵
PID:3888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\87a68d59a505ea17432de19240f49590.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\containerRuntime.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\containerRuntime.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\WindowsUpdate\conhost.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\wininit.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\RuntimeBroker.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\csrss.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\Idle.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\dllhost.exe'
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Program Files (x86)\Windows Portable Devices\87a68d59a505ea17432de19240f49590.exe
"C:\Program Files (x86)\Windows Portable Devices\87a68d59a505ea17432de19240f49590.exe"
6⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\file2.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\chcp.com
CHCP 866
3⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c bcdedit
3⤵
PID:4276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "87a68d59a505ea17432de19240f495908" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\87a68d59a505ea17432de19240f49590.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "87a68d59a505ea17432de19240f49590" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\87a68d59a505ea17432de19240f49590.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "87a68d59a505ea17432de19240f495908" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\87a68d59a505ea17432de19240f49590.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Start Menu\containerRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "87a68d59a505ea17432de19240f495908" /sc MINUTE /mo 13 /tr "'C:\BridgeWin\87a68d59a505ea17432de19240f49590.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "87a68d59a505ea17432de19240f49590" /sc ONLOGON /tr "'C:\BridgeWin\87a68d59a505ea17432de19240f49590.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "87a68d59a505ea17432de19240f495908" /sc MINUTE /mo 6 /tr "'C:\BridgeWin\87a68d59a505ea17432de19240f49590.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 9 /tr "'C:\odt\containerRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\odt\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 11 /tr "'C:\odt\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\containerRuntime.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\containerRuntime.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\odt\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\WindowsUpdate\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Logs\WindowsUpdate\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\WindowsUpdate\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Music\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\SKB\LanguageModels\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\SKB\LanguageModels\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\BridgeWin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\BridgeWin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\BridgeWin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Registration\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Registration\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 6i8jEPbrsEeeb9GnQCm1Aw.0.2
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3888

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\BridgeWin\containerRuntime.exe
Filesize
931KB

MD5
799a6791f1c0d38cafb78ec0a88cedf0

SHA1
a33bde29181e1700dd1953191c3ab9830a0f55e9

SHA256
0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

SHA512
c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

Download Submit
C:\BridgeWin\containerRuntime.exe
Filesize
931KB

MD5
799a6791f1c0d38cafb78ec0a88cedf0

SHA1
a33bde29181e1700dd1953191c3ab9830a0f55e9

SHA256
0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

SHA512
c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

Download Submit
C:\BridgeWin\kBRJ5zb6pFGWil.bat
Filesize
35B

MD5
064d44ddf49217a25ad5ec14b334e0f8

SHA1
092f4a63df14672e90e8001a9bb6000315fb29d6

SHA256
a1962a0cd9c290da9a9d7bb34828fae854a8994127fcbe219e4d6a7b499274c4

SHA512
342448a993e8f8713918fe64c15f1c117ee1dd5e80de3ea78a026802895733b5024169ea9daf2eaf102005b27a6b48772b6122d28875d686d305cfd412c17acb

Download Submit
C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbe
Filesize
200B

MD5
c33c80ec8b8c3cdef3f528ea621be889

SHA1
10b010cc2b37daf6fd01031c4d2af8d684cc6953

SHA256
a2492c835a66b1e833bfebfa669e8366d66ae7ac9b6aedf35adf5c24b2bd6fdc

SHA512
d947f93f0f86d1c02b791c932febe41b2c0e58cc3842ca361d006ad79cffff3b0313be31eaaaa8610216ae936b1a24e680d97e0ad7da0ccf28f6804e63a156af

Download Submit
C:\Program Files (x86)\Windows Portable Devices\87a68d59a505ea17432de19240f49590.exe
Filesize
931KB

MD5
799a6791f1c0d38cafb78ec0a88cedf0

SHA1
a33bde29181e1700dd1953191c3ab9830a0f55e9

SHA256
0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

SHA512
c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

Download Submit
C:\Program Files (x86)\Windows Portable Devices\87a68d59a505ea17432de19240f49590.exe
Filesize
931KB

MD5
799a6791f1c0d38cafb78ec0a88cedf0

SHA1
a33bde29181e1700dd1953191c3ab9830a0f55e9

SHA256
0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

SHA512
c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

Download Submit
C:\ProgramData\file1.exe
Filesize
1.2MB

MD5
3e821d4b4af33a23f64c69db57770955

SHA1
019742e345c39bd10f6c9bc4c1af4c2e94a5fca0

SHA256
5ad5f24becf8b8653b7708edc35779128eb8cc84ddebf362121c603fd2caed04

SHA512
6e7f8ea74092bbb4659f24ec629e1483fb95cf682f5eda65300cc38369848cd60512ce79cd7aa5ae70d09fba420e8de6be3841306cf3302317a69d143c114160

Download Submit
C:\ProgramData\file1.exe
Filesize
1.2MB

MD5
3e821d4b4af33a23f64c69db57770955

SHA1
019742e345c39bd10f6c9bc4c1af4c2e94a5fca0

SHA256
5ad5f24becf8b8653b7708edc35779128eb8cc84ddebf362121c603fd2caed04

SHA512
6e7f8ea74092bbb4659f24ec629e1483fb95cf682f5eda65300cc38369848cd60512ce79cd7aa5ae70d09fba420e8de6be3841306cf3302317a69d143c114160

Download Submit
C:\ProgramData\file2.bat
Filesize
13KB

MD5
8bb47bc15412d726a038cff591aa5933

SHA1
8768216458761909c94bf544e1acd250099a4465

SHA256
bb279a32dd1bc418a72d80553859d64f2f0fceb3e5c40c8c09e9bdbf4080710b

SHA512
56251138791ab720dd835e3a7903f93a8b3a8553384d406a52f32ea854951beeb4286f42cc483b7f5d6b4398bd2d1fab8f4b9a3891c57e65116efe6ec6fe3a17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
377c375f814a335a131901ed5d5eca44

SHA1
9919811b18b4f8153541b332232ae88eec42f9f7

SHA256
7a73ac126468f3a94954656a0da1b494b18b6f7fc4ee09beb87573e82f300a10

SHA512
c511dff1a34a5e32cf0ce2c56aa3adf71bd51e9a5afc7ae75320ac7563ebb4571f6ac5cd771fa52e9c7966112431bbdd20e4b74e1a125c273bc835f127b599b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22fbec4acba323d04079a263526cef3c

SHA1
eb8dd0042c6a3f20087a7d2391eaf48121f98740

SHA256
020e5d769893724f075e10b01c59bf2424214cefe6aafbab6f44bc700f525c40

SHA512
fb61d737de8cbed6b7d8b5a35911c46ef26a2927a52ed7add9d594cf19dcab1b9978b61912c6f3fe4f29228f4454fb022fb2e167788c727dc6503c1fcd42159e

Download Submit
memory/372-168-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/372-196-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/372-151-0x0000000000000000-mapping.dmp

Download
memory/740-166-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/740-197-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/740-150-0x0000000000000000-mapping.dmp

Download
memory/740-164-0x000001D303730000-0x000001D303752000-memory.dmp

Filesize
136KB

Download
memory/776-184-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/776-223-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/776-170-0x0000000000000000-mapping.dmp

Download
memory/832-189-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/832-155-0x0000000000000000-mapping.dmp

Download
memory/832-175-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/1052-211-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/1052-182-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/1052-161-0x0000000000000000-mapping.dmp

Download
memory/1324-148-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/1324-147-0x0000000000E30000-0x0000000000F20000-memory.dmp

Filesize
960KB

Download
memory/1324-144-0x0000000000000000-mapping.dmp

Download
memory/1324-174-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/1336-203-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/1336-179-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/1336-149-0x0000000000000000-mapping.dmp

Download
memory/1652-206-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/1652-152-0x0000000000000000-mapping.dmp

Download
memory/1652-169-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2064-221-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2064-188-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2064-165-0x0000000000000000-mapping.dmp

Download
memory/2248-156-0x0000000000000000-mapping.dmp

Download
memory/2248-176-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2248-198-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2360-222-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2360-187-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/2360-167-0x0000000000000000-mapping.dmp

Download
memory/2540-139-0x0000000000000000-mapping.dmp

Download
memory/3552-210-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3552-185-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3552-160-0x0000000000000000-mapping.dmp

Download
memory/3616-218-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3616-162-0x0000000000000000-mapping.dmp

Download
memory/3616-186-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3688-138-0x0000000000000000-mapping.dmp

Download
memory/3888-153-0x0000000000000000-mapping.dmp

Download
memory/3888-193-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/3888-173-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4064-217-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4064-181-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4064-159-0x0000000000000000-mapping.dmp

Download
memory/4244-158-0x0000000000000000-mapping.dmp

Download
memory/4244-207-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4244-180-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4276-141-0x0000000000000000-mapping.dmp

Download
memory/4308-133-0x0000000000000000-mapping.dmp

Download
memory/4492-136-0x0000000000000000-mapping.dmp

Download
memory/4676-178-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4676-157-0x0000000000000000-mapping.dmp

Download
memory/4676-200-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4760-154-0x0000000000000000-mapping.dmp

Download
memory/4760-177-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4760-216-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/4820-132-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/4880-143-0x0000000000000000-mapping.dmp

Download
memory/5020-163-0x0000000000000000-mapping.dmp

Download
memory/5020-183-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download
memory/5020-214-0x00007FFE810B0000-0x00007FFE81B71000-memory.dmp

Filesize
10.8MB

Download