Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2023 13:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.2MB

  • MD5

    3e821d4b4af33a23f64c69db57770955

  • SHA1

    019742e345c39bd10f6c9bc4c1af4c2e94a5fca0

  • SHA256

    5ad5f24becf8b8653b7708edc35779128eb8cc84ddebf362121c603fd2caed04

  • SHA512

    6e7f8ea74092bbb4659f24ec629e1483fb95cf682f5eda65300cc38369848cd60512ce79cd7aa5ae70d09fba420e8de6be3841306cf3302317a69d143c114160

  • SSDEEP

    24576:U2G/nvxW3Ww0teLTGJTb/Ka2FVx0Q5eRvuiNLzrejv:UbA30yTGF/KvVd5eTNS7

Score
10/10
dcratinfostealerpersistencerat

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Modifies WinLogon for persistence 2 TTPs 14 IoCs
    persistence
  • Process spawned unexpected child process 42 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 28 IoCs
    persistence
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 42 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1460
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\BridgeWin\kBRJ5zb6pFGWil.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4108
        • C:\BridgeWin\containerRuntime.exe
          "C:\BridgeWin\containerRuntime.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Checks computer location settings
          • Adds Run key to start application
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:764
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\containerRuntime.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4224
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4780
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\RuntimeBroker.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2488
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\OfficeClickToRun.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4832
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:684
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4132
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\sppsvc.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3920
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\dwm.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:952
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\smss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2260
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\conhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3688
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1140
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\BridgeWin\fontdrvhost.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\containerRuntime.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:448
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\csrss.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1348
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\WmiPrvSE.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4888
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tVUxPy0Pel.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3492
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:5096
              • C:\Users\Admin\SendTo\RuntimeBroker.exe
                "C:\Users\Admin\SendTo\RuntimeBroker.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of AdjustPrivilegeToken
                PID:5552
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\BridgeWin\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4576
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\BridgeWin\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\BridgeWin\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:220
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\odt\WmiPrvSE.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2176
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4680
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4580
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Searches\csrss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:936
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Searches\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3128
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\csrss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2492
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\containerRuntime.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4172
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "containerRuntime" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\containerRuntime.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3632
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "containerRuntimec" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\containerRuntime.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3124
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3676
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\RuntimeBroker.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3496
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\odt\OfficeClickToRun.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1860
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4268
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\odt\OfficeClickToRun.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:5008
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4048
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4928
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1968
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2300
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1368
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\BridgeWin\sppsvc.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2040
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\BridgeWin\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4896
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\BridgeWin\sppsvc.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4364
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\dwm.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4488
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Temp\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4500
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\dwm.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3036
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\odt\smss.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2348
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2868
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4564
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3780
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:900
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:3912
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1372
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:1004
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:2792
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\BridgeWin\fontdrvhost.exe'" /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4988
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\BridgeWin\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4148
    • C:\Windows\system32\schtasks.exe
      schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\BridgeWin\fontdrvhost.exe'" /rl HIGHEST /f
      1⤵
      • Process spawned unexpected child process
      • Creates scheduled task(s)
      PID:4844

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Winlogon Helper DLL

    1
    T1004

    Registry Run Keys / Startup Folder

    1
    T1060

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\BridgeWin\containerRuntime.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit
    • C:\BridgeWin\containerRuntime.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit
    • C:\BridgeWin\kBRJ5zb6pFGWil.bat
      Filesize

      35B

      MD5

      064d44ddf49217a25ad5ec14b334e0f8

      SHA1

      092f4a63df14672e90e8001a9bb6000315fb29d6

      SHA256

      a1962a0cd9c290da9a9d7bb34828fae854a8994127fcbe219e4d6a7b499274c4

      SHA512

      342448a993e8f8713918fe64c15f1c117ee1dd5e80de3ea78a026802895733b5024169ea9daf2eaf102005b27a6b48772b6122d28875d686d305cfd412c17acb

      Download Submit
    • C:\BridgeWin\vPDfI9lKtfPEUBD9cj.vbe
      Filesize

      200B

      MD5

      c33c80ec8b8c3cdef3f528ea621be889

      SHA1

      10b010cc2b37daf6fd01031c4d2af8d684cc6953

      SHA256

      a2492c835a66b1e833bfebfa669e8366d66ae7ac9b6aedf35adf5c24b2bd6fdc

      SHA512

      d947f93f0f86d1c02b791c932febe41b2c0e58cc3842ca361d006ad79cffff3b0313be31eaaaa8610216ae936b1a24e680d97e0ad7da0ccf28f6804e63a156af

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      59d97011e091004eaffb9816aa0b9abd

      SHA1

      1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

      SHA256

      18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

      SHA512

      d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      59d97011e091004eaffb9816aa0b9abd

      SHA1

      1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

      SHA256

      18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

      SHA512

      d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      59d97011e091004eaffb9816aa0b9abd

      SHA1

      1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

      SHA256

      18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

      SHA512

      d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      59d97011e091004eaffb9816aa0b9abd

      SHA1

      1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

      SHA256

      18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

      SHA512

      d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      5f0ddc7f3691c81ee14d17b419ba220d

      SHA1

      f0ef5fde8bab9d17c0b47137e014c91be888ee53

      SHA256

      a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

      SHA512

      2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      3a6bad9528f8e23fb5c77fbd81fa28e8

      SHA1

      f127317c3bc6407f536c0f0600dcbcf1aabfba36

      SHA256

      986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

      SHA512

      846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      3a6bad9528f8e23fb5c77fbd81fa28e8

      SHA1

      f127317c3bc6407f536c0f0600dcbcf1aabfba36

      SHA256

      986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

      SHA512

      846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tVUxPy0Pel.bat
      Filesize

      204B

      MD5

      56a5bbda903fee6f4b6ba59b49ea38a2

      SHA1

      cb5b4819a940da676b6820e52ee7811e3aafe6f7

      SHA256

      e49f020c1b4b31b52a95418501983a03cd6fb5da6690266573528cbf74817ed9

      SHA512

      0a9b7df383f3db822b4f21a78b5eb578476b3162e0e0988a7f3c3b854ba0bcf03682c69047d7a2b6e12990bf1fd8f7f4097cc5e2e03486862e787b66b3be3644

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\RuntimeBroker.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit
    • C:\Users\Admin\SendTo\RuntimeBroker.exe
      Filesize

      931KB

      MD5

      799a6791f1c0d38cafb78ec0a88cedf0

      SHA1

      a33bde29181e1700dd1953191c3ab9830a0f55e9

      SHA256

      0686f7db99c055dcc07c91a3815992540a55bd44e2736d64f4be4683e63909a2

      SHA512

      c36f41cc67c7528ae6d9a4762e95e21f1ad3b59fb1fad8db1a897032da9458ec341cc20b4bc063ddb2b6dc15c35b0142ca7a01eff98e969c552348f13ab0d44d

      Download Submit
    • memory/448-189-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/448-161-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/448-145-0x0000000000000000-mapping.dmp
      Download
    • memory/684-198-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/684-148-0x0000000000000000-mapping.dmp
      Download
    • memory/684-165-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/764-136-0x0000000000000000-mapping.dmp
      Download
    • memory/764-139-0x0000000000620000-0x0000000000710000-memory.dmp
      Filesize

      960KB

      Download
    • memory/764-140-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/764-163-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/952-166-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/952-151-0x0000000000000000-mapping.dmp
      Download
    • memory/952-176-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1140-154-0x0000000000000000-mapping.dmp
      Download
    • memory/1140-179-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1140-175-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1348-194-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1348-172-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1348-144-0x0000000000000000-mapping.dmp
      Download
    • memory/1460-132-0x0000000000000000-mapping.dmp
      Download
    • memory/2260-169-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2260-152-0x0000000000000000-mapping.dmp
      Download
    • memory/2260-200-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2488-173-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2488-199-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/2488-146-0x0000000000000000-mapping.dmp
      Download
    • memory/3492-159-0x0000000000000000-mapping.dmp
      Download
    • memory/3688-170-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3688-153-0x0000000000000000-mapping.dmp
      Download
    • memory/3688-205-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3920-174-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/3920-150-0x0000000000000000-mapping.dmp
      Download
    • memory/3920-195-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4108-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4132-201-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4132-164-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4132-149-0x0000000000000000-mapping.dmp
      Download
    • memory/4224-160-0x00000246F2C10000-0x00000246F2C32000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4224-141-0x0000000000000000-mapping.dmp
      Download
    • memory/4224-181-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4224-155-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4328-204-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4328-156-0x0000000000000000-mapping.dmp
      Download
    • memory/4328-171-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4780-157-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4780-142-0x0000000000000000-mapping.dmp
      Download
    • memory/4780-186-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4832-162-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4832-190-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4832-147-0x0000000000000000-mapping.dmp
      Download
    • memory/4888-187-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/4888-143-0x0000000000000000-mapping.dmp
      Download
    • memory/4888-158-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5096-168-0x0000000000000000-mapping.dmp
      Download
    • memory/5552-206-0x0000000000000000-mapping.dmp
      Download
    • memory/5552-209-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/5552-210-0x00007FF9C65E0000-0x00007FF9C70A1000-memory.dmp
      Filesize

      10.8MB

      Download