Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-05-2024 20:58

General

  • Target

    47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe

  • Size

    3.7MB

  • MD5

    3aff466445051bd93a7ea3ae519587ef

  • SHA1

    516c1e9da912f6d988146fb812d88bdc7b30588a

  • SHA256

    47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e

  • SHA512

    3870bd70e038bb27035eec3eb8bd8f88c2bb720f59dd5283e2bc095f540e3ab4d6e991d7a601b4d809d8de7e7592d2010c41cf57b708ea2f42a5323353a8338f

  • SSDEEP

    49152:UbA30nPNSHQAjwNVYyHycT6JYRAwWPScqhWtkOTwol8FxMQFQnSMvTklif/:UbhwTNJytcqgtkzoEOSMvTwif/

Signatures

  • DcRat 53 IoCs

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Modifies WinLogon for persistence 2 TTPs 17 IoCs
  • Process spawned unexpected child process 51 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Detects executables packed with SmartAssembly 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 34 IoCs
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 51 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe
    "C:\Users\Admin\AppData\Local\Temp\47f92f0a7130658a8a48219f0a5157e967aafcbe828d7fd5b6e2189a46baf13e.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Bridgeserverintocommon\intobroker.exe
          "C:\Bridgeserverintocommon\intobroker.exe"
          4⤵
          • DcRat
          • Modifies WinLogon for persistence
          • UAC bypass
          • Executes dropped EXE
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2672
          • C:\Windows\PLA\Templates\services.exe
            "C:\Windows\PLA\Templates\services.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2708
            • C:\Windows\System32\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed83a9bb-53f3-4788-944a-770ff34ac20c.vbs"
              6⤵
                PID:2888
              • C:\Windows\System32\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e8e1f47-810e-42c7-8afb-87a7af23927e.vbs"
                6⤵
                  PID:1824
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Bridgeserverintocommon\file.vbs"
          2⤵
            PID:2760
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2864
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2908
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2712
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:744
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\audiodg.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1876
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "intobrokeri" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Chess\intobroker.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1672
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "intobroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Chess\intobroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1988
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "intobrokeri" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Chess\intobroker.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2524
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2776
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2836
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:692
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:908
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1592
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:752
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1772
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2560
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2004
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2420
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2020
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:584
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Templates\services.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2972
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PLA\Templates\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2552
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PLA\Templates\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2204
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:900
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1576
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2296
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2320
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2348
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\csrss.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:984
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1848
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1088
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\07daf2c2-fe8f-11ee-804d-f636db4e28e7\explorer.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1940
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1724
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1312
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Afternoon\wscript.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:832
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Windows\Media\Afternoon\wscript.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2144
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Windows\Media\Afternoon\wscript.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:860
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\wininit.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2396
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Fonts\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2256
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\wininit.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:892
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Bridgeserverintocommon\cmd.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2440
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Bridgeserverintocommon\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Bridgeserverintocommon\cmd.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:1556
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2364
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2132
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2556
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2288
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2160
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
          1⤵
          • DcRat
          • Process spawned unexpected child process
          • Creates scheduled task(s)
          PID:2544
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1604
        • C:\Windows\system32\wbem\WmiApSrv.exe
          C:\Windows\system32\wbem\WmiApSrv.exe
          1⤵
            PID:1504

          Downloads

          • C:\Bridgeserverintocommon\G4Oc3Bdfs8kP1V8eo9CqkhGYM0as.bat

            Filesize

            42B

            MD5

            9005984f23c241ae6504691edad99db9

            SHA1

            50ec3cca58fd37b1853bd144854fb0242019d2b9

            SHA256

            e4d707b17add26a6652c539cdb21c37fdad6e3ace7c81ecf2174e9822ec722de

            SHA512

            183a00fb20157a7125673eada3c8fd6c7be9b15ce84ae92e4f82c8838f6a68f3c76d8a4e38022b29480007f9ff46020e7bd3f32fd1c2684c62978a0e24e3d1ff

          • C:\Bridgeserverintocommon\bSNjmil342lqhlp3K93FQgNExNLM1.vbe

            Filesize

            227B

            MD5

            8ad651de9eab5382f5aeb6e0a38e22bc

            SHA1

            c45b320fdec6e25ccacc31bdf3999a6fec82c9a0

            SHA256

            adc8a48ba4abcaba69bb11494239f5f36da9146e54d03d3ecbf30628b77bdf01

            SHA512

            6fa241fb0c56d172dd72a1560329f573d10b2cf289aaa1e4a8e36e7a00c0f10e52fa566997654ef985f838b44b8230a5ca1215aacd1a2910ae25f0988519fb3a

          • C:\Bridgeserverintocommon\file.vbs

            Filesize

            34B

            MD5

            677cc4360477c72cb0ce00406a949c61

            SHA1

            b679e8c3427f6c5fc47c8ac46cd0e56c9424de05

            SHA256

            f1cccb5ae4aa51d293bd3c7d2a1a04cb7847d22c5db8e05ac64e9a6d7455aa0b

            SHA512

            7cfe2cc92f9e659f0a15a295624d611b3363bd01eb5bcf9bc7681ea9b70b0564d192d570d294657c8dc2c93497fa3b4526c975a9bf35d69617c31d9936573c6a

          • C:\Users\Admin\AppData\Local\Temp\6e8e1f47-810e-42c7-8afb-87a7af23927e.vbs

            Filesize

            489B

            MD5

            9e888e59e647a26ccfc29968bc56466e

            SHA1

            6c74c59a97b2d94fbb7f4413a494d70baadb7d93

            SHA256

            9f1815830978894f75f08f4845198dd56c08f7abf6cbf0c2df10647afe46fae8

            SHA512

            a2c815c9d3c55ff46dcbf662566e7ff90c6d4f8f5d540ebd32e029fa4cb2a4277581b215a4653472d412502217c41fc656c243527df4c8862b66375e6fd8cee7

          • C:\Users\Admin\AppData\Local\Temp\ed83a9bb-53f3-4788-944a-770ff34ac20c.vbs

            Filesize

            713B

            MD5

            dee19409427568c5c7d70eb865457ce9

            SHA1

            508a2a9d0e976e7493ef9ecc4495f500fde6204e

            SHA256

            d481a6f8a93e67fb1a0e4d6b40e7a6b3c190ecee1662db96c2b6eb9ab167f32c

            SHA512

            94ab9c18c63a0deb19a9d913c77f45d1076fe05907e61214385e3cb26905426ff8f1c8fc27eefddc44c47879305b68383eeee53cac10f7f1978031cfe89e4dc0

          • \Bridgeserverintocommon\intobroker.exe

            Filesize

            3.4MB

            MD5

            34f09d31d624cddea4794d6b60fb342a

            SHA1

            21dae839ec2ac251c1d80d51e32e5b0f7c9c208f

            SHA256

            fd3a3a73eaee67019836012fff9be8474388fe57f8fcf0fb60d0326acd9a9c8f

            SHA512

            e1f3c7e71a9921b6c2be32ace2ed8b809a81bfa5047034f4d3acf13386154bbda150c812def937542e01f7228b52cfe3fef1fe4446503f7a0048c852c7b2e873
