Analysis

  • max time kernel
    124s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21-07-2024 10:47

General

  • Target

    RastyClient.exe

  • Size

    1.6MB

  • MD5

    e97033f786a03e53c5b1f2f8f7459823

  • SHA1

    ee716af387f986b3f89eaa8f95e2e9525a7e6dc5

  • SHA256

    51803275cce1aa6e37aaa3f5cc9d28244eb27f275691254b0c916224f8cbe3f3

  • SHA512

    492f847961f8bea60b2aaa9d6200148fb0b7da4a504f3bd41c624e6698d8ae5f0ac925c612cc53b099173ca1730c8c1bd6945ca8ea58d1a472fc428220c5e8ca

  • SSDEEP

    24576:U2G/nvxW3Ww0tXNKse+i4rH9o95ONppeDZf/7wL6yz3dkoJoDvCJp88aQ:UbA30Xg4rdC/bIoDvC88P

Score
10/10

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 57 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\RastyClient.exe
    "C:\Users\Admin\AppData\Local\Temp\RastyClient.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Bridgecrt\gMVksfrBboGCsBBkLwQuhvaLwm.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Bridgecrt\7isy5PZMm5dkBZViNdFGyDFLK0qR.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2260
        • C:\Bridgecrt\RefdhcpSvc.exe
          "C:\Bridgecrt\RefdhcpSvc.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Program Files (x86)\Windows Portable Devices\wininit.exe
            "C:\Program Files (x86)\Windows Portable Devices\wininit.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            PID:2180
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2956
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1296
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2620
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2320
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1800
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:680
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Visualizations\WmiPrvSE.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1760
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:276
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2904
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RefdhcpSvcR" /sc MINUTE /mo 7 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\RefdhcpSvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1592
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RefdhcpSvc" /sc ONLOGON /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\RefdhcpSvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1740
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "RefdhcpSvcR" /sc MINUTE /mo 7 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\RefdhcpSvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2676
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1656
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2844
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2444
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\777f1042-3af1-11ef-b4bd-d2f1755c8afd\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:700
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\it-IT\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3068
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3060
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\it-IT\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2116
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Bridgecrt\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2216
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Bridgecrt\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Bridgecrt\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1888
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:236
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2036
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2252
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:836
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\audiodg.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:864
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Videos\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2424
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Videos\audiodg.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1324
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1936
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1536
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:944
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1104
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1776
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Bridgecrt\cmd.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2992
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Bridgecrt\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1500
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Bridgecrt\cmd.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\dwm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1964
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1240
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\fonts\dwm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1672
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Bridgecrt\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2528
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Bridgecrt\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:3024
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Bridgecrt\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1568
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2080
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:696
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2564
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2312
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2280

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Bridgecrt\7isy5PZMm5dkBZViNdFGyDFLK0qR.bat

    Filesize

    29B

    MD5

    f8f274a07f5224a3f69091f043af146c

    SHA1

    2513dccda5f12624dbb9a13052a2e629936bbab6

    SHA256

    8a6e165c22056fc26e710ade51ec3f299e8aca3c4e43b53cc77b9be60bb3cb24

    SHA512

    0c559ea5231d80976bb21b6ba1f8d788112cf89a8c7c32bb268557711a4d945f718616f9324997b5e59980956b736a1c59fb93ec17280cc7b8ccf3cf81ac298f

  • C:\Bridgecrt\gMVksfrBboGCsBBkLwQuhvaLwm.vbe

    Filesize

    214B

    MD5

    1bc36447909f83b562458feb56958fc7

    SHA1

    bdc93b6370a26ebbb0a691e62c7a9a3a9cf6b265

    SHA256

    2becf9f25216246f2503fd1378725c9cf03bebe8a0c6c8ca7778f4214bdf76d9

    SHA512

    e2b8d1d5f43f502a82865d0056fa27ddfd7f513515be6ae2419a294e71b569a2990142ff2956b16298da70456d534b8a73af4b9b2bbc55d366e656a1603e2ca8

  • \Bridgecrt\RefdhcpSvc.exe

    Filesize

    1.3MB

    MD5

    e30cdcd8806bdf366db5b9652663ff6c

    SHA1

    4d7b9c8f0e0ce092f1008a31a79ef961cd42a66e

    SHA256

    6faa8554c6856c2e5869ee5bd0d1dd6b7dcbeaabbdd108e7c24987f5a8b9a323

    SHA512

    e2f0925a9b2ae495364c07814dc7e3725b64faf31f8601e99367a89b8a155da5b54e26cc9bc7ddd50facc13726a10e1dd88b49cfbbeb4e69f3a1ee68034ffa13

  • memory/2180-62-0x00000000002E0000-0x000000000042A000-memory.dmp

    Filesize

    1.3MB

  • memory/2748-13-0x00000000001C0000-0x000000000030A000-memory.dmp

    Filesize

    1.3MB

  • memory/2748-14-0x0000000000490000-0x000000000049E000-memory.dmp

    Filesize

    56KB

  • memory/2748-15-0x00000000004A0000-0x00000000004BC000-memory.dmp

    Filesize

    112KB

  • memory/2748-16-0x00000000004C0000-0x00000000004D6000-memory.dmp

    Filesize

    88KB

  • memory/2748-17-0x00000000004F0000-0x0000000000500000-memory.dmp

    Filesize

    64KB