Analysis

max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 21-06-2024 19:51
Behavioral tasks (task: sample; resource)

behavioral1: AKUMA/__pycache__/banner.cpython-310.pyc; win7-20240221-en
behavioral2: AKUMA/__pycache__/banner.cpython-310.pyc; win10v2004-20240611-en
behavioral3: AKUMA/__pycache__/banner.cpython-311.pyc; win7-20240220-en
behavioral4: AKUMA/__pycache__/banner.cpython-311.pyc; win10v2004-20240508-en
behavioral5: AKUMA/__pycache__/banner.cpython-312.pyc; win7-20240508-en
behavioral6: AKUMA/__pycache__/banner.cpython-312.pyc; win10v2004-20240226-en
behavioral7: AKUMA/__pycache__/ddos.cpython-311.pyc; win7-20240611-en
behavioral8: AKUMA/__pycache__/ddos.cpython-311.pyc; win10v2004-20240508-en
behavioral9: AKUMA/__pycache__/deanon.cpython-310.pyc; win7-20240611-en
behavioral10: AKUMA/__pycache__/deanon.cpython-310.pyc; win10v2004-20240508-en
behavioral11: AKUMA/__pycache__/deanon.cpython-311.pyc; win7-20240221-en
behavioral12: AKUMA/__pycache__/deanon.cpython-311.pyc; win10v2004-20240508-en
behavioral13: AKUMA/__pycache__/deanon.cpython-312.pyc; win7-20240508-en
behavioral14: AKUMA/__pycache__/deanon.cpython-312.pyc; win10v2004-20240611-en
behavioral15: AKUMA/__pycache__/get_ip.cpython-310.pyc; win7-20240221-en
behavioral16: AKUMA/__pycache__/get_ip.cpython-310.pyc; win10v2004-20240611-en
behavioral17: AKUMA/__pycache__/mail.cpython-310.pyc; win7-20240419-en
behavioral18: AKUMA/__pycache__/mail.cpython-310.pyc; win10v2004-20240611-en
behavioral19: AKUMA/__pycache__/mail.cpython-311.pyc; win7-20240611-en
behavioral20: AKUMA/__pycache__/mail.cpython-311.pyc; win10v2004-20240508-en
behavioral21: AKUMA/__pycache__/mail.cpython-312.pyc; win7-20240221-en
behavioral22: AKUMA/__pycache__/mail.cpython-312.pyc; win10v2004-20240226-en
behavioral23: AKUMA/f.l.e.a.t..exe; win7-20240611-en
General

Target: AKUMA/f.l.e.a.t..exe
Size: 3.0MB
MD5: 7a17eddc28b3fc122db1a2e5f7b5e2dc
SHA1: ee9b62c3d342d6009b26dcfebcf4cb4481617754
SHA256: 2a07585be2d377da5cc225cb4ec9c4195ad14a336a279cb829d1da00ecbb277c
SHA512: 4e89dc6a6fd9815a63fd5be87f21fe52b000343fe78ef9af4275492bcdbeb29f807b99e809f2c3af03017572aa589fb201a485176bef09bfe7dce51f858bd19f
SSDEEP: 49152:UbA30XgNBsZoNqWheC3X+0MrQBkVOMmZui/fhjiS5juQwaVZFzyQ8xXZwB8kMc:Ub7gbsZoNEiX05VOfui3tD5qQwWFzy/6
Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process 33 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 2556) is not expected to spawn this process: schtasks.exe, PIDs 2636, 2732, 2480, 2304, 2516, 2300, 1612, 2280, 764, 1896, 1928, 344, 1092, 2140, 1624, 1576, 1396, 1228, 2652, 2100, 1608, 2204, 1860, 2040, 1908, 264, 464, 1640, 1468, 1920, 316, 1736, 1384
UAC bypass
Processes:
- BridgePortcom.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- BridgePortcom.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- BridgePortcom.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
Processes (resource: yara_rule):
- \DriverrefbrokerHostmonitor\BridgePortcom.exe: dcrat
- behavioral23/memory/2656-13-0x0000000000CA0000-0x0000000000F4E000-memory.dmp: dcrat
- behavioral23/memory/2092-58-0x00000000009D0000-0x0000000000C7E000-memory.dmp: dcrat

Disables Task Manager via registry modification

Executes dropped EXE 2 IoCs
Processes:
- 2656 BridgePortcom.exe
- 2092 spoolsv.exe

Loads dropped DLL 2 IoCs
Processes:
- 2384 cmd.exe (2 events)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
- spoolsv.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- BridgePortcom.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- BridgePortcom.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 2: ip-api.com
Drops file in Program Files directory 6 IoCs
Processes:
- BridgePortcom.exe: File created C:\Program Files\Windows Portable Devices\System.exe
- BridgePortcom.exe: File created C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0
- BridgePortcom.exe: File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe
- BridgePortcom.exe: File created C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\27d1bcfc3c54e0
- BridgePortcom.exe: File created C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe
- BridgePortcom.exe: File created C:\Program Files (x86)\Reference Assemblies\Microsoft\7a0fd90576e088

Drops file in Windows directory 4 IoCs
Processes:
- BridgePortcom.exe: File created C:\Windows\AppCompat\Programs\lsass.exe
- BridgePortcom.exe: File created C:\Windows\AppCompat\Programs\6203df4a6bafc7
- BridgePortcom.exe: File created C:\Windows\Offline Web Pages\explorer.exe
- BridgePortcom.exe: File created C:\Windows\Offline Web Pages\7a0fd90576e088
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings
Processes (all keys below are relative to \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer):
- iexplore.exe: Key created \Recovery\PendingRecovery
- iexplore.exe: Key created \TabbedBrowsing
- iexplore.exe: Key created \DomainSuggestion
- iexplore.exe: Key created \BrowserEmulation\LowMic
- iexplore.exe: Key created \LowRegistry\DontShowMeThisDialogAgain
- iexplore.exe: Key created \PageSetup
- iexplore.exe: Key created \Main\WindowsSearch
- iexplore.exe: Set value (int) \Recovery\PendingRecovery\AdminActive = "1"
- iexplore.exe: Set value (int) \Recovery\PendingRecovery\AdminActive = "0"
- iexplore.exe: Set value (int) \SearchScopes\DownloadRetries = "2"
- iexplore.exe: Set value (int) \Recovery\AdminActive\{D92D4E01-3007-11EF-A13C-DEB4B2C1951C} = "0"
- iexplore.exe: Set value (str) \Main\WindowsSearch\Version = "WS not running"
- iexplore.exe: Key created \LowRegistry\DOMStorage
- iexplore.exe: Key created \Toolbar\WebBrowser
- IEXPLORE.EXE: Key created \Main
- iexplore.exe: Set value (int) \TabbedBrowsing\NTPFirstRun = "1"
- iexplore.exe: Key created \Main
- iexplore.exe: Key created \IntelliForms
- iexplore.exe: Key created \LowRegistry
- iexplore.exe: Key created \Zoom
- iexplore.exe: Set value (data) \TabbedBrowsing\NewTabPage\LastProcessed = 20c041b014c4da01
- iexplore.exe: Set value (int) \DomainSuggestion\NextUpdateDate = "425161441"
- iexplore.exe: Key created \GPU
- iexplore.exe: Set value (int) \Main\CompatibilityFlags = "0"
- iexplore.exe: Key created \Recovery\AdminActive
- iexplore.exe: Key created \IETld\LowMic
- iexplore.exe: Key created \Toolbar
- iexplore.exe: Set value (str) \Main\FullScreen = "no"
- iexplore.exe: Set value (data) \TabbedBrowsing\NewTabPage\MFV = [value not present in report]
- iexplore.exe: Key created \InternetRegistry
- iexplore.exe: Set value (data) \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
- iexplore.exe: Key created \SearchScopes
- iexplore.exe: Key created \TabbedBrowsing\NewTabPage
- iexplore.exe: Set value (data) \TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a0390500000000020000000000106600000001000020000000c47c2054f7973095022e5a9bf547046060aab01177053a5f1009170ea850e8fc000000000e800000000200002000000094cfcd9bc628eb09325279c068a79708915b49287ec0091c1d515224195ee3382000000005547cc598b8f1c904798dc07c2c55ff3e7e49c97e6554f86593b85138a2da0f400000006a707e9d137eb7c5c80f11deeb56b2ac6b5f145b2351d46f7c2af017bf19da103837fc3deb2cd5a258b3171918715b2d4c28a8d12054f313ba279efe429d6ec8
Modifies registry key 1 TTPs 1 IoCs

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- schtasks.exe, PIDs 2280, 464, 2636, 2732, 2516, 1920, 764, 2100, 1468, 1576, 1384, 1396, 2040, 2300, 1624, 264, 316, 1896, 1092, 1908, 1228, 2652, 1608, 1612, 1928, 2140, 2204, 1860, 1640, 1736, 2480, 2304, 344

Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
- 2656 BridgePortcom.exe (11 events)
- 2092 spoolsv.exe (53 events)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- 2092 spoolsv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- 2656 BridgePortcom.exe: Token: SeDebugPrivilege
- 2092 spoolsv.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
- 1864 iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
- 1864 iexplore.exe (2 events)
- 1568 IEXPLORE.EXE (4 events)

Suspicious use of WriteProcessMemory 26 IoCs
Processes (source PID/process wrote to memory of target PID/process):
- 1892 f.l.e.a.t..exe wrote to memory of 2896 WScript.exe (4 events)
- 2896 WScript.exe wrote to memory of 2384 cmd.exe (4 events)
- 2384 cmd.exe wrote to memory of 2656 BridgePortcom.exe (4 events)
- 2656 BridgePortcom.exe wrote to memory of 2092 spoolsv.exe (3 events)
- 2384 cmd.exe wrote to memory of 952 reg.exe (4 events)
- 2092 spoolsv.exe wrote to memory of 1864 iexplore.exe (3 events)
- 1864 iexplore.exe wrote to memory of 1568 IEXPLORE.EXE (4 events)

System policy modification 1 TTPs 6 IoCs
Processes:
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- BridgePortcom.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- BridgePortcom.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- BridgePortcom.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
- spoolsv.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (process tree; [n] is the depth in the tree)

[1] C:\Users\Admin\AppData\Local\Temp\AKUMA\f.l.e.a.t..exe (PID 1892)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AKUMA\f.l.e.a.t..exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\SysWOW64\WScript.exe (PID 2896)
      Command line: "C:\Windows\System32\WScript.exe" "C:\DriverrefbrokerHostmonitor\6JhXF8E5VqOiEt6G.vbe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2384)
        Command line: cmd /c ""C:\DriverrefbrokerHostmonitor\in39wj3.bat" "
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\DriverrefbrokerHostmonitor\BridgePortcom.exe (PID 2656)
          Command line: "C:\DriverrefbrokerHostmonitor\BridgePortcom.exe"
          - UAC bypass
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Drops file in Program Files directory
          - Drops file in Windows directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          - System policy modification
        [5] C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe (PID 2092)
            Command line: "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe"
            - UAC bypass
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
          [6] C:\Program Files\Internet Explorer\iexplore.exe (PID 1864)
              Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12224/
              - Modifies Internet Explorer settings
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
            [7] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1568)
                Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx
      [4] C:\Windows\SysWOW64\reg.exe (PID 952)
          Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          - Modifies registry key
[1] C:\Windows\system32\schtasks.exe, 33 instances at depth 1, each flagged with:
    - Process spawned unexpected child process
    - Scheduled Task/Job: Scheduled Task
    Command lines by PID:
    PID 2636: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\DriverrefbrokerHostmonitor\lsass.exe'" /f
    PID 2732: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\DriverrefbrokerHostmonitor\lsass.exe'" /rl HIGHEST /f
    PID 2480: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\DriverrefbrokerHostmonitor\lsass.exe'" /rl HIGHEST /f
    PID 2304: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
    PID 2516: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
    PID 2300: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
    PID 1612: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /f
    PID 2280: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /rl HIGHEST /f
    PID 764: schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /rl HIGHEST /f
    PID 1896: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Local Settings\lsm.exe'" /f
    PID 1928: schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\lsm.exe'" /rl HIGHEST /f
    PID 344: schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Local Settings\lsm.exe'" /rl HIGHEST /f
    PID 1092: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
    PID 2140: schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    PID 1624: schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    PID 1576: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
    PID 1396: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
    PID 1228: schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
    PID 2100: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /f
    PID 2652: schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /rl HIGHEST /f
    PID 1608: schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /rl HIGHEST /f
    PID 2204: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\conhost.exe'" /f
    PID 1860: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
    PID 2040: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
    PID 1908: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /f
    PID 264: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
    PID 464: schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
    PID 1640: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /f
    PID 1468: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /rl HIGHEST /f
    PID 1920: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /rl HIGHEST /f
    PID 316: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /f
    PID 1736: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /rl HIGHEST /f
    PID 1384: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /rl HIGHEST /f
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism: Bypass User Account Control (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
C:\DriverrefbrokerHostmonitor\6JhXF8E5VqOiEt6G.vbe
Filesize: 210B
-
C:\DriverrefbrokerHostmonitor\in39wj3.bat
Filesize: 161B
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
-
C:\Users\Admin\AppData\Local\Temp\Cab84FA.tmp
Filesize: 70KB
-
C:\Users\Admin\AppData\Local\Temp\Tar858B.tmp
Filesize: 181KB
-
\DriverrefbrokerHostmonitor\BridgePortcom.exe
Filesize: 2.6MB
-
Memory dumps (PID-index-range):
- memory/2092-58-0x00000000009D0000-0x0000000000C7E000-memory.dmp (2.7MB)
- memory/2092-59-0x0000000002380000-0x00000000023D6000-memory.dmp (344KB)
- memory/2656-29-0x00000000023F0000-0x00000000023FA000-memory.dmp (40KB)
- memory/2656-28-0x00000000023E0000-0x00000000023EC000-memory.dmp (48KB)
- memory/2656-27-0x00000000023D0000-0x00000000023DC000-memory.dmp (48KB)
- memory/2656-26-0x0000000002490000-0x0000000002498000-memory.dmp (32KB)
- memory/2656-25-0x00000000023C0000-0x00000000023CC000-memory.dmp (48KB)
- memory/2656-24-0x0000000000C90000-0x0000000000C98000-memory.dmp (32KB)
- memory/2656-23-0x0000000000900000-0x000000000090C000-memory.dmp (48KB)
- memory/2656-22-0x00000000008F0000-0x00000000008FC000-memory.dmp (48KB)
- memory/2656-21-0x00000000008E0000-0x00000000008E8000-memory.dmp (32KB)
- memory/2656-20-0x00000000006C0000-0x00000000006CC000-memory.dmp (48KB)
- memory/2656-19-0x0000000000BC0000-0x0000000000C16000-memory.dmp (344KB)
- memory/2656-18-0x00000000006B0000-0x00000000006BA000-memory.dmp (40KB)
- memory/2656-17-0x0000000000550000-0x0000000000560000-memory.dmp (64KB)
- memory/2656-16-0x0000000000690000-0x00000000006A6000-memory.dmp (88KB)
- memory/2656-15-0x0000000000670000-0x000000000068C000-memory.dmp (112KB)
- memory/2656-14-0x0000000000140000-0x000000000014E000-memory.dmp (56KB)
- memory/2656-13-0x0000000000CA0000-0x0000000000F4E000-memory.dmp (2.7MB)