Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-06-2024 19:51

General

  • Target

    AKUMA/f.l.e.a.t..exe

  • Size

    3.0MB

  • MD5

    7a17eddc28b3fc122db1a2e5f7b5e2dc

  • SHA1

    ee9b62c3d342d6009b26dcfebcf4cb4481617754

  • SHA256

    2a07585be2d377da5cc225cb4ec9c4195ad14a336a279cb829d1da00ecbb277c

  • SHA512

    4e89dc6a6fd9815a63fd5be87f21fe52b000343fe78ef9af4275492bcdbeb29f807b99e809f2c3af03017572aa589fb201a485176bef09bfe7dce51f858bd19f

  • SSDEEP

    49152:UbA30XgNBsZoNqWheC3X+0MrQBkVOMmZui/fhjiS5juQwaVZFzyQ8xXZwB8kMc:Ub7gbsZoNEiX05VOfui3tD5qQwWFzy/6

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
  • DCRat payload 3 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

  • Disables Task Manager via registry modification
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • System policy modification 1 TTPs 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\AKUMA\f.l.e.a.t..exe
    "C:\Users\Admin\AppData\Local\Temp\AKUMA\f.l.e.a.t..exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\DriverrefbrokerHostmonitor\6JhXF8E5VqOiEt6G.vbe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\DriverrefbrokerHostmonitor\in39wj3.bat" "
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2384
        • C:\DriverrefbrokerHostmonitor\BridgePortcom.exe
          "C:\DriverrefbrokerHostmonitor\BridgePortcom.exe"
          4⤵
          • UAC bypass
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2656
          • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe
            "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe"
            5⤵
            • UAC bypass
            • Executes dropped EXE
            • Checks whether UAC is enabled
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2092
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12224/
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1864
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1864 CREDAT:275457 /prefetch:2
                7⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1568
        • C:\Windows\SysWOW64\reg.exe
          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          4⤵
          • Modifies registry key
          PID:952
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\DriverrefbrokerHostmonitor\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2636
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\DriverrefbrokerHostmonitor\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2732
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\DriverrefbrokerHostmonitor\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2480
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2304
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2516
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2300
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1612
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2280
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:764
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Local Settings\lsm.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1896
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1928
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Local Settings\lsm.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:344
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1092
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2140
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1624
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1576
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1396
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1228
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2100
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2652
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\AppCompat\Programs\lsass.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1608
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\conhost.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2204
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1860
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:2040
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1908
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:264
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:464
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1640
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1468
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1920
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:316
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1736
  • C:\Windows\system32\schtasks.exe
    schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\explorer.exe'" /rl HIGHEST /f
    1⤵
    • Process spawned unexpected child process
    • Scheduled Task/Job: Scheduled Task
    PID:1384

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\DriverrefbrokerHostmonitor\6JhXF8E5VqOiEt6G.vbe
    Filesize

    210B

    MD5

    3d5fd8f807da0d61ca3fa5dca7e45c5a

    SHA1

    6f2d53fe7717c5f29c6b49bf1e24ed7688b78fe0

    SHA256

    5808f2dd0b95fcd5ec99f0d6989e3e3fa43d010299ff6e9ed2b0d2ed3d2f1050

    SHA512

    8d05c605c42e757de126d057392942301c1d54e055494ae98d3ae30f3d7af7a5a2d2cd13679e5391253076ff93212b1793b51943c3659e3860a18b3b409b89ac

  • C:\DriverrefbrokerHostmonitor\in39wj3.bat
    Filesize

    161B

    MD5

    f5680b342a5d4a3a130ef25bef57cb04

    SHA1

    a57261b163e84cf26e1c1d23d60b16a0cd9aedc7

    SHA256

    d0d87605d4cc0093b9ca75647cd0144b3790d49fa5d5f498acafd4be8a347ca2

    SHA512

    a596e1a661039487102e14393b9d32952b0449b3de4b8828adedeee308e79e999a7c114e972a6be42c1778eb8430b15b34f8c3531df97c5cbda72c27e41ac71a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    15645fece3334fe1bbd39f077b82424b

    SHA1

    4ac12afe94dac988ab2d9e0745b207935ff78456

    SHA256

    257b662ebfa8c4417a004daeafddf3217b9a9031da2a31b07de0d3286e9c749c

    SHA512

    61818ce1cb795773c37e83e737d613d040c980453b7d5239f40401b7dad7acd921a3538e94473fa129379ad72319f48d04f7ac000506968e2baef621d8252b92

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    283aa854a8f27d014ed90ded5acdd606

    SHA1

    d26f07f912c58e4a69adb497ea680256ad8d834d

    SHA256

    6774ed1eafcde8af99960d3be85ac45e991e99d328e5e66df425f2af9a9d90d5

    SHA512

    52cd93a14c2259a050766d28a1295d8b69062e89d283345a1d359de0594503a1af9258606bebda8a335a54ef872cb8dd06e14d209f1857c256823a3013ffe02f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    e4fcd8d4e339b4a21f5d94659bbe72b2

    SHA1

    b4200699c1049e8ea85703e89a3cf706c08f5917

    SHA256

    e676dd7a7571526543acc64ccaf9a831ef83d21f5159c5b3f5a585ad18d2590f

    SHA512

    a08cdea8c344b1f06131761fc1bbb7d196b1ce1c137c9b4c1b1cc7f84afc04eae4f4542d222f6020281aff49496b8e3ba8ea1c031e3a5960467509ffa676f4f8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    4872dfde70b37d92308b24c0609e1c1e

    SHA1

    239bca1eaa66771ad95e3bf12ec1dc490c687b1c

    SHA256

    dc163ab23e2c960f339a297b25747e5a49ca7fc37e9e1b237fe394fe4c8e3976

    SHA512

    33ac0dd660851fdfa282d7ad6a99ed3c551bc12be78742d80d67c9f346bb592633f1e76c3a7ef53f84bc9d8dd348e1720c83e6c3399a60f47d54171f2602e517

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    aafe679c6b535ba839ae3046e4b83872

    SHA1

    43d6d4b1189c8bb3609e5990fc90aeba50bee74a

    SHA256

    b302809b73139fe4787bf21b7b58dc2c7ea840446647d25e66415dc48bf02034

    SHA512

    58c2d5a2e04d00f15acd65f0b4ef7cb09896483ed8b75841590e65391cede3300f48076159f39b8eaa8bb18fd0defbe0fb1e517c297108fde032c8c952b5ee86

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c87a645ad388f481697fd78acc4e9e81

    SHA1

    6a4c07e49f29242137e030773b72875559acc4a7

    SHA256

    c01914baefe0a1f081eccc2fa8b50e83ee98f002431cb437ad42d0013f6cd220

    SHA512

    a08aa59cc2e773761906cfb071f34605eff504c25bec06608b502135a879729f98a54e5e240e584a9e641ef532539603bea2d98bf49b313316476e9e3ac7039b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    f86861548e65667eda476a01d03f2c4c

    SHA1

    ae14496cb49727ccc11f740538eff7c240311dba

    SHA256

    e01f3181624e66fe1d53f9f6feeaea13cf68e6619d002e505638aa67b3eba2c8

    SHA512

    ab5a7d1f153912efb6a762c603a9f87bf5646f109bd85f520741e0f06c004ee5ad5c5b47e9cd2da5bfd6a1f1b37e53f5b0a3a36a40936a746932e7ef63e3590d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    c2d092297145eba295994d442248cd0d

    SHA1

    48a7f5712347b39709c33a0f413ebd6982bcf3b9

    SHA256

    7878b9c93025f8dbe8450033ad5e1a9f589dd232b26a08bdef7f1a6ab74486f6

    SHA512

    f57ee8f8cb01da3d06fa57be6a4402c0dac17a139c1de46ed6ff330b481c078eb784b64bd4438cf3d71a70f4d61a73461e3d1d5a86834df06dff1249cfe464a9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6a703f266eaabcfcfdf406263961452a

    SHA1

    55ed1576982521c5e06c0f9062b4828bdeab69fa

    SHA256

    82e6a0bfe672786d8eb66e72aedc6e49d11b1705ac5fc43cb71d3be54c51a077

    SHA512

    f2c4d752be0dac2968c3ff02c97fe6302aa80bd2f08f4b36ae2bf4dce047543484e4565705b98c227f86a7a44ed5a69f1c1c4365e0f4b270b92b530f37b1f89a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    48caa6ccb2b380c56427b6d8185280e8

    SHA1

    76f59fee061782f5de07901a6cc9d3be77b2352c

    SHA256

    7e613c10b8013faf83bcf209408f28ed8551e4d7b53d25173495c40958f6632a

    SHA512

    4a50dde6a7a3270da2d320e48e5ad222d6f813741f02acdefa6269b233224d2c2891fbd6a744c659bdf227f169dc97d09889ee04197ab58f37fb0a1ae4a20356

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    717143bbef1428d37610fd88999bd245

    SHA1

    11b1d0e4ce317efde5cfc572f2604f86fab28789

    SHA256

    3f5b026dbc0c834a6a0e318c5f80859f8f1c930af17ad3b639a234ab8cbe250e

    SHA512

    a3ed4ba8efe44e77160ccae54f97abfbf74785383bf10413153e62815818d623df394f29980187ea312c5b0627ef18955833af2d1453519748fbdf069feed033

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    82565d1577258c0dfb79307785a3a401

    SHA1

    448d268b669c83f59eaa1d7792ddc70564bf0feb

    SHA256

    727c21082a8bc184659388fb74612d4c872f76f8ddf89b8113427afce1e99496

    SHA512

    7bee6934cc768a8b1d36d52bdd85431af578d80f536a5193ab8880d3d83b772e7a963a33e445c49c0a30b14cce147f2912b54fb914a506c16071363a7e311bf8

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    19a4484b0fffbfd39dd0ba279e115e19

    SHA1

    87d8f61a6c98e14e104c13cce77c8be8342b1876

    SHA256

    32b6b625248fdae8f03b654cdb63ccfb2fda66c1371a14553b1c779f3091363d

    SHA512

    0d03f477def1d1ddcee391390d9a7a386eebd5b37179c1efdf9f6dee8fa1874ad8d89be780f339c02f64069b3a26a24c5adb8c0dfe1c5eeb3f1fdf671d79f6f0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    bd3cb9fb20a08e0dc0886a665b43373c

    SHA1

    156845a7bc0953469c71f66559fa78b27ba435b2

    SHA256

    4e0799f9fae1729ee89da9bfdd779f233b0b9b2c86f4c8074c8ae3eb77a10f91

    SHA512

    ec2a1d30af1e0e1dd338cac98b0d75522255da27fa2b15fbabf55da355c28252b8d6818d2b07bfad6f95df1019d11ab3641b897352d11fd3657ee39cd8b6e560

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b33e5f2786b870eef1f2e649f096f762

    SHA1

    b12e9f8c5956bc9455157749fa1d291191fea0b1

    SHA256

    e4e050deeab2b66a73faf2930539a12e14d0403a011e4381160b13b0588c1596

    SHA512

    ea8c1de6bae7c89059a50b47e5c4a36e0ef2015a1c069a66c3abf6b9b62e68f0465ac8d97c3e855c9c0ec2f6678f0faa3cc1ed4048c9ec568456e3809f0c48c5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    9074596e2cde2d562f3c1cbbedbd7046

    SHA1

    1d3753c3ea9fab72f83152afbfd8959ff621aee9

    SHA256

    84fbe49b2e78385bb6ac50509e109cfa04a43456567714f7c98903ad19ac073e

    SHA512

    f5d0cd3be6d9e705bb92d7b9022908e4dcbf1f53d5c736dc0d6ffc04887f9faed48bf8a38cafaa61c196e67b0c3b105cfd3e9cf7387a1c96c36fe5a22621506b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b73dc5fa05d33b0b2c1221a21d20f2b8

    SHA1

    618c15e72a70e9d62aef50f9ba86cfba59316fe0

    SHA256

    26b974931f9d701122386fc07e3a2574f0c0456e2b617ac1c500813984e45548

    SHA512

    8a15a04d0af3fbf66e4fdc561b8cc429c95c225c1ab213e1d40a5aa839d05b340f9d5cd7e7b6ed94c789bd34cec225ed719dd47deadf81f500a0b16cb69b3ef1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    6d01d9449338923dc99ac5e52d931cfd

    SHA1

    1d9052f3f8ea5332f6e45b603e0a36743d92bc4f

    SHA256

    f2b42b0945c9c243bbd4209a09914721dfef1505a66dc811c13ac117a7700123

    SHA512

    982757ee6f36ee093ab61db338ae9e8148ec9e625c6d2448f1df4085cc7789003b18a56013772de7ad7eea7e1da5e61413476fa820cca3957570e3d4bcb95597

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    11eee33bc72d8dd161901865bb8f2a00

    SHA1

    7408bec5bdf7b25c31625d8e33cd0a8f82f3857b

    SHA256

    342260098dd847a252eeb242f6aab9bf28c2d69870d2b3f52cecdab8fcbeecc5

    SHA512

    98d3b1b7124d493413c00f9fe5432c0399ab32b15f0bdd74debb4d3c924e1de6f08489a15f1490419e35928187fd55029d0567f213a81b256a3815d8ca7e1586

  • C:\Users\Admin\AppData\Local\Temp\Cab84FA.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar858B.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \DriverrefbrokerHostmonitor\BridgePortcom.exe
    Filesize

    2.6MB

    MD5

    8f5e91893b75fbe0e0349bf8c7588196

    SHA1

    c40d65ef34886089d9a1b5077d0a0d88b475c9d1

    SHA256

    d801f60d22a9c7c2ea2411298fa35b4eea7892392ef83ef36f64d19297b16073

    SHA512

    ef703c5057969b11adc8c0cfd6b9c655d2dba35f2b4c3fa9d2492bb4c13c67001e7f85728efedc6e2bb266bbc95d137c477be9968f7a7b3440db11977ec82580

  • memory/2092-58-0x00000000009D0000-0x0000000000C7E000-memory.dmp
    Filesize

    2.7MB

  • memory/2092-59-0x0000000002380000-0x00000000023D6000-memory.dmp
    Filesize

    344KB

  • memory/2656-29-0x00000000023F0000-0x00000000023FA000-memory.dmp
    Filesize

    40KB

  • memory/2656-28-0x00000000023E0000-0x00000000023EC000-memory.dmp
    Filesize

    48KB

  • memory/2656-27-0x00000000023D0000-0x00000000023DC000-memory.dmp
    Filesize

    48KB

  • memory/2656-26-0x0000000002490000-0x0000000002498000-memory.dmp
    Filesize

    32KB

  • memory/2656-25-0x00000000023C0000-0x00000000023CC000-memory.dmp
    Filesize

    48KB

  • memory/2656-24-0x0000000000C90000-0x0000000000C98000-memory.dmp
    Filesize

    32KB

  • memory/2656-23-0x0000000000900000-0x000000000090C000-memory.dmp
    Filesize

    48KB

  • memory/2656-22-0x00000000008F0000-0x00000000008FC000-memory.dmp
    Filesize

    48KB

  • memory/2656-21-0x00000000008E0000-0x00000000008E8000-memory.dmp
    Filesize

    32KB

  • memory/2656-20-0x00000000006C0000-0x00000000006CC000-memory.dmp
    Filesize

    48KB

  • memory/2656-19-0x0000000000BC0000-0x0000000000C16000-memory.dmp
    Filesize

    344KB

  • memory/2656-18-0x00000000006B0000-0x00000000006BA000-memory.dmp
    Filesize

    40KB

  • memory/2656-17-0x0000000000550000-0x0000000000560000-memory.dmp
    Filesize

    64KB

  • memory/2656-16-0x0000000000690000-0x00000000006A6000-memory.dmp
    Filesize

    88KB

  • memory/2656-15-0x0000000000670000-0x000000000068C000-memory.dmp
    Filesize

    112KB

  • memory/2656-14-0x0000000000140000-0x000000000014E000-memory.dmp
    Filesize

    56KB

  • memory/2656-13-0x0000000000CA0000-0x0000000000F4E000-memory.dmp
    Filesize

    2.7MB