Analysis
Score: 10

- Max time kernel: 149s
- Max time network: 154s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240611-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 21-06-2024 19:51
Behavioral tasks

- behavioral1: AKUMA/__pycache__/banner.cpython-310.pyc (resource win7-20240221-en)
- behavioral2: AKUMA/__pycache__/banner.cpython-310.pyc (resource win10v2004-20240611-en)
- behavioral3: AKUMA/__pycache__/banner.cpython-311.pyc (resource win7-20240220-en)
- behavioral4: AKUMA/__pycache__/banner.cpython-311.pyc (resource win10v2004-20240508-en)
- behavioral5: AKUMA/__pycache__/banner.cpython-312.pyc (resource win7-20240508-en)
- behavioral6: AKUMA/__pycache__/banner.cpython-312.pyc (resource win10v2004-20240226-en)
- behavioral7: AKUMA/__pycache__/ddos.cpython-311.pyc (resource win7-20240611-en)
- behavioral8: AKUMA/__pycache__/ddos.cpython-311.pyc (resource win10v2004-20240508-en)
- behavioral9: AKUMA/__pycache__/deanon.cpython-310.pyc (resource win7-20240611-en)
- behavioral10: AKUMA/__pycache__/deanon.cpython-310.pyc (resource win10v2004-20240508-en)
- behavioral11: AKUMA/__pycache__/deanon.cpython-311.pyc (resource win7-20240221-en)
- behavioral12: AKUMA/__pycache__/deanon.cpython-311.pyc (resource win10v2004-20240508-en)
- behavioral13: AKUMA/__pycache__/deanon.cpython-312.pyc (resource win7-20240508-en)
- behavioral14: AKUMA/__pycache__/deanon.cpython-312.pyc (resource win10v2004-20240611-en)
- behavioral15: AKUMA/__pycache__/get_ip.cpython-310.pyc (resource win7-20240221-en)
- behavioral16: AKUMA/__pycache__/get_ip.cpython-310.pyc (resource win10v2004-20240611-en)
- behavioral17: AKUMA/__pycache__/mail.cpython-310.pyc (resource win7-20240419-en)
- behavioral18: AKUMA/__pycache__/mail.cpython-310.pyc (resource win10v2004-20240611-en)
- behavioral19: AKUMA/__pycache__/mail.cpython-311.pyc (resource win7-20240611-en)
- behavioral20: AKUMA/__pycache__/mail.cpython-311.pyc (resource win10v2004-20240508-en)
- behavioral21: AKUMA/__pycache__/mail.cpython-312.pyc (resource win7-20240221-en)
- behavioral22: AKUMA/__pycache__/mail.cpython-312.pyc (resource win10v2004-20240226-en)
- behavioral23: AKUMA/f.l.e.a.t..exe (resource win7-20240611-en)
General

- Target: AKUMA/f.l.e.a.t..exe
- Size: 3.0MB
- MD5: 7a17eddc28b3fc122db1a2e5f7b5e2dc
- SHA1: ee9b62c3d342d6009b26dcfebcf4cb4481617754
- SHA256: 2a07585be2d377da5cc225cb4ec9c4195ad14a336a279cb829d1da00ecbb277c
- SHA512: 4e89dc6a6fd9815a63fd5be87f21fe52b000343fe78ef9af4275492bcdbeb29f807b99e809f2c3af03017572aa589fb201a485176bef09bfe7dce51f858bd19f
- SSDEEP: 49152:UbA30XgNBsZoNqWheC3X+0MrQBkVOMmZui/fhjiS5juQwaVZFzyQ8xXZwB8kMc:Ub7gbsZoNEiX05VOfui3tD5qQwWFzy/6
Malware Config
Signatures

DcRat
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: Parent C:\Windows\system32\wbem\wmiprvse.exe (PID 1884) is not expected to spawn schtasks.exe; child PIDs 2992, 3736, 4936, 2612, 2212, 4972, 2656, 4168, 4744, 4656, 1348, 4392.

UAC bypass
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (BridgePortcom.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (BridgePortcom.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (StartMenuExperienceHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (StartMenuExperienceHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (StartMenuExperienceHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (BridgePortcom.exe)

YARA matches:
- C:\DriverrefbrokerHostmonitor\BridgePortcom.exe: dcrat
- behavioral24/memory/3448-13-0x00000000009C0000-0x0000000000C6E000-memory.dmp: dcrat

Disables Task Manager via registry modification

Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation (f.l.e.a.t..exe)
- Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation (WScript.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation (BridgePortcom.exe)

Executes dropped EXE (2 IoCs)
Processes:
- 3448 BridgePortcom.exe
- 3444 StartMenuExperienceHost.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (StartMenuExperienceHost.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (BridgePortcom.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (BridgePortcom.exe)
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (StartMenuExperienceHost.exe)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 24: ip-api.com

Drops file in Program Files directory (5 IoCs)
Processes:
- File created C:\Program Files (x86)\Windows Portable Devices\9e8d7a4ca61bd9 (BridgePortcom.exe)
- File created C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe (BridgePortcom.exe)
- File created C:\Program Files\Microsoft Office 15\ClientX64\6cb0b6c459d5d3 (BridgePortcom.exe)
- File created C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe (BridgePortcom.exe)
- File opened for modification C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe (BridgePortcom.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)

Modifies registry class (2 IoCs)
Processes:
- Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings (f.l.e.a.t..exe)
- Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings (BridgePortcom.exe)

Modifies registry key (1 TTP, 1 IoC)

Runs regedit.exe (1 IoC)
Processes:
- 1544 regedit.exe

Scheduled Task/Job: Scheduled Task (1 TTP, 12 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe with PIDs 2612, 2212, 4972, 2656, 4168, 4744, 2992, 4936, 4656, 4392, 3736, 1348.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 3448 BridgePortcom.exe and 3444 StartMenuExperienceHost.exe (64 events in total).

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
- 3444 StartMenuExperienceHost.exe
- 1544 regedit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Processes: 5112 msedge.exe (all 10 events).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, 3448 BridgePortcom.exe
- Token: SeDebugPrivilege, 3444 StartMenuExperienceHost.exe

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes: 5112 msedge.exe (all 25 events).

Suspicious use of SendNotifyMessage (24 IoCs)
Processes: 5112 msedge.exe (all 24 events).

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (distinct parent/target pairs among the 64 events):
- PID 1428 f.l.e.a.t..exe wrote to memory of 2384 WScript.exe
- PID 2384 WScript.exe wrote to memory of 4872 cmd.exe
- PID 4872 cmd.exe wrote to memory of 3448 BridgePortcom.exe
- PID 3448 BridgePortcom.exe wrote to memory of 3040 cmd.exe
- PID 4872 cmd.exe wrote to memory of 2732 reg.exe
- PID 3040 cmd.exe wrote to memory of 624 w32tm.exe
- PID 3040 cmd.exe wrote to memory of 3444 StartMenuExperienceHost.exe
- PID 3444 StartMenuExperienceHost.exe wrote to memory of 5112 msedge.exe
- PID 5112 msedge.exe wrote to memory of 888 msedge.exe
- PID 5112 msedge.exe wrote to memory of 1020 msedge.exe
- PID 5112 msedge.exe wrote to memory of 1772 msedge.exe
- PID 5112 msedge.exe wrote to memory of 2212 msedge.exe

System policy modification (1 TTP, 6 IoCs)
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (BridgePortcom.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (StartMenuExperienceHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (StartMenuExperienceHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (StartMenuExperienceHost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (BridgePortcom.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (BridgePortcom.exe)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\AKUMA\f.l.e.a.t..exe"C:\Users\Admin\AppData\Local\Temp\AKUMA\f.l.e.a.t..exe"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\DriverrefbrokerHostmonitor\6JhXF8E5VqOiEt6G.vbe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\DriverrefbrokerHostmonitor\in39wj3.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\DriverrefbrokerHostmonitor\BridgePortcom.exe"C:\DriverrefbrokerHostmonitor\BridgePortcom.exe"4⤵
- UAC bypass
- Checks computer location settings
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3448 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SKH5vY7aaO.bat"5⤵
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:26⤵PID:624
-
C:\Users\Public\Music\StartMenuExperienceHost.exe"C:\Users\Public\Music\StartMenuExperienceHost.exe"6⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3444 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:13500/7⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb35ed46f8,0x7ffb35ed4708,0x7ffb35ed47188⤵PID:888
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:28⤵PID:1020
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:38⤵PID:1772
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:88⤵PID:2212
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:18⤵PID:4392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:18⤵PID:1148
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:18⤵PID:2044
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:18⤵PID:4576
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:88⤵PID:3516
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:88⤵PID:2532
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:18⤵PID:3920
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:18⤵PID:2304
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:18⤵PID:5052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:18⤵PID:1232
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:18⤵PID:976
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:18⤵PID:4780
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,17314481568233939350,3091252198587941537,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3032 /prefetch:28⤵PID:2844
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f4⤵
- Modifies registry key
PID:2732
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2992
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 3736
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4936
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2612
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2212
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4972
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4168
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4744
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4656
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1348
-
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
Depth: 1
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 4392
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Depth: 1
PID: 2768
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID: 396
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
Depth: 1
PID: 3248
-
C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
Depth: 1
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID: 1544
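The twelve schtasks lines and the reg add above are the sample's persistence and anti-analysis setup: four system-process names (RuntimeBroker, dwm, fontdrvhost, StartMenuExperienceHost) are each registered once at logon with /rl HIGHEST and twice on a minute-interval watchdog (the second /create with the same task name and /f overwrites the first), and every task points at a copy of the binary in a non-system, user-writable directory. The Python below is an added example for this report, not sandbox output and not the sample's own code: it parses command lines of exactly that shape and flags the masquerading targets, the HIGHEST run level, the short re-run intervals and the DisableTaskMgr policy write. The allow-list rule (a genuine copy of these names lives under C:\Windows), the 15-minute watchdog threshold and the benign comparison line are assumptions constructed for the example.

```python
"""Flag scheduled-task persistence that masquerades as Windows system binaries.

Added example for this report (not part of the sandbox output). It parses
schtasks.exe / reg.exe command lines like those in the process tree above
and reports tasks that point a system-process name at a copy outside
C:\\Windows, request /rl HIGHEST, or re-run every few minutes, plus the
reg add that sets DisableTaskMgr=1.
"""
import re
from pathlib import PureWindowsPath

# Process names the sample imitates. Assumption made for this example: a
# genuine copy of any of these lives somewhere under C:\Windows, so a task
# whose target has one of these names elsewhere is treated as masquerading.
SYSTEM_PROCESS_NAMES = {
    "runtimebroker.exe", "dwm.exe", "fontdrvhost.exe",
    "startmenuexperiencehost.exe",
}
MAX_WATCHDOG_MINUTES = 15  # assumed threshold for "re-launch loop" tasks

# schtasks options: '/key value', '/key "quoted value"' or a bare '/key'.
_OPT_RE = re.compile(r'/(\w+)(?:\s+("[^"]*"|(?!/)\S+))?')

# Command lines copied from the process tree of this report.
REPORT_CMDLINES = r"""
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /f
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\RuntimeBroker.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /f
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\dwm.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\fontdrvhost.exe'" /f
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\fontdrvhost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /f
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\StartMenuExperienceHost.exe'" /rl HIGHEST /f
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
""".strip().splitlines()

# Constructed benign line (not from the report): same name, genuine location.
BENIGN_CMDLINE = r'schtasks.exe /create /tn "LegitDwm" /sc ONLOGON /tr "C:\Windows\System32\dwm.exe" /f'


def parse_schtasks(cmdline: str) -> dict:
    """Map schtasks options to values; bare flags map to True. Surrounding
    double and single quotes are stripped (the sample wraps /tr in both)."""
    opts = {}
    for key, val in _OPT_RE.findall(cmdline):
        opts[key.lower()] = val.strip('"').strip("'") if val else True
    return opts


def is_masquerading(target: str) -> bool:
    """True if target carries a system-process name but sits outside C:\\Windows."""
    p = PureWindowsPath(target)
    if p.name.lower() not in SYSTEM_PROCESS_NAMES:
        return False
    parts = [s.lower() for s in p.parts]
    return parts[:2] != ["c:\\", "windows"]


def analyze(cmdlines):
    """Return one finding dict per suspicious command line."""
    findings = []
    for line in cmdlines:
        if not line.strip():
            continue
        exe = PureWindowsPath(line.split(None, 1)[0]).stem.lower()
        if exe == "schtasks" and "/create" in line.lower():
            o = parse_schtasks(line)
            target = str(o.get("tr", ""))
            reasons = []
            if is_masquerading(target):
                reasons.append("system-process name outside C:\\Windows")
            if str(o.get("rl", "")).upper() == "HIGHEST":
                reasons.append("/rl HIGHEST")
            mo = str(o.get("mo", ""))
            if (str(o.get("sc", "")).upper() == "MINUTE" and mo.isdigit()
                    and int(mo) <= MAX_WATCHDOG_MINUTES):
                reasons.append(f"re-runs every {mo} min")
            if reasons:
                findings.append({"kind": "schtasks", "task": o.get("tn"),
                                 "target": target, "reasons": reasons})
        elif exe == "reg" and re.search(
                r"policies\\system\s+/v\s+disabletaskmgr\b.*?/d\s+1\b", line, re.I):
            findings.append({"kind": "reg", "task": None,
                             "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr = 1",
                             "reasons": ["Task Manager disabled via policy"]})
    return findings


if __name__ == "__main__":
    for f in analyze(REPORT_CMDLINES + [BENIGN_CMDLINE]):
        print(f"[{f['kind']}] {f['task']!s:26} {f['target']}  <- {', '.join(f['reasons'])}")
```

Run stand-alone it prints thirteen findings and nothing for the benign line. The same three checks translate directly to a hunt over live hosts (Security event 4698 or the XML under C:\Windows\System32\Tasks): a task action whose image name matches a protected system process but whose path is not under C:\Windows is a high-confidence indicator on its own; the HIGHEST run level and a sub-15-minute interval are supporting signals that separate a persistence watchdog from an ordinary maintenance task.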
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Downloads
-
C:\DriverrefbrokerHostmonitor\6JhXF8E5VqOiEt6G.vbe
Filesize: 210B
MD5: 3d5fd8f807da0d61ca3fa5dca7e45c5a
SHA1: 6f2d53fe7717c5f29c6b49bf1e24ed7688b78fe0
SHA256: 5808f2dd0b95fcd5ec99f0d6989e3e3fa43d010299ff6e9ed2b0d2ed3d2f1050
SHA512: 8d05c605c42e757de126d057392942301c1d54e055494ae98d3ae30f3d7af7a5a2d2cd13679e5391253076ff93212b1793b51943c3659e3860a18b3b409b89ac
-
C:\DriverrefbrokerHostmonitor\BridgePortcom.exe
Filesize: 2.6MB
MD5: 8f5e91893b75fbe0e0349bf8c7588196
SHA1: c40d65ef34886089d9a1b5077d0a0d88b475c9d1
SHA256: d801f60d22a9c7c2ea2411298fa35b4eea7892392ef83ef36f64d19297b16073
SHA512: ef703c5057969b11adc8c0cfd6b9c655d2dba35f2b4c3fa9d2492bb4c13c67001e7f85728efedc6e2bb266bbc95d137c477be9968f7a7b3440db11977ec82580
-
C:\DriverrefbrokerHostmonitor\in39wj3.bat
Filesize: 161B
MD5: f5680b342a5d4a3a130ef25bef57cb04
SHA1: a57261b163e84cf26e1c1d23d60b16a0cd9aedc7
SHA256: d0d87605d4cc0093b9ca75647cd0144b3790d49fa5d5f498acafd4be8a347ca2
SHA512: a596e1a661039487102e14393b9d32952b0449b3de4b8828adedeee308e79e999a7c114e972a6be42c1778eb8430b15b34f8c3531df97c5cbda72c27e41ac71a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: c39b3aa574c0c938c80eb263bb450311
SHA1: f4d11275b63f4f906be7a55ec6ca050c62c18c88
SHA256: 66f8d413a30451055d4b6fa40e007197a4bb93a66a28ca4112967ec417ffab6c
SHA512: eeca2e21cd4d66835beb9812e26344c8695584253af397b06f378536ca797c3906a670ed239631729c96ebb93acfb16327cf58d517e83fb8923881c5fdb6d232
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: dabfafd78687947a9de64dd5b776d25f
SHA1: 16084c74980dbad713f9d332091985808b436dea
SHA256: c7658f407cbe799282ef202e78319e489ed4e48e23f6d056b505bc0d73e34201
SHA512: dae1de5245cd9b72117c430250aa2029eb8df1b85dc414ac50152d8eba4d100bcf0320ac18446f865dc96949f8b06a5b9e7a0c84f9c1b0eada318e80f99f9d2b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 66d0ee7e3d473ee02f7149a6b9f26773
SHA1: 21e886f9659b81cfc3cd45f7c671a7af95e3cf4d
SHA256: 746a9f469c04b5a8afacae7c6225171667ec3e24fef42a786d34983aebfbe85f
SHA512: 9839a377f2a533cc07a0d255856814a7b9357f818d66924e35bda0a4ab389bcfa2e7fc67da649aaebd5915e3a27ea8562876a7d63e225f0b56d23c6fcd444099
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 5e65ff68a2018f29f5ca05850467116a
SHA1: 3ae0b599ffc5260ceee940468e4d4d149e01db00
SHA256: 43a49c116d696c688f8c8b19cc4cd95432f29ff4c3ce70b15067edb8612c1ce8
SHA512: 91220be80c79ed3c303e6f88e2b6ff508b9293ccd15d5198a190c71e7409436751d142ac58b143b28c873680e671399920ecb5211c74cd6e9460fe3e3a73aebf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 0dcecc75f5ecb41bf069c90e40e7cc89
SHA1: 88565301eb50775d0f9caa655f75decf0d5ff544
SHA256: 7f1a5f06f19ef99ce4d33557349181c786aaae788ef3cd55eef0ec80abf49392
SHA512: e67c696c00b9977319208998e83c7dbf17a0ed46c7dd4db6cf08bcdd6fde7351f268956fdcda61d89134a72ba29cdab08899c11b62e2c6826f7f6cb59dd5d7be
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: ab543bafdc0090e032c89422bb3e3a23
SHA1: 670667361e3c292d58dcb316c93bbf1da1da12de
SHA256: 756bc4feb3fc2d8ed85297a8a145219915f1fabe58303d74cc8dcf5fbf0c9b2e
SHA512: 85a6e2209fefff1f582aa10a61b9e0384fcd4d8effc66de5f072818a772f9b4b5af7b246a2574a08745e760d4afcc8819d4a4e5c2c67c85b399b033ae37be380
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 7ddff1159fbf3fa20d658c1c4e40cee6
SHA1: 03dd5a736464217fdfea6ebe181f665450117d9a
SHA256: a78b69918d01c8dbabf70591a5263bf6e5706653f791ed32f5836238b3d9a5db
SHA512: 7f489b035638c4c442073029663d54f59ddf4e0b1b109f37da096d86ea444f5ced5b507477a049a524fddea8b5bf44965ebc8d8b66a77b600f18340558494c0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: ebe80e0b55af41ce469a9ccb47bd10a6
SHA1: 692c6133fa9579145eea0745a6eff4baf4018dac
SHA256: 4dbaa578448a7a0bce538324fd1197ee7dffcdd86bcf83ae7234f2d9533957f1
SHA512: 43ebe057c787c8674799ad3f223cd379001610202b4e3725c7abc2654a31679c6681ff87831c912e07c2355f361cb6f0ccad5abede0b5d8d9fa5f496af9808c7
-
C:\Users\Admin\AppData\Local\Temp\SKH5vY7aaO.bat
Filesize: 214B
MD5: 7b1d2ca547dcb23e5bf53df2037aaa8b
SHA1: 68fb961de99dbaad3146421565af3f90db4afaf6
SHA256: 986c111ebfc0a8574201bf879498319bc71b1bb6a095612bd603c56a78e48404
SHA512: 0d554131a9ea9e0e6c417fb1413cde9e309f2e804bc3b0966bca8d8d63c64ade56c8c01ad4e3215252aca635399f2c73eb4f3ecd1e9f00f962fe5c57915d7153
-
\??\pipe\LOCAL\crashpad_5112_DBHLPSPYHZRBNHUJ
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These four values are the digests of empty input: nothing was captured from this Edge Crashpad named pipe, so they carry no indicator value and should not be added to a blocklist.)
-
memory/3448-18-0x000000001B820000-0x000000001B830000-memory.dmp
Filesize: 64KB
-
memory/3448-22-0x000000001C1A0000-0x000000001C1A8000-memory.dmp
Filesize: 32KB
-
memory/3448-25-0x000000001C220000-0x000000001C228000-memory.dmp
Filesize: 32KB
-
memory/3448-26-0x000000001C230000-0x000000001C23C000-memory.dmp
Filesize: 48KB
-
memory/3448-28-0x000000001C240000-0x000000001C24C000-memory.dmp
Filesize: 48KB
-
memory/3448-27-0x000000001C800000-0x000000001C808000-memory.dmp
Filesize: 32KB
-
memory/3448-29-0x000000001C7A0000-0x000000001C7AC000-memory.dmp
Filesize: 48KB
-
memory/3448-30-0x000000001C7B0000-0x000000001C7BA000-memory.dmp
Filesize: 40KB
-
memory/3448-23-0x000000001C1B0000-0x000000001C1BC000-memory.dmp
Filesize: 48KB
-
memory/3448-24-0x000000001C1C0000-0x000000001C1CC000-memory.dmp
Filesize: 48KB
-
memory/3448-21-0x000000001C190000-0x000000001C19C000-memory.dmp
Filesize: 48KB
-
memory/3448-20-0x000000001C550000-0x000000001C5A6000-memory.dmp
Filesize: 344KB
-
memory/3448-19-0x000000001C180000-0x000000001C18A000-memory.dmp
Filesize: 40KB
-
memory/3448-17-0x000000001B800000-0x000000001B816000-memory.dmp
Filesize: 88KB
-
memory/3448-16-0x000000001C1D0000-0x000000001C220000-memory.dmp
Filesize: 320KB
-
memory/3448-15-0x000000001B7E0000-0x000000001B7FC000-memory.dmp
Filesize: 112KB
-
memory/3448-14-0x000000001B760000-0x000000001B76E000-memory.dmp
Filesize: 56KB
-
memory/3448-13-0x00000000009C0000-0x0000000000C6E000-memory.dmp
Filesize: 2.7MB
-
memory/3448-12-0x00007FFB3BCF3000-0x00007FFB3BCF5000-memory.dmp
Filesize: 8KB