phemedrone | 3581ec8316ebca52d075c8c97f22857f4eaa9e5c9ba3c4c08ec0ef57f8c610b2

Resubmissions

04-02-2024 09:11

240204-k5n22agcdl 10

04-02-2024 09:07

240204-k3s8zagcaq 10

Analysis

max time kernel
158s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2024 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FunPev.exe
Size

2.8MB
MD5

f8b3253892fbd1e56f2fc46b9b79166d
SHA1

4834ed4980148055733af52834958d2884d27b2f
SHA256

3581ec8316ebca52d075c8c97f22857f4eaa9e5c9ba3c4c08ec0ef57f8c610b2
SHA512

6bdbbe764ebb264f052cfd43633f81dc02e22c4b14f0eec78450d56217475f983b5202ab79dbe5c9f1bc453626cfd06e4fcaa13662f99b7072338e20ddafbe35
SSDEEP

49152:LekGSFyxsRbm58Dkwu2WDIxwZsjm8uV88i/O2g7QIIvw7QQZq4PXO:SkGSFsWbF1u9kxwuj+pi/c7nIA

Score

10^/10

phemedrone xmrig evasion miner persistence spyware stealer upx

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral2/memory/4628-204-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4628-205-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4628-207-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4628-208-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4628-210-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4628-209-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4628-211-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4628-223-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4628-224-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Pev.exe
File created	C:\Windows\system32\drivers\etc\hosts	ggljrwvvwhni.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	FunPev.exe

Executes dropped EXE 3 IoCs

pid	Process
4680	Fun.exe
3880	Pev.exe
3100	ggljrwvvwhni.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4628-199-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-200-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-201-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-202-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-203-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-204-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-205-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-207-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-208-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-210-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-209-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-211-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-223-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4628-224-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	ggljrwvvwhni.exe
File opened for modification	C:\Windows\system32\MRT.exe	Pev.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3100 set thread context of 4936	3100	ggljrwvvwhni.exe	138
PID 3100 set thread context of 4628	3100	ggljrwvvwhni.exe	136

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1684	sc.exe
2988	sc.exe
4500	sc.exe
1580	sc.exe
1396	sc.exe
8	sc.exe
2028	sc.exe
3232	sc.exe
2468	sc.exe
1888	sc.exe
4812	sc.exe
3548	sc.exe
2176	sc.exe
2040	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133515113859563359"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	FunPev.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
3880	Pev.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
3184	powershell.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
4680	Fun.exe
3184	powershell.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3880	Pev.exe
3100	ggljrwvvwhni.exe
3392	powershell.exe
3392	powershell.exe
3100	ggljrwvvwhni.exe
3100	ggljrwvvwhni.exe
3100	ggljrwvvwhni.exe
3100	ggljrwvvwhni.exe
3100	ggljrwvvwhni.exe
3100	ggljrwvvwhni.exe
3100	ggljrwvvwhni.exe
3100	ggljrwvvwhni.exe
3100	ggljrwvvwhni.exe
3100	ggljrwvvwhni.exe
3100	ggljrwvvwhni.exe
3100	ggljrwvvwhni.exe
4628	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4680	Fun.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	3880	Pev.exe
Token: SeShutdownPrivilege	2412	powercfg.exe
Token: SeCreatePagefilePrivilege	2412	powercfg.exe
Token: SeShutdownPrivilege	2324	powercfg.exe
Token: SeCreatePagefilePrivilege	2324	powercfg.exe
Token: SeShutdownPrivilege	4012	powercfg.exe
Token: SeCreatePagefilePrivilege	4012	powercfg.exe
Token: SeShutdownPrivilege	4420	powercfg.exe
Token: SeCreatePagefilePrivilege	4420	powercfg.exe
Token: SeDebugPrivilege	3392	powershell.exe
Token: SeDebugPrivilege	3100	ggljrwvvwhni.exe
Token: SeShutdownPrivilege	3584	powercfg.exe
Token: SeCreatePagefilePrivilege	3584	powercfg.exe
Token: SeShutdownPrivilege	5000	powercfg.exe
Token: SeCreatePagefilePrivilege	5000	powercfg.exe
Token: SeShutdownPrivilege	4896	powercfg.exe
Token: SeCreatePagefilePrivilege	4896	powercfg.exe
Token: SeShutdownPrivilege	564	powercfg.exe
Token: SeCreatePagefilePrivilege	564	powercfg.exe
Token: SeLockMemoryPrivilege	4628	svchost.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe
Token: SeShutdownPrivilege	3572	chrome.exe
Token: SeCreatePagefilePrivilege	3572	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe
3572	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 4680	4288	FunPev.exe	84
PID 4288 wrote to memory of 4680	4288	FunPev.exe	84
PID 4288 wrote to memory of 3880	4288	FunPev.exe	85
PID 4288 wrote to memory of 3880	4288	FunPev.exe	85
PID 2400 wrote to memory of 2280	2400	cmd.exe	102
PID 2400 wrote to memory of 2280	2400	cmd.exe	102
PID 3872 wrote to memory of 5008	3872	cmd.exe	122
PID 3872 wrote to memory of 5008	3872	cmd.exe	122
PID 2512 wrote to memory of 1132	2512	cmd.exe	151
PID 2512 wrote to memory of 1132	2512	cmd.exe	151
PID 3100 wrote to memory of 4936	3100	ggljrwvvwhni.exe	138
PID 3100 wrote to memory of 4936	3100	ggljrwvvwhni.exe	138
PID 3100 wrote to memory of 4936	3100	ggljrwvvwhni.exe	138
PID 3100 wrote to memory of 4936	3100	ggljrwvvwhni.exe	138
PID 3100 wrote to memory of 4936	3100	ggljrwvvwhni.exe	138
PID 3100 wrote to memory of 4936	3100	ggljrwvvwhni.exe	138
PID 3100 wrote to memory of 4936	3100	ggljrwvvwhni.exe	138
PID 3100 wrote to memory of 4936	3100	ggljrwvvwhni.exe	138
PID 3100 wrote to memory of 4936	3100	ggljrwvvwhni.exe	138
PID 3100 wrote to memory of 4628	3100	ggljrwvvwhni.exe	136
PID 3100 wrote to memory of 4628	3100	ggljrwvvwhni.exe	136
PID 3100 wrote to memory of 4628	3100	ggljrwvvwhni.exe	136
PID 3100 wrote to memory of 4628	3100	ggljrwvvwhni.exe	136
PID 3100 wrote to memory of 4628	3100	ggljrwvvwhni.exe	136
PID 3572 wrote to memory of 2072	3572	chrome.exe	160
PID 3572 wrote to memory of 2072	3572	chrome.exe	160
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161
PID 3572 wrote to memory of 5064	3572	chrome.exe	161

C:\Users\Admin\AppData\Local\Temp\FunPev.exe
"C:\Users\Admin\AppData\Local\Temp\FunPev.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\Fun.exe
  "C:\Users\Admin\AppData\Local\Temp\Fun.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Users\Admin\AppData\Local\Temp\Pev.exe
  "C:\Users\Admin\AppData\Local\Temp\Pev.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2028
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2040
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2988
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2468
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "DRIRIEJS"
    3⤵
    - Launches sc.exe
    PID:4812
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Pev.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3872
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "DRIRIEJS"
    3⤵
    - Launches sc.exe
    PID:1684
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:4500
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "DRIRIEJS" binpath= "C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:3548
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4012
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2324

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4136

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:2280

C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe
C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3392
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4628
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4936
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:1580
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:1396
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3232
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:8
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
1⤵
PID:5008

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:1132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff95fc39758,0x7ff95fc39768,0x7ff95fc39778
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1832,i,4668407791210181943,8186303941308348418,131072 /prefetch:2
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1832,i,4668407791210181943,8186303941308348418,131072 /prefetch:8
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1832,i,4668407791210181943,8186303941308348418,131072 /prefetch:8
  2⤵
  PID:4388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3024 --field-trial-handle=1832,i,4668407791210181943,8186303941308348418,131072 /prefetch:1
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1832,i,4668407791210181943,8186303941308348418,131072 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4752 --field-trial-handle=1832,i,4668407791210181943,8186303941308348418,131072 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4868 --field-trial-handle=1832,i,4668407791210181943,8186303941308348418,131072 /prefetch:8
  2⤵
  PID:1868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5008 --field-trial-handle=1832,i,4668407791210181943,8186303941308348418,131072 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 --field-trial-handle=1832,i,4668407791210181943,8186303941308348418,131072 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1832,i,4668407791210181943,8186303941308348418,131072 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1832,i,4668407791210181943,8186303941308348418,131072 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5020
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff722417688,0x7ff722417698,0x7ff7224176a8
    3⤵
    PID:4572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe

Filesize
826KB

MD5
58bf9ca0082e4879ee5b89e3df03f81d

SHA1
ff0345dcdf53ae3323465df09cf1911bb77af693

SHA256
6aad93c27b7aecdd0600c5fd6dcc0eb4ab8560a46cb0a9e3ae4d11a9860e6372

SHA512
bca2216d14bbb1f393c596347ebadb5473e63115a4e98f640f9c454f0b62a24585d8fe119f20165b77101b6ed43e1c7d2d67cd2994e3b02b848534fb72f9f606

Download Submit
C:\ProgramData\fizpxdtvfdpb\ggljrwvvwhni.exe

Filesize
457KB

MD5
e09d39ebe0bc453dc13ba7d626eb8d9e

SHA1
ac31c2434914e05955d51694ea35c9edb07eba87

SHA256
640b3d2b69ec65096f8cac33040f90b0817c25b59a3e1eaba59b34a4dc18a414

SHA512
1f5e053466c835deda7a5ecab64147979ec7c0e35fc5a20431d16b4f23e43fca5005b36fd65b39b4b94afeed1c77a2873fd052da9cfed1b054410eb9c19284aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7b2ee77c60707ba83174c4136a91e2f5

SHA1
e3ede714a4e392906411b458c9e496abe8c7bd17

SHA256
17dc6157c6d83d474385c045151bc200f3b6544ef764fc6257bc322348e00c2e

SHA512
0e9bd60f582dbcf64d882f0cd80c8f13a3f77aebdf7735f37dc5fc55c427f7772d761f6897339e43612272e38bc22935c6edb27e2c6c2534b2e0821c158257a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
b89590dbdf1143f3ce57ce8623b61f33

SHA1
4ca21eb1c169a723cd75443d81dc11dfe05d244d

SHA256
e6dccc7ec6c3eacd3670cb6b1727373614d7d50df38a22fe997b3915bbe28ecb

SHA512
facd2d5443f753006b5d6cebba6ffd447aa8c51700709d3c49c0f81b4a5084a862d54aa4e160d934a71dae46a81d1a2f4cf1bd860f1a2e1bf4e7dca9bbd6f392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
addbfb7ff49d0daa3b2e90124271b019

SHA1
b2815300a486f8d875626b7d619a7cdf5b624c6b

SHA256
ec803ae36b290b97f4102e698677b0d2f2f6c470ede5edb8657b6d044a6cc6c5

SHA512
b88d93349acfd696544891c3a0da53d5be5573cc82c2eb35628dc9648578c8f2cead290a1462744d77f6ef0331184176834aca54c8c53df07bdb6b8ce1810a1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
cae23928c451812ada017c8c141d4216

SHA1
46ce2baf2bf95c3a0bb420363754e624dbca5cd3

SHA256
c4d5b3e1f003c77ddc7be9a7112e451d291bb1035399f7dbcd83f11f99ead16e

SHA512
344848eb640d1449fd3e55ab15f12bbbc4d6f654e3035196b23230cb38e186662c9a03630211dbf55a0903b5096ab3cdf0b7be349b43fb4a17ad09502374b311

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1cf139361976ac4bac59ea716b1e046e

SHA1
7d33c8083cd8061b38425bddd5258674ea0354f5

SHA256
0420b57cba3a6d08729af76ebaf85c2e42df3c61903a4f75e4765fafbd35898b

SHA512
2009fbce78d96ce335f732b33ae974738683b45195cbeff191426a5bcd18a44e84552df6b30f82aaebebfa62b5698556103297c6ce2969b44d7ea1f3996765ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e8134895-f0e0-4706-8479-b35ac34aedcd.tmp

Filesize
15KB

MD5
13c5fa2dec96c0ac821584bd2ee6a877

SHA1
b2652a11986b72c358fdbe8e8b60157262f39204

SHA256
c7df923a0a801866ac531af5ea38142d4d9a10c431e1c71e57cc074614fb787b

SHA512
370b6865c8bcdbba92f938b671a972df4647208e5bafa40a3bcf42fe4798830705602b13aee9d9e46a115e0946e1bb2372855f2391e5a0b125a6400fbe4d65d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
4413f655d4aa2ee0b0abdd480bec65ad

SHA1
3ebb5d3892efe00b3362a979e61eaec03306ca03

SHA256
010fd025a9c1617ab99ad6377d7d580b6c6c0b64df5257e0c445ce76f3655755

SHA512
050a518dc774ef5158466a5d2111f2171bff90f990991bf1e1f855f97eb2eeea61cbad85cc97a1231f99b898774bf326429a502003291a0260dc097323b444b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fun.exe

Filesize
84KB

MD5
d4a83b7524f738c124b66e750005a370

SHA1
f0c823bfeee6d11b8388a6aa309dd26f99ffbd9f

SHA256
f2db703542baaaba867eb97e29d28afef5f19da2759831e7d03a0aa01e76585b

SHA512
0049de80fa35cff2760a68b8462578e9e0d9e6cd5b118572e646d476d237505ec5b3f07822fab70e45cf5297bb9cb8b4df6be4d63f6a6751daccd2056c71bc9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pev.exe

Filesize
2.6MB

MD5
5360523978557d28180f0aa67fc0216b

SHA1
bad046fd59f80c9b3908a3033851cd04a2055a71

SHA256
6d86fa05b2790cb6f0165e303b48a1ddc7e36c488225b797fa64cce15d4de3d3

SHA512
c33e349fdc65efa1055ae0d6d59f1d2bbaf7c32f966969e041deffca5903a4b96b59d0cea6635bf14c2cc8f7980d845a28f62a1a5d08b3283c5bf9c7758f778f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gvofxzej.ste.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
memory/3184-138-0x00007FF95F190000-0x00007FF95FC51000-memory.dmp

Filesize
10.8MB

Download
memory/3184-141-0x00000167210D0000-0x00000167210E0000-memory.dmp

Filesize
64KB

Download
memory/3184-142-0x00000167210D0000-0x00000167210E0000-memory.dmp

Filesize
64KB

Download
memory/3184-145-0x00007FF95F190000-0x00007FF95FC51000-memory.dmp

Filesize
10.8MB

Download
memory/3184-139-0x00000167210D0000-0x00000167210E0000-memory.dmp

Filesize
64KB

Download
memory/3184-140-0x00000167210D0000-0x00000167210E0000-memory.dmp

Filesize
64KB

Download
memory/3184-137-0x0000016721330000-0x0000016721352000-memory.dmp

Filesize
136KB

Download
memory/3392-183-0x00000210CBF90000-0x00000210CBF96000-memory.dmp

Filesize
24KB

Download
memory/3392-181-0x00000210CBFC0000-0x00000210CBFDA000-memory.dmp

Filesize
104KB

Download
memory/3392-188-0x00007FF95F190000-0x00007FF95FC51000-memory.dmp

Filesize
10.8MB

Download
memory/3392-166-0x00007FF4BD060000-0x00007FF4BD070000-memory.dmp

Filesize
64KB

Download
memory/3392-176-0x00000210CAC20000-0x00000210CAC3C000-memory.dmp

Filesize
112KB

Download
memory/3392-177-0x00000210CB070000-0x00000210CB125000-memory.dmp

Filesize
724KB

Download
memory/3392-178-0x00000210CAC40000-0x00000210CAC4A000-memory.dmp

Filesize
40KB

Download
memory/3392-179-0x00000210CBFA0000-0x00000210CBFBC000-memory.dmp

Filesize
112KB

Download
memory/3392-180-0x00000210CAC50000-0x00000210CAC5A000-memory.dmp

Filesize
40KB

Download
memory/3392-163-0x00000210CAC60000-0x00000210CAC70000-memory.dmp

Filesize
64KB

Download
memory/3392-182-0x00000210CBF80000-0x00000210CBF88000-memory.dmp

Filesize
32KB

Download
memory/3392-184-0x00000210CBFE0000-0x00000210CBFEA000-memory.dmp

Filesize
40KB

Download
memory/3392-160-0x00000210CAC60000-0x00000210CAC70000-memory.dmp

Filesize
64KB

Download
memory/3392-185-0x00000210CAC60000-0x00000210CAC70000-memory.dmp

Filesize
64KB

Download
memory/3392-161-0x00000210CAC60000-0x00000210CAC70000-memory.dmp

Filesize
64KB

Download
memory/3392-159-0x00007FF95F190000-0x00007FF95FC51000-memory.dmp

Filesize
10.8MB

Download
memory/4288-126-0x00007FF95F190000-0x00007FF95FC51000-memory.dmp

Filesize
10.8MB

Download
memory/4288-2-0x000000001C460000-0x000000001C716000-memory.dmp

Filesize
2.7MB

Download
memory/4288-0-0x0000000000290000-0x000000000055E000-memory.dmp

Filesize
2.8MB

Download
memory/4288-1-0x00007FF95F190000-0x00007FF95FC51000-memory.dmp

Filesize
10.8MB

Download
memory/4628-204-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-212-0x0000012D685A0000-0x0000012D685E0000-memory.dmp

Filesize
256KB

Download
memory/4628-275-0x0000012D685E0000-0x0000012D68600000-memory.dmp

Filesize
128KB

Download
memory/4628-199-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-225-0x0000012D685E0000-0x0000012D68600000-memory.dmp

Filesize
128KB

Download
memory/4628-224-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-206-0x0000012D68530000-0x0000012D68550000-memory.dmp

Filesize
128KB

Download
memory/4628-205-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-207-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-208-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-210-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-209-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-211-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-202-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-201-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-203-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-200-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4628-223-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4680-162-0x00007FF95F190000-0x00007FF95FC51000-memory.dmp

Filesize
10.8MB

Download
memory/4680-127-0x000000001BBB0000-0x000000001BBC0000-memory.dmp

Filesize
64KB

Download
memory/4680-67-0x00007FF95F190000-0x00007FF95FC51000-memory.dmp

Filesize
10.8MB

Download
memory/4680-66-0x0000000000A00000-0x0000000000A1C000-memory.dmp

Filesize
112KB

Download
memory/4680-165-0x00007FF95F190000-0x00007FF95FC51000-memory.dmp

Filesize
10.8MB

Download
memory/4936-192-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4936-193-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4936-198-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4936-195-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4936-194-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4936-191-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download