phemedrone | hxxps://mega[.]nz/file/IH8QWYTL#BcI_WKvxxVeptdcphlAkZYijEWqgdgSVInTUCH0tfkU

Analysis

max time kernel
97s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-05-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/IH8QWYTL#BcI_WKvxxVeptdcphlAkZYijEWqgdgSVInTUCH0tfkU

Score

10^/10

phemedrone xmrig discovery evasion execution miner persistence spyware stealer upx

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1648-701-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1648-702-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1648-700-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1648-699-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1648-698-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1648-696-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1648-695-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1504 powershell.exe
3264 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 6 IoCs

Processes:

7z2406-x64.exe7zFM.exeoptionsof.exeproxyservers.exe7zFM.exefewirakvdifb.exe

pid process

5484 7z2406-x64.exe
5792 7zFM.exe
3284 optionsof.exe
748 proxyservers.exe
5284 7zFM.exe
4540 fewirakvdifb.exe
Loads dropped DLL 2 IoCs

Processes:

7zFM.exe7zFM.exe

pid process

5792 7zFM.exe
5284 7zFM.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1504	powershell.exe
3264	powershell.exe

pid	process
5484	7z2406-x64.exe
5792	7zFM.exe
3284	optionsof.exe
748	proxyservers.exe
5284	7zFM.exe
4540	fewirakvdifb.exe

pid	process
5792	7zFM.exe
5284	7zFM.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

7z2406-x64.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2406-x64.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1648-690-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1648-701-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1648-702-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1648-700-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1648-699-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1648-698-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1648-696-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1648-693-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1648-694-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1648-692-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1648-695-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1648-691-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

114 ip-api.com
Drops file in System32 directory 1 IoCs

Processes:

proxyservers.exe

description ioc process

File opened for modification C:\Windows\system32\MRT.exe proxyservers.exe

flow	ioc
114	ip-api.com

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	proxyservers.exe

Drops file in Program Files directory 64 IoCs

Processes:

7z2406-x64.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2406-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2406-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	7z2406-x64.exe

Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4672 sc.exe
876 sc.exe
1540 sc.exe
2052 sc.exe
5744 sc.exe
2560 sc.exe
5620 sc.exe
4696 sc.exe
3024 sc.exe
324 sc.exe
5664 sc.exe
4628 sc.exe
2576 sc.exe
3252 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4672	sc.exe
876	sc.exe
1540	sc.exe
2052	sc.exe
5744	sc.exe
2560	sc.exe
5620	sc.exe
4696	sc.exe
3024	sc.exe
324	sc.exe
5664	sc.exe
4628	sc.exe
2576	sc.exe
3252	sc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 48 IoCs

Processes:

powershell.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614571611074081"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe

Modifies registry class 21 IoCs

Processes:

7z2406-x64.exechrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2406-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeoptionsof.exe

pid	process
464	chrome.exe
464	chrome.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe
3284	optionsof.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

5284 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

464 chrome.exe
464 chrome.exe
464 chrome.exe
464 chrome.exe
464 chrome.exe
464 chrome.exe

pid	process
5284	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: 33	4176	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4176	AUDIODG.EXE
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe
Token: SeShutdownPrivilege	464	chrome.exe
Token: SeCreatePagefilePrivilege	464	chrome.exe

Suspicious use of FindShellTrayWindow 54 IoCs

Processes:

chrome.exe7zFM.exe7zFM.exe

pid	process
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
5792	7zFM.exe
5792	7zFM.exe
5284	7zFM.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe
464	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

7z2406-x64.exe

pid process

5484 7z2406-x64.exe

pid	process
5484	7z2406-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 464 wrote to memory of 4228	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 4228	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2724	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2228	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 2228	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe
PID 464 wrote to memory of 1772	464	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/IH8QWYTL#BcI_WKvxxVeptdcphlAkZYijEWqgdgSVInTUCH0tfkU
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff5f9ab58,0x7ffff5f9ab68,0x7ffff5f9ab78
2⤵
PID:4228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:2
2⤵
PID:2724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:1
2⤵
PID:1488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:1
2⤵
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4436 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:4404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4656 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:5396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4856 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:5460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:5948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=1752 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:1
2⤵
PID:5632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2408 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:1
2⤵
PID:5960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5688 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:5948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5692 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:6052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5680 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:2556

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6060 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:6064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2492 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:1
2⤵
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5876 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:1
2⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4860 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:5328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3124 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:5564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5292 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:5332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1896,i,6147161742613977643,8025868936438373985,131072 /prefetch:8
2⤵
PID:5504

C:\Users\Admin\Downloads\7z2406-x64.exe
"C:\Users\Admin\Downloads\7z2406-x64.exe"
2⤵
- Executes dropped EXE
- Registers COM server for autorun
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5484

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4180,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4080 /prefetch:8
1⤵
PID:5340

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5124

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Nursultan Alpha 1.16.5.zip"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Nursultan Alpha\start.bat" "
1⤵
PID:1328

C:\Users\Admin\Desktop\Nursultan Alpha\client_1_16_5\optionsof.exe
"client_1_16_5\optionsof.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3284

C:\Users\Admin\Desktop\Nursultan Alpha\client_1_16_5\proxyservers.exe
"client_1_16_5\proxyservers.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:748

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:2276

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:5484

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:5664

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:4696

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:5744

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:4672

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:4628

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:3164

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:5280

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:1484

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:1864

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WQIBBSFB"
3⤵
- Launches sc.exe
PID:3024

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WQIBBSFB" binpath= "C:\ProgramData\raxgtymifkhn\fewirakvdifb.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2560

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:876

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WQIBBSFB"
3⤵
- Launches sc.exe
PID:324

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Nursultan Alpha\client_1_16_5\proxyservers.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:5284

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5768

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Nursultan Alpha\client_1_16_5\options.txt
1⤵
PID:6084

C:\ProgramData\raxgtymifkhn\fewirakvdifb.exe
C:\ProgramData\raxgtymifkhn\fewirakvdifb.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:3900

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:336

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2576

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:5620

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:1540

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:3252

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2052

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:3356

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:3484

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:1696

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:452

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2140

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1939f878ae8d0cbcc553007480a0c525

SHA1
df9255af8e398e72925309b840b14df1ae504805

SHA256
86926f78fad0d8c75c7ae01849bf5931f4484596d28d3690766f16c4fb943c19

SHA512
a5e4431f641e030df426c8f0db79d4cef81a67ee98e9253f79c1d9e41d4fc939de6f3fd5fc3a7170042842f69be2bb15187bf472eeaaf8edd55898e90b4f1ddd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
960KB

MD5
5764deed342ca47eb4b97ae94eedc524

SHA1
e9cbefd32e5ddd0d914e98cfb0df2592bebc5987

SHA256
c5c7ad094ad71d8784c8b0990bf37a55ffc7c7ab77866286d77b7b6721943e4f

SHA512
6809130394a683c56a0245906d709b2289a631f630055d5e6161b001e216d58045d314b0148512d8c01f0c2bf5f9f16e93fa7d61ab3d24beab4f9c3d4db13c18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
a0ac6bbfb50956a9fa48d1dffacdc780

SHA1
61af56a84ec40e75ba5970eb210a49224e19aa10

SHA256
b7565ad6160486f0bee9d6543d6141d3771d23f636e83a2980035826008d44c2

SHA512
88cb90009e8a7b5773ca5bd98d44f2d4ed0ceee2793fbc406a02941bb3c7af438e8a8912a9000fe91c8165298648013397b615ad32a71b2cfd65d8bebc48529b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
0948adffeb596e90513b40b490f30565

SHA1
ad1de67ab4cbd024467187db0ffa97b3d8707082

SHA256
4466d418131e15e667351a337e3d74b9ab0baa57da0819e3812017f72df0252b

SHA512
2b4dfac1794c5b8e42dc10a7382baebba2ca81bb8c540a9e9c8fc103ce502d7b73ae8801752047156691ece61c2a60908c8fb9a0d2d07e61f82bea7e4f4dddc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
17089909f68689ddcd9d558298917e59

SHA1
1b4305dd5c0ae806d22ab8ce141f433e8ea3516a

SHA256
c35060716724a225bf5662f01402fb68c891da14d804b8c46b9afb64573d2a66

SHA512
8f3a6c65f3417aa3190af2dd254280f3d123ac4834fd4d77237730148a667aebc4abf57a3877853a3f0c604803be081e9bf29efc063eb82512efe80143033c77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f6574a4b2d20c8a5c8d61d242e57fcf8

SHA1
5b8798f6472950d25238eb59ab272bec51e4443a

SHA256
e4aeae48797a4cb431e2ac46d72b9b1be08036746467f77e8df71fac6b09b934

SHA512
e9fc8a1e1cb2398bcd52607e0684de63f37e05b65082193e492d48e8db151b2795fec64fc841781b0e728cedbcf06a6b495e7351331b7f86d5d3460c99d0fa8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
e59cc3ee7e5fae79cfb30a426a31ff8e

SHA1
5ca5161facb721b8ab27ba29e96fe3417bb25494

SHA256
93a1450b6cce54f603c30210a39fd559e3f7143269e3afd38e5777d487508184

SHA512
5c86ef03942dacb7b83da7d9ca9a6aae24c4eff1247f03edd5a993aec7a22348788e7bed18503525f9eee472b394f55a93017dff93c78201a3248f7ab3b47449

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
ae1bb992790229b86772232e3b8e7214

SHA1
c582faca3679d86269282e21f148829f33ae9494

SHA256
45aeaa63663c0de719d4241fc3351a91b62a9604d0426e7f1616248aeb6dc71a

SHA512
2777a854850dabffb13f989882aca8a804ade972ba1e31634404d08a108532d02fa20e2d6429f5ac16dfbf495106b4a2160939c222d59fb4b64d85ac48036de1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2867356493f711f484a63fd9b7340773

SHA1
9360d07436967bd0071e6c84e7058d281b2ad1a2

SHA256
b6994bcd04e05bd49b516d82079a12532776dd753fbad2309f2c7dce79133368

SHA512
4934ff1f24587c33ca4f23517fc6a47c77b847072ab0592900177ffeea9d213e828f24f7cb246694fe101aa72556b2ef943c35b7fddbc94a14ec0a1b4e13246c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
3674023fb31fb303b8243cdfec1d6b50

SHA1
30e661b328c994c668b06305d7a27da00e0d923d

SHA256
bbb8a818fc46f0570e0ce26a6c130aebb27049dc7ddb4e92c22dc18e3a11ca5d

SHA512
bcb96aaa0f3f147903e4d5ee5690ffe7f3c1365614ff298f17d3e3fae67f300c073177128a734f24d6dafa91d9f9e5c8cdd7d79813452843e107402c0eca860f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7e7bb1ede01920aa58f06d72d82fc175

SHA1
227ff35bbc9b8d3d6c17f86ef774a8e72b4ddabe

SHA256
ca2f405befc09fd4843787e9798a7341ccc71863bf8953a3d973f843970504a8

SHA512
1c6bcc37bd5473bc382db4b5186d27791df421014e74086bbb89c0b55168d56eb6086b3ded5d29fa1d496ab9668570ccc5b2f4f61617f38fdc004b34cb379cd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f8189111ab8f1f66d17b2e2db144c663

SHA1
b7ad9041b9fb397d342c9c038f5413ad89c91fb8

SHA256
3a9ec967ad323cc0f297b07b7cadd16d7e164ee208d4f1558229337204b13681

SHA512
417b18622ec0d8f4c250c5e161f88bac4822fc4b1760dfc58ff0200e5385ce1aa6e34a7b1af74ac9fa87a42695cca0b877f9eecd39ab447e332e6b67b931c140

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
94affe36b51fb3707add7cea61cbc405

SHA1
2d23f762fd42026b6398efb074033b3e4d0b6b77

SHA256
79f99cdb30eb38d352a1e252f4985545c52ab09c195a33426e3725336d8757af

SHA512
3c0072036fbf3f8aa229c4e7cefa472267f4c7fe2b82408e840afc976c30343c6ff885fe91dcf9717100f42587d79b664fc62cf17b2e199d380e4917caa9706c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe585908.TMP

Filesize
48B

MD5
4e5947cb157a41c060734b3c15d6a6ac

SHA1
d1a171314c41ebc87e43e62dac5af826b3797357

SHA256
b42ca79373bcfd31584d1981ec50fd934a8f7c95b4b785e3e8d099c58c05787b

SHA512
503e585333a411f6889e5a768dd465580d590aa14a2e1f1808119a7a15854058deb454efa0ddffd38b11c27a2803b9ee8f5cf162605f586ed7e4d7e2c9b0998b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
100KB

MD5
94ffb15a0640e51143d7af65fbc17fa1

SHA1
9e46fdd01a0788d3a1cf35fdd6388dda71dc82ad

SHA256
bcc21e317673afdd588684934d3723597079d745c7a902db73459894d78a9421

SHA512
7d309f97ca3977ea5d439b836ffbb066b1d2e4295dacdac41dd89a1dc872e2b70398a2392d74afc87353b3d249436fc283c10e9b88085e4babce86d6063ca615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
fc60a3966dd9d833a10bed2edcd11412

SHA1
724207fe67753500993688ac5a4b95f685a9d4e3

SHA256
cf480029d2941dd89ea637dbaec742c2048369bb79d920b3a232719b6009bf78

SHA512
554b5fc9cd3f780a8799c4171e1dcda8ecf5dc825598028f06158a216b6e150646b9406d6498736190eae53e0a29d90aceffdbdb30d974e168b1d429867371ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
f5a9bb4132766c59e7c92887101f80a6

SHA1
c52682297e1961f09e5ae7ebdee89ff2165e7130

SHA256
faaf5910ee8f1fce64596335e58f2ff879c6aeafdbf5feed28f5ced4e3a8512b

SHA512
e03cae0ae3a675922c0deb3ace7e4c0f69847d559055c28650afce75395dcac484983bc3cb193081864f8afbbc9aff67fb85e08459f124849b8352477694a392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
e5b44ff87a30217896aef7d8a9978d62

SHA1
0d297b3a1ef91d4762f023d866892436ac520daa

SHA256
7000b9c0f4957aac28ab31960b08c6d879175425e8541e6226dc810090b3b0df

SHA512
a52bef9c3faa6c7a1c101610f58264d56249059e33a0d22ed7aa75f0a3658b5bb213132df43006855516cb98e478fb51d50cd2fb8d325526494ee74720ebfe67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58f865.TMP

Filesize
97KB

MD5
068da67836626f9f96ed06720257e828

SHA1
8530ada47314897ec3f7fd6f771c67739aec44fb

SHA256
4f892773ccce93bd289ee657965ca53b6d0be882925ab8d5359811cd989c9074

SHA512
22962d8698b75fb3cee1ffd9b021d95c1fb057dd0a6550a2393f87eb03b737915738870bc32f892fdea0fd2a918acd665321ef4dba763af142ae5f145017c03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bpvpa0pz.dwh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Nursultan Alpha\client_1_16_5\options.txt

Filesize
2KB

MD5
41fbcb9b2a9aea6374972ab6018f9d88

SHA1
bc18e21f5fe536936819bd2f54c20900041f385d

SHA256
47f7b994f42c0ac0d5ba8989954728863ecb2e7a4c8768e00bc6cdb6828b6185

SHA512
be2375068fcd9fb9a99925e04bc3a65ea44a1d2806ade994ef6431384b1e8cda6fa1eb6fa896e90e7df9003ef00ac607069ea408a1b8932ac2a436ccb87f60a6

Download Submit
C:\Users\Admin\Desktop\Nursultan Alpha\client_1_16_5\optionsof.exe

Filesize
83KB

MD5
024e81ed603e5e0dd5c78aad816041a4

SHA1
3bd50202be201aa21dbd8aa8e0b25fefb983b180

SHA256
8f7b6ba475bbb4ba95fddac2acb6acccb905d9a4d55d58583fdbd8b7376bf801

SHA512
533d6795c02307622b1e023bc3c83c1f8bc0d69bfba5d67020758c41993098cbddccbcb81341f00b52055412a941e1ba4e7864e6f30d3d9419d9398309f62e7b

Download Submit
C:\Users\Admin\Desktop\Nursultan Alpha\client_1_16_5\proxyservers.exe

Filesize
2.5MB

MD5
220f7b5753f252691438ba574de31dcd

SHA1
9c4a86377e13ac893455ae5d2435f16821ee950d

SHA256
a9476079bb9e631c7172d501f4a61f23ecc4df8dfdd2933f37f19f1045b52ced

SHA512
c0c7f38b25e948005a4b3204fae33d8e8fbc4c812d47af073b7dc28f022a7cd825056ef51797038766275fba6a1e4c4f9668d34362f278ba73d80fb278c6f6f0

Download Submit
C:\Users\Admin\Desktop\Nursultan Alpha\start.bat

Filesize
83B

MD5
9722542cace5204daf6f2a73e5c4ba19

SHA1
917e8a58ed3ca53e6acbcc4185e7a95285cd0d04

SHA256
665ab9a4be12a85e4431a1b4f28b138fc9e82e915b6d66412985ba48241251a4

SHA512
c4ea807dc7a6575695951f43f124715b08f01151426953e22b76ec6c7c93bc19c955e8283373aa8111daa3a418a7b446a5f95ba00cca249506c95d981f642a8b

Download Submit
C:\Users\Admin\Downloads\Nursultan Alpha 1.16.5.zip

Filesize
35.9MB

MD5
21f5fdd0616176246cbc723bc4b07e9b

SHA1
050786682fcfa3aed2c3eb0bb1d5a2e8186af7fe

SHA256
f85aa39d0398943daefad03e5149a7369210a0a8057b6148aab0ad0638cec4fb

SHA512
7ff4740e9d23ae81450f989c0f29dcc36a608ec4680ac6ca0210f2525ba9891553fd218e9133485da22f1745bc9c362ca675ac48785a12ffffec61902e3721de

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 155781.crdownload

Filesize
1.5MB

MD5
d8af785ca5752bae36e8af5a2f912d81

SHA1
54da15671ad8a765f3213912cba8ebd8dac1f254

SHA256
6220bbe6c26d87fc343e0ffa4e20ccfafeca7dab2742e41963c40b56fb884807

SHA512
b635b449f49aac29234f677e662be35f72a059401ea0786d956485d07134f9dd10ed284338503f08ff7aad16833cf034eb955ca34e1faf35a8177ccad1f20c75

Download Submit
\??\pipe\crashpad_464_QXGJAMYEBEKOWSMB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1504-679-0x0000019975A80000-0x0000019975A8A000-memory.dmp

Filesize
40KB

Download
memory/1504-678-0x0000019975A70000-0x0000019975A76000-memory.dmp

Filesize
24KB

Download
memory/1504-671-0x0000019975800000-0x000001997581C000-memory.dmp

Filesize
112KB

Download
memory/1504-672-0x0000019975820000-0x00000199758D5000-memory.dmp

Filesize
724KB

Download
memory/1504-673-0x00000199758E0000-0x00000199758EA000-memory.dmp

Filesize
40KB

Download
memory/1504-674-0x0000019975A50000-0x0000019975A6C000-memory.dmp

Filesize
112KB

Download
memory/1504-675-0x0000019975A30000-0x0000019975A3A000-memory.dmp

Filesize
40KB

Download
memory/1504-676-0x0000019975A90000-0x0000019975AAA000-memory.dmp

Filesize
104KB

Download
memory/1504-677-0x0000019975A40000-0x0000019975A48000-memory.dmp

Filesize
32KB

Download
memory/1648-700-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1648-693-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1648-691-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1648-695-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1648-692-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1648-694-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1648-696-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1648-698-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1648-690-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1648-697-0x0000014567FC0000-0x0000014567FE0000-memory.dmp

Filesize
128KB

Download
memory/1648-701-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1648-702-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1648-699-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2140-682-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2140-684-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2140-685-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2140-689-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2140-686-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2140-683-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3264-647-0x0000011B35C10000-0x0000011B35C32000-memory.dmp

Filesize
136KB

Download
memory/3284-624-0x0000000000230000-0x000000000024C000-memory.dmp

Filesize
112KB

Download