phemedrone | hxxps://disk[.]yandex[.]ru/d/YnQ_-USlCGYAtQ

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/YnQ_-USlCGYAtQ

Score

10^/10

phemedrone xmrig discovery evasion execution miner persistence spyware stealer upx

Malware Config

Signatures

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral1/memory/1496-3088-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1496-3087-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1496-3089-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1496-3085-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1496-3086-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1496-3083-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/1496-3082-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2080	powershell.exe
1584	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
1596	7z2406-x64.exe
2020	7zFM.exe
2576	proxyservers.exe
5924	optionsof.exe
1768	fewirakvdifb.exe

Loads dropped DLL 1 IoCs

pid	Process
2020	7zFM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2406-x64.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1496-3077-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1496-3080-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1496-3079-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1496-3088-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1496-3087-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1496-3089-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1496-3085-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1496-3086-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1496-3083-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1496-3082-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1496-3081-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/1496-3078-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
271	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	optionsof.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll.tmp	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2406-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2406-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2406-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2406-x64.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2608	sc.exe
4584	sc.exe
2612	sc.exe
3376	sc.exe
5528	sc.exe
1644	sc.exe
5680	sc.exe
3916	sc.exe
5364	sc.exe
2232	sc.exe
3672	sc.exe
5320	sc.exe
5296	sc.exe
4484	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133615461496944160"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2406-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2406-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2406-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2406-x64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\RustMe Soft.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5760	chrome.exe
5760	chrome.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
2576	proxyservers.exe
5924	optionsof.exe
2080	powershell.exe
2080	powershell.exe
5924	optionsof.exe
5924	optionsof.exe
5924	optionsof.exe
5924	optionsof.exe
5924	optionsof.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	firefox.exe
Token: SeDebugPrivilege	4972	firefox.exe
Token: SeDebugPrivilege	4972	firefox.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe
Token: SeCreatePagefilePrivilege	5760	chrome.exe
Token: SeShutdownPrivilege	5760	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
4972	firefox.exe
4972	firefox.exe
4972	firefox.exe
4972	firefox.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
2020	7zFM.exe
2020	7zFM.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4972	firefox.exe
4972	firefox.exe
4972	firefox.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe
5760	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4972	firefox.exe
4972	firefox.exe
4972	firefox.exe
4972	firefox.exe
4972	firefox.exe
4972	firefox.exe
4972	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 4972	4268	firefox.exe	82
PID 4268 wrote to memory of 4972	4268	firefox.exe	82
PID 4268 wrote to memory of 4972	4268	firefox.exe	82
PID 4268 wrote to memory of 4972	4268	firefox.exe	82
PID 4268 wrote to memory of 4972	4268	firefox.exe	82
PID 4268 wrote to memory of 4972	4268	firefox.exe	82
PID 4268 wrote to memory of 4972	4268	firefox.exe	82
PID 4268 wrote to memory of 4972	4268	firefox.exe	82
PID 4268 wrote to memory of 4972	4268	firefox.exe	82
PID 4268 wrote to memory of 4972	4268	firefox.exe	82
PID 4268 wrote to memory of 4972	4268	firefox.exe	82
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3100	4972	firefox.exe	83
PID 4972 wrote to memory of 3572	4972	firefox.exe	86
PID 4972 wrote to memory of 3572	4972	firefox.exe	86
PID 4972 wrote to memory of 3572	4972	firefox.exe	86
PID 4972 wrote to memory of 3572	4972	firefox.exe	86
PID 4972 wrote to memory of 3572	4972	firefox.exe	86
PID 4972 wrote to memory of 3572	4972	firefox.exe	86
PID 4972 wrote to memory of 3572	4972	firefox.exe	86
PID 4972 wrote to memory of 3572	4972	firefox.exe	86
PID 4972 wrote to memory of 3572	4972	firefox.exe	86
PID 4972 wrote to memory of 3572	4972	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://disk.yandex.ru/d/YnQ_-USlCGYAtQ"
1⤵
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://disk.yandex.ru/d/YnQ_-USlCGYAtQ
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.0.1320219930\1651510346" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {35e5aefa-1edf-4629-a4b8-fdd57216b0de} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 1836 2aa7f20f258 gpu
    3⤵
    PID:3100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.1.1090976771\761051111" -parentBuildID 20230214051806 -prefsHandle 2416 -prefMapHandle 2404 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {acf7c5f1-d103-4488-9243-e062eddc5493} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 2428 2aa6af89658 socket
    3⤵
    - Checks processor information in registry
    PID:3572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.2.1851401773\1828606583" -childID 1 -isForBrowser -prefsHandle 2688 -prefMapHandle 2604 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35c91896-41c3-4822-aff1-47249906b6c1} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 2824 2aa02520b58 tab
    3⤵
    PID:3156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.3.1560032233\278134746" -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3644 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {65a41fba-467e-4a00-ae3f-42e908eb6cbb} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 3660 2aa04722b58 tab
    3⤵
    PID:2172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.4.773051064\6018214" -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 5356 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fda1a00-2d53-4d16-b73f-8727d9b3eccb} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 5372 2aa06f4cb58 tab
    3⤵
    PID:4816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.5.1343287748\1633762662" -childID 4 -isForBrowser -prefsHandle 5532 -prefMapHandle 5540 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {110186ab-53dc-4dd3-9bd3-863f524a4cd4} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 5528 2aa06f4d158 tab
    3⤵
    PID:1908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.6.1844583894\942488688" -childID 5 -isForBrowser -prefsHandle 5708 -prefMapHandle 5716 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f326f072-aa39-476a-aab4-4d0dec890c98} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 5696 2aa06f4d458 tab
    3⤵
    PID:4796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.7.1159330122\673146913" -childID 6 -isForBrowser -prefsHandle 5768 -prefMapHandle 5532 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75911a3f-0508-463d-8c7b-04ff6c85c636} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 5248 2aa008bdd58 tab
    3⤵
    PID:4684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4972.8.1126921822\826571701" -childID 7 -isForBrowser -prefsHandle 9616 -prefMapHandle 3620 -prefsLen 31732 -prefMapSize 235121 -jsInitHandle 1360 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ffac4d1-58bb-4d80-aab6-a9855b93808c} 4972 "\\.\pipe\gecko-crash-server-pipe.4972" 9772 2aa0251d858 tab
    3⤵
    PID:2312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe7e45ab58,0x7ffe7e45ab68,0x7ffe7e45ab78
  2⤵
  PID:5876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:2
  2⤵
  PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1996 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2936 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:1
  2⤵
  PID:6088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2960 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3912 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4712 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5072 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4956 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4748 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:1
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5004 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5040 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:1404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4568 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4296 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4808 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4584 --field-trial-handle=2028,i,13123531360481410609,4775291076299956919,131072 /prefetch:8
  2⤵
  PID:880
- C:\Users\Admin\Downloads\7z2406-x64.exe
  "C:\Users\Admin\Downloads\7z2406-x64.exe"
  2⤵
  - Executes dropped EXE
  - Registers COM server for autorun
  - Drops file in Program Files directory
  - Modifies registry class
  PID:1596

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3576

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\RustMe Soft.zip"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\RustMe Soft\start.bat" "
1⤵
PID:3656
- C:\Users\Admin\Desktop\RustMe Soft\client_1_12_2\proxyservers.exe
  "client_1_12_2\proxyservers.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2576
- C:\Users\Admin\Desktop\RustMe Soft\client_1_12_2\optionsof.exe
  "client_1_12_2\optionsof.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5924
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4152
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:228
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:5528
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1644
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2232
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:2608
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4584
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:6044
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:5432
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:5628
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:5624
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WQIBBSFB"
    3⤵
    - Launches sc.exe
    PID:2612
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WQIBBSFB" binpath= "C:\ProgramData\raxgtymifkhn\fewirakvdifb.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:5680
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3672
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WQIBBSFB"
    3⤵
    - Launches sc.exe
    PID:3916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4372

C:\ProgramData\raxgtymifkhn\fewirakvdifb.exe
C:\ProgramData\raxgtymifkhn\fewirakvdifb.exe
1⤵
- Executes dropped EXE
PID:1768
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  PID:1584
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3608
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:5056
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:3376
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:5364
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:5320
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:5296
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4484
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:4436
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:4892
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:3408
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:5792
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:5824
- C:\Windows\system32\conhost.exe
  conhost.exe
  2⤵
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1939f878ae8d0cbcc553007480a0c525

SHA1
df9255af8e398e72925309b840b14df1ae504805

SHA256
86926f78fad0d8c75c7ae01849bf5931f4484596d28d3690766f16c4fb943c19

SHA512
a5e4431f641e030df426c8f0db79d4cef81a67ee98e9253f79c1d9e41d4fc939de6f3fd5fc3a7170042842f69be2bb15187bf472eeaaf8edd55898e90b4f1ddd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
960KB

MD5
5764deed342ca47eb4b97ae94eedc524

SHA1
e9cbefd32e5ddd0d914e98cfb0df2592bebc5987

SHA256
c5c7ad094ad71d8784c8b0990bf37a55ffc7c7ab77866286d77b7b6721943e4f

SHA512
6809130394a683c56a0245906d709b2289a631f630055d5e6161b001e216d58045d314b0148512d8c01f0c2bf5f9f16e93fa7d61ab3d24beab4f9c3d4db13c18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
372e1955420103eb8cf35c80b8f8c115

SHA1
354ae717bf084e2de76242b74348699e532bd249

SHA256
affcb5f754e84593acf4ba2479bf3fc64a914e7b2dd7b300a99c084d942001b5

SHA512
2e3b93d9adfa740fc084b72e40a1f7897300ceca7fc456c74f5f637b8ce5d3d57f4c76556a9061ae08be37d807e380c16cf99f4d0d1c26e18b717a990fef6235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
216276d90d38a663ca1b274dadc23144

SHA1
c6a61e512a182b07b6560856e50cc6a3ab5bf831

SHA256
9fd3939905af151965084e7391a179c8ce1091d98669f596897516ca21d667b8

SHA512
2e1513ec3a3bb45c117f81b223d058b6cf18e4e2fbd98e263ab53cc49ba3ea76e1a816cae6a04bcd1a4f11277398dd0b176ae5ed9ddcff254d4a062de9c70593

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b3783e0257c5a620dc012ea56a5ebe93

SHA1
11fd73acabdbfee35611c03afe1d09830373fc5a

SHA256
be9de6eb4e54e1c797a087883b5b663f21fac5f987840acc58b32943049e1db7

SHA512
f8684e951a2c73482ce9f10f4b0c3cee269ac4e7c8ea9939c19bd42dbc341306a6a125a52ab8f0c10534609902fd2a4dd78311301e7b2b66a532b9d36dd956c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
757a6310257735c02c0d68a9960554a0

SHA1
37d655185c52be8f0b7ecc617be524e685c39775

SHA256
652ac435bb12ce46df065c10c3ac3995878ed5db0aa0aab83bf6628879530d25

SHA512
457295ad4a51d018d9247d5c7538b57ab1d8102037f5b1e0f3478013b3f6958f180cfedd1e27e366cfe496eb790cb7852e7929d54b28158ab1a796e58ab8bfb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
88d6c4933846efd535d40e16b818b92b

SHA1
5b59a8eec6a2e4331d7f8ac50eb7664ee5c653c7

SHA256
17161de210aad373ec6b60e432e52dd511bb8cbb384564519594136d7d508e3f

SHA512
4caf92453fe7095667d800990c48b675d250e171dedd21d04cc7402a6a9abd5040ffd9212681f867b430aa787e856d34344f7847f087f2161ae7409a683637f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2a333371e9d36d4a0f33c435c5f474d6

SHA1
f5f06695e2acaf963d6749472cc18af9a422fb98

SHA256
cbe40e1d31a5ed91c8f125287828e036792e828245cce6d58122c2f4b4af19d4

SHA512
9878d7d293e8e1a82992b45ab8f4ce942b0ce897be1da607479ee3746da67704e7b76da151e2c2b95d0b8ce434acea0a1f41a6b006f6f0d2e22a95d7e12b1fe6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
182009f46c6582ae2e7b43e1abb12dd5

SHA1
917e627d5692b587e0661b90b05a61a019baeb1f

SHA256
7c43b67c83377a483465356e5b470e9524e1653cc2f541720a7eec1487a04699

SHA512
ae73b03c6354649de8f2ce62b6c2d3259c1daf0385fe74f79416f4dd7f2694cc0224a7fa5f58ae30a29dd2e52b2198d83763794e9f58daa36cc0912d63bdb9d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
113B

MD5
329f1e154fe7830873c71b5db92036d0

SHA1
9a42842f2ced980ec87dc1d1db454dfd034b21ef

SHA256
69852547a6b71bcdcc3f4123440965cfd27bd1d4d74542b8f81ff66e0c7c5dee

SHA512
0b913617ba64a994435aad55c4a35d77b54c3af3fa60fd613f4c92d676c57fc9c37a3dde135aa0d9ae5d3399cdd2b87b09c9bc4e0f25b97174c074f13de0929b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe590e10.TMP

Filesize
120B

MD5
50642fe6cf8f2bd9e49cc1d51aef22f7

SHA1
e63cd7e8123ec8e873d8f6de407472c101a6ad3a

SHA256
14851df62324d5d5f20b8db2df4ac15ae6194b05370322404a38b1b0efc40a6d

SHA512
e17e9968832f4d762babe110fa9f706806c617557dbb65da164b7fa4e59f393f26389d7c75d678bdb705b749bc1c5ae6694faee344262bab50e8986106d9b20e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
100KB

MD5
71e5bb9d2937a677d55678b33bd6872a

SHA1
3213f5e06f4385af47f9cb5330703995fe3fa8cd

SHA256
051bbbaf935fde502cff6433792d26016054908473459b19ca36872a77cd31a6

SHA512
57911f135982c34b585c142319cd057925fe5b1e1f7cd220625fd409b72118e6ca9db4434c430af55ecac069e2bcf17673b6b4809f21bdaa258c8e8396870355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ceee16f3-7eb8-4369-ae41-ee232730a2c8.tmp

Filesize
7KB

MD5
40cb767db7f2055283b1a90dd4008870

SHA1
7bc8355beb2ce1f87f3f64f73e3c477a05f314c8

SHA256
c9006b655f40b28ecac31a73740e8a9273392ba05415b6206b43b285857aaaa1

SHA512
92f4dd24a83d5da835dcee7738b0d39ed5fa96201fb4901fbb6663ae4db153eb3e80679ac48026aca7580ecf74b6fb396cfba0a1ccaeba8ef438776c8e8db615

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
009b9a2ee7afbf6dd0b9617fc8f8ecba

SHA1
c97ed0652e731fc412e3b7bdfca2994b7cc206a7

SHA256
de607a2c68f52e15a104ead9ecbaa3e6862fdb11eac080e408ba4d69f1f7a915

SHA512
6161dd952ae140a8fb8aa5e33f06bc65fdc15ce3fbfe4c576dc2668c86bce4a1d5c1112caee014e5efa3698547faad3bc80ec253eedb43148e36e1a02ce89910

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
261KB

MD5
bf06d4e4bf59520a2db86316388ebcef

SHA1
1f8f2874366bb3183a9c462ff62f231c529c6257

SHA256
357c0ccdce8f548b2c0f21c6413a52a511c3deb9181b3722776e67dce19bba64

SHA512
b31a9403c51f9226082f30a469eaaf0230556f9f23fc80cd425b6ed4bbb268ef37c06c8f50f223dff36c54f724a0eca3b0eefafc1dfe637f5b328a48e818e739

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
9ebde3d6500abd3d1b8dae69cbb45509

SHA1
20b49e9cc2189cc529eeb0c18269e1f14e1fa582

SHA256
7c99b617b02be1bf1b765665aca5652017b213092ad4c69518a2a5cef1ef0080

SHA512
e89161be70b5a0fa2c6e84c6fb7e0138bc268d4658063d7ab4b3aab7923645e2102359be165f25cc836a5446bf876eba0e4cf6d64f8ded21735dc5ffc28639de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58fac6.TMP

Filesize
88KB

MD5
c7d097528a1d0f56fe2768a6481b41c5

SHA1
fc69acfb651ec645ddec8a0b6e7d555ca4939b7a

SHA256
614f2fd09c2889aa146e836b62422180537e0fa771eb1c737980730388daa9af

SHA512
7467d2fccd05a8847e1cd87b9e10c109bf05d75581d3a4d4df681552cc1e9c89795a505486a70dbe6aaba8050da96e16f3d7979fa4beacf407e3d80df21647ba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
66eb17622273f33c9d45cd7957a79be0

SHA1
538d011a1f586ba7d690d09425c1942a4540689c

SHA256
0fa17c77219f73c0f337189e993a1be5c7d74348354a97c04105187da1e01da9

SHA512
d4dbea34400a2e14563f109a4db68d777c36640e36b22f659028cb7eb49cd192b80e6235162616f4dbfbf34ef07031dc4a731e6631cb65a0fb5a625d94083f49

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\cache2\entries\2A38FEF142E9FF8B7AA8781F3A5EFB4E899A8B19

Filesize
486KB

MD5
b643890cdafa1a07bfbf2733a7607984

SHA1
bde49467d6e460746c5ca5f4ff7c891517086ba1

SHA256
74af01ca372d5e1b349c7282147d5a0317271a6609f89f8f63f0ffaa2eb80ebc

SHA512
ad0db1486e94b197324e398002f0cea5c41f884285a9530d434e77f7ec43d136527b7b730d4228474f503553f0c6c756d18339acce190daf55bdf4228f76893b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\cache2\entries\F4EFE37A30D0F14C6AC03FF7949A51CBC2EBC649

Filesize
13KB

MD5
3a80f99f35b2be4c4587d460003800e0

SHA1
5800fe44641546560f257217ce04e6b481d759e4

SHA256
9d79c7533d4171276eb59581f8df7efc4e65051c0b28f466d8dbdcb3fbf5bf96

SHA512
a568e36190d48a1ea5bd454d0b3c81ce375ce77382439fc09fcd52c22e6f6ddfea01c554a4e6905209e7b9f06af8ba0c76c296de56257cee6c82bc7749750c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lubkevbh.ku4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\cookies.sqlite

Filesize
512KB

MD5
efd0a1f11a87ad21ffdc6633c496c053

SHA1
b26c119a907b24005abb27cd3b92e71d1f3f2c01

SHA256
69cba3e56a96e7cb9ce64375f6176b4b6258429ef922d022340c9f4ffbb128a1

SHA512
ce42d995e3b53b6da23a56cc91ac97807213ea8e0360c1f3d8317b622d7b951eec166d9206716641c51fa2faa04e0c5bd1ac9c452e57cf695264e26dbb99f14b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs-1.js

Filesize
11KB

MD5
1506577985df15e19bc3d969a54dc528

SHA1
686be89306ac8d3d95dfb1f06a0eff387d00641b

SHA256
d0c74a9e630c410cd67caf274b2dc719775a6f95fc76783e5cd8220d8c3fa265

SHA512
a42f1e62788a89052281e6a933aa36f5fc45ca303297ff9b72b209c371f46077617f60a961c1a084c9ffcbcf89455f2be0524e6894befa2c0334625c5c608aca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs-1.js

Filesize
7KB

MD5
41a8bcb60c8201abdd51ae700fa600c2

SHA1
9b9a53d41afbf5f59182edc06c0ef6b9c0bdcd5e

SHA256
46695d8d3e82e1fed3f66a716753db24d56e25b96ec60e5e1f01a759c4557050

SHA512
a746f6591a17c5869f586e61c9b22bc9a6a4acc80bb14164b0adc4b1ee406bb94ac9b4b59200aabc08a4a682b8dbc8ff496500fb304f7237c6e79181c40eceec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs-1.js

Filesize
6KB

MD5
c614c882c8cc8ca15057eb6ac80de563

SHA1
9c31a16d1d82e9f441c4e874c02e0666e4fd0ddb

SHA256
aaedd1063e776e54eb0b5b2749e4b87d49b0b7b60e278d1cb37adcbec3665fc4

SHA512
5eb9ab9c6c2bc0eec34ce5c04a9abaf948cfcd36f0e490e111c0cca5bc565e81b978ba28066556c79ebdb63c65519c8d47319cdca96e31e89d86781406473bdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\prefs-1.js

Filesize
7KB

MD5
0f5a4b23243cbf1b8a622dd1d5276668

SHA1
176319f464554581a438fb6b2d2b7be5de595b23

SHA256
bebd1aae756fcc52b767d106628e6c34a52ac837d175d5cd765958f522e026d4

SHA512
a1ab66319af2adf5f681a9de9ad086a8f4e7ee2b3615387b5ec48cd87f32dbb95e28f20d47beb1b2bfe76c8dd25c18ca7ee06ec69d94367beaaa5830734cd0a3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionCheckpoints.json

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
20cd61e6a72cae5e1a8a12b6808f648c

SHA1
3a2898a698cbc7eeb6567e8a7127cf1c6440c4bd

SHA256
0f8d114187acbd28c4c75a127e501480a3e280fcbf628c1a68f66e45adfb9283

SHA512
c851612e482663c22f7f328f1204603518aab6b2e5c19100ba41f3901b899ea0e8a880519ba406f98f56569ce199fdd48a8a0141f59ec8d1cbb2115270573830

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
5ee3b95d466d787ee5a907f49bd58dfa

SHA1
4c2540e57998bb26a95f7ccd4fa65b0929272288

SHA256
271e1751811e9869cba69a1a294eefd071fa65a939e0f4763062d3d28875fa68

SHA512
6625a29996c0a72968a0d89ac27b3377389d657ea624111f95c3018787279815905ca914f91ba95cd2b3fb352441a40f455679e2df2dc081b32449f05368461e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
10f374e0bf27659050680bce90be4908

SHA1
1357928bc6a7c5c8c9c953c7adbc9ca9638606ee

SHA256
296b0c3ca4a3a1812509b8f6556d55fc84f7e8e1473547bdb44cbcd194d95986

SHA512
9332ae09e829a5810f3c3eef147c186085cce29eea02073dcee37cd50cef78d08c0bdef499288f9ac498b685069c8e99683e2548643455b8d9d1ce89864f0c78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
3b0bfb03d4b8c6da0326fcaad02ab14c

SHA1
b78bfc4ea3ef052f0d7e854e47c810354c16304b

SHA256
2ab33ca8677a5cf83b3e775fa99de061d064b92674b882cd6303de5e6f8abac2

SHA512
9b5bf4a9f8c695ba506fab5f0c0a94b6d4a934ab7831e763d0fd53b4ddbc77338f6bd198cf3976e7a9c0538d5b7f10ae6f397803cc02f9dcc094184bb2d5c794

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\h6dhg2l4.default-release\sessionstore.jsonlz4

Filesize
2KB

MD5
ce9a120548c52e921f534563e9a73867

SHA1
cd907a28f1af9412382180b133dca5980564096d

SHA256
f8da7cedb2294c71b32ea65bc332b43b14674080b20e7259354d4b1fc9de78d1

SHA512
228a98b3a7926325665b9cd323b738ddc4ba826466fc96f5c73bf88d244302d030e9b6e70687ee8ca435561b088eed85eb38c6e9a04bc874a3b7831b87839311

Download Submit
C:\Users\Admin\Desktop\RustMe Soft\client_1_12_2\optionsof.exe

Filesize
2.5MB

MD5
220f7b5753f252691438ba574de31dcd

SHA1
9c4a86377e13ac893455ae5d2435f16821ee950d

SHA256
a9476079bb9e631c7172d501f4a61f23ecc4df8dfdd2933f37f19f1045b52ced

SHA512
c0c7f38b25e948005a4b3204fae33d8e8fbc4c812d47af073b7dc28f022a7cd825056ef51797038766275fba6a1e4c4f9668d34362f278ba73d80fb278c6f6f0

Download Submit
C:\Users\Admin\Desktop\RustMe Soft\client_1_12_2\proxyservers.exe

Filesize
83KB

MD5
024e81ed603e5e0dd5c78aad816041a4

SHA1
3bd50202be201aa21dbd8aa8e0b25fefb983b180

SHA256
8f7b6ba475bbb4ba95fddac2acb6acccb905d9a4d55d58583fdbd8b7376bf801

SHA512
533d6795c02307622b1e023bc3c83c1f8bc0d69bfba5d67020758c41993098cbddccbcb81341f00b52055412a941e1ba4e7864e6f30d3d9419d9398309f62e7b

Download Submit
C:\Users\Admin\Desktop\RustMe Soft\start.bat

Filesize
83B

MD5
5a6c3aaf10605250aaebc64757f669f1

SHA1
7b6fc880dd26a42f7498733c01b6537e1ac20034

SHA256
5616b51e2f5002470f599452d6844b339a5c55556dffedc46e3e2c7deb70f232

SHA512
6d3314f0a9f3f05a21607125aff82cc809ec15523a3c9f4acc578af31b77b2901a9c75ae3b366752f4598b2a1a62070067e56ec203311aa9bf6e1d342efd92ab

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 255498.crdownload

Filesize
1.5MB

MD5
d8af785ca5752bae36e8af5a2f912d81

SHA1
54da15671ad8a765f3213912cba8ebd8dac1f254

SHA256
6220bbe6c26d87fc343e0ffa4e20ccfafeca7dab2742e41963c40b56fb884807

SHA512
b635b449f49aac29234f677e662be35f72a059401ea0786d956485d07134f9dd10ed284338503f08ff7aad16833cf034eb955ca34e1faf35a8177ccad1f20c75

Download Submit
memory/1496-3083-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3081-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3082-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3078-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3086-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3085-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3089-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3087-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3088-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3077-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3079-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3080-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1496-3084-0x000002DCEAA80000-0x000002DCEAAA0000-memory.dmp

Filesize
128KB

Download
memory/1584-3065-0x000001DADBBC0000-0x000001DADBBC6000-memory.dmp

Filesize
24KB

Download
memory/1584-3058-0x000001DADB950000-0x000001DADB96C000-memory.dmp

Filesize
112KB

Download
memory/1584-3059-0x000001DADB970000-0x000001DADBA25000-memory.dmp

Filesize
724KB

Download
memory/1584-3060-0x000001DADBA30000-0x000001DADBA3A000-memory.dmp

Filesize
40KB

Download
memory/1584-3061-0x000001DADBBA0000-0x000001DADBBBC000-memory.dmp

Filesize
112KB

Download
memory/1584-3062-0x000001DADBB80000-0x000001DADBB8A000-memory.dmp

Filesize
40KB

Download
memory/1584-3066-0x000001DADBBD0000-0x000001DADBBDA000-memory.dmp

Filesize
40KB

Download
memory/1584-3064-0x000001DADBB90000-0x000001DADBB98000-memory.dmp

Filesize
32KB

Download
memory/1584-3063-0x000001DADBBE0000-0x000001DADBBFA000-memory.dmp

Filesize
104KB

Download
memory/2080-3025-0x00000261242B0000-0x00000261242D2000-memory.dmp

Filesize
136KB

Download
memory/2576-3012-0x00000000009F0000-0x0000000000A0C000-memory.dmp

Filesize
112KB

Download
memory/5824-3069-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5824-3073-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5824-3076-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5824-3071-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5824-3072-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/5824-3070-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download