umbral | hxxps://disk[.]yandex[.]ru/d/jwqtAWcXaasUZg

Analysis

max time kernel
135s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://disk.yandex.ru/d/jwqtAWcXaasUZg

Score

10^/10

umbral execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1200901244135424020/I4v5pzJX0UjVd0FwK3ixFuD8uLYkkqVZ88yww4W1VnZTtqyRvVWACe1Ju91ncRYErY68

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023b64-2243.dat	family_umbral
behavioral1/memory/5624-2245-0x000001C1E83B0000-0x000001C1E8412000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1212	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector v3.7.3.exe

Executes dropped EXE 1 IoCs

pid	Process
5624	Extreme Injector v3.7.3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
198	ip-api.com

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2084	wmic.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\RustCheat v2524.rar:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1572	PING.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
5624	Extreme Injector v3.7.3.exe
5624	Extreme Injector v3.7.3.exe
1212	powershell.exe
1212	powershell.exe
1212	powershell.exe
5328	powershell.exe
5328	powershell.exe
5328	powershell.exe
5364	powershell.exe
5364	powershell.exe
5364	powershell.exe
3056	powershell.exe
3056	powershell.exe
3056	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5024	firefox.exe
Token: SeDebugPrivilege	5024	firefox.exe
Token: SeDebugPrivilege	5024	firefox.exe
Token: SeRestorePrivilege	4676	7zG.exe
Token: 35	4676	7zG.exe
Token: SeSecurityPrivilege	4676	7zG.exe
Token: SeSecurityPrivilege	4676	7zG.exe
Token: SeRestorePrivilege	4812	7zG.exe
Token: 35	4812	7zG.exe
Token: SeSecurityPrivilege	4812	7zG.exe
Token: SeSecurityPrivilege	4812	7zG.exe
Token: SeDebugPrivilege	5624	Extreme Injector v3.7.3.exe
Token: SeIncreaseQuotaPrivilege	4792	wmic.exe
Token: SeSecurityPrivilege	4792	wmic.exe
Token: SeTakeOwnershipPrivilege	4792	wmic.exe
Token: SeLoadDriverPrivilege	4792	wmic.exe
Token: SeSystemProfilePrivilege	4792	wmic.exe
Token: SeSystemtimePrivilege	4792	wmic.exe
Token: SeProfSingleProcessPrivilege	4792	wmic.exe
Token: SeIncBasePriorityPrivilege	4792	wmic.exe
Token: SeCreatePagefilePrivilege	4792	wmic.exe
Token: SeBackupPrivilege	4792	wmic.exe
Token: SeRestorePrivilege	4792	wmic.exe
Token: SeShutdownPrivilege	4792	wmic.exe
Token: SeDebugPrivilege	4792	wmic.exe
Token: SeSystemEnvironmentPrivilege	4792	wmic.exe
Token: SeRemoteShutdownPrivilege	4792	wmic.exe
Token: SeUndockPrivilege	4792	wmic.exe
Token: SeManageVolumePrivilege	4792	wmic.exe
Token: 33	4792	wmic.exe
Token: 34	4792	wmic.exe
Token: 35	4792	wmic.exe
Token: 36	4792	wmic.exe
Token: SeIncreaseQuotaPrivilege	4792	wmic.exe
Token: SeSecurityPrivilege	4792	wmic.exe
Token: SeTakeOwnershipPrivilege	4792	wmic.exe
Token: SeLoadDriverPrivilege	4792	wmic.exe
Token: SeSystemProfilePrivilege	4792	wmic.exe
Token: SeSystemtimePrivilege	4792	wmic.exe
Token: SeProfSingleProcessPrivilege	4792	wmic.exe
Token: SeIncBasePriorityPrivilege	4792	wmic.exe
Token: SeCreatePagefilePrivilege	4792	wmic.exe
Token: SeBackupPrivilege	4792	wmic.exe
Token: SeRestorePrivilege	4792	wmic.exe
Token: SeShutdownPrivilege	4792	wmic.exe
Token: SeDebugPrivilege	4792	wmic.exe
Token: SeSystemEnvironmentPrivilege	4792	wmic.exe
Token: SeRemoteShutdownPrivilege	4792	wmic.exe
Token: SeUndockPrivilege	4792	wmic.exe
Token: SeManageVolumePrivilege	4792	wmic.exe
Token: 33	4792	wmic.exe
Token: 34	4792	wmic.exe
Token: 35	4792	wmic.exe
Token: 36	4792	wmic.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	5328	powershell.exe
Token: SeDebugPrivilege	5364	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeIncreaseQuotaPrivilege	1560	wmic.exe
Token: SeSecurityPrivilege	1560	wmic.exe
Token: SeTakeOwnershipPrivilege	1560	wmic.exe
Token: SeLoadDriverPrivilege	1560	wmic.exe
Token: SeSystemProfilePrivilege	1560	wmic.exe
Token: SeSystemtimePrivilege	1560	wmic.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
4676	7zG.exe
4812	7zG.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe
5024	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4324 wrote to memory of 5024	4324	firefox.exe	83
PID 4324 wrote to memory of 5024	4324	firefox.exe	83
PID 4324 wrote to memory of 5024	4324	firefox.exe	83
PID 4324 wrote to memory of 5024	4324	firefox.exe	83
PID 4324 wrote to memory of 5024	4324	firefox.exe	83
PID 4324 wrote to memory of 5024	4324	firefox.exe	83
PID 4324 wrote to memory of 5024	4324	firefox.exe	83
PID 4324 wrote to memory of 5024	4324	firefox.exe	83
PID 4324 wrote to memory of 5024	4324	firefox.exe	83
PID 4324 wrote to memory of 5024	4324	firefox.exe	83
PID 4324 wrote to memory of 5024	4324	firefox.exe	83
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 1824	5024	firefox.exe	84
PID 5024 wrote to memory of 3672	5024	firefox.exe	85
PID 5024 wrote to memory of 3672	5024	firefox.exe	85
PID 5024 wrote to memory of 3672	5024	firefox.exe	85
PID 5024 wrote to memory of 3672	5024	firefox.exe	85
PID 5024 wrote to memory of 3672	5024	firefox.exe	85
PID 5024 wrote to memory of 3672	5024	firefox.exe	85
PID 5024 wrote to memory of 3672	5024	firefox.exe	85
PID 5024 wrote to memory of 3672	5024	firefox.exe	85
PID 5024 wrote to memory of 3672	5024	firefox.exe	85
PID 5024 wrote to memory of 3672	5024	firefox.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5248	attrib.exe

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://disk.yandex.ru/d/jwqtAWcXaasUZg"
1⤵
- Suspicious use of WriteProcessMemory
PID:4324
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://disk.yandex.ru/d/jwqtAWcXaasUZg
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.0.693271050\315988249" -parentBuildID 20230214051806 -prefsHandle 1748 -prefMapHandle 1740 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {55559da7-b3a4-4f58-ba5b-d2e266260fd2} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 1856 1a5aac20b58 gpu
    3⤵
    PID:1824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.1.1540187322\1133567073" -parentBuildID 20230214051806 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b42e08b-0e2f-48c7-9818-13364b1406f9} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 2428 1a596a89c58 socket
    3⤵
    PID:3672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.2.1026892238\2106170977" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca17d3e6-704c-4564-9e4a-9ffe8cbfff5d} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 3020 1a5ab262758 tab
    3⤵
    PID:3972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.3.136763889\688615612" -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a6231a7-2d78-4b68-bfee-b7dd1c14481e} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 3672 1a5af7c4b58 tab
    3⤵
    PID:5008
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.4.909543821\471426621" -childID 3 -isForBrowser -prefsHandle 5116 -prefMapHandle 5112 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fccc137f-8870-4181-ab1d-16c7ea86abdb} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5132 1a5b0cd4958 tab
    3⤵
    PID:3052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.5.1265392800\2102166165" -childID 4 -isForBrowser -prefsHandle 5276 -prefMapHandle 5284 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0873dc8-3f8c-4515-a206-c87982238d0b} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5268 1a5b1211558 tab
    3⤵
    PID:4164
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.6.1232778288\382039191" -childID 5 -isForBrowser -prefsHandle 5544 -prefMapHandle 5540 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8de263be-0027-4d40-9f81-24c39cfa9af4} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5552 1a5b1211b58 tab
    3⤵
    PID:4964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5024.7.1139305812\1395326980" -childID 6 -isForBrowser -prefsHandle 5304 -prefMapHandle 5308 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1308 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9fc33bd1-1bbe-428c-9919-e129aae0f05e} 5024 "\\.\pipe\gecko-crash-server-pipe.5024" 5316 1a5ae5c1058 tab
    3⤵
    PID:4744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2056

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap613:92:7zEvent28213
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4676

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\RustCheat v2524\" -spe -an -ai#7zMap3295:92:7zEvent3318
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4812

C:\Users\Admin\Downloads\RustCheat v2524\Extreme Injector v3.7.3.exe
"C:\Users\Admin\Downloads\RustCheat v2524\Extreme Injector v3.7.3.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5624
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\RustCheat v2524\Extreme Injector v3.7.3.exe"
  2⤵
  - Views/modifies file attributes
  PID:5248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\RustCheat v2524\Extreme Injector v3.7.3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:5400
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2084
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\RustCheat v2524\Extreme Injector v3.7.3.exe" && pause
  2⤵
  PID:5960
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
b0dc7c3718882fe730dbbc1b681bfc49

SHA1
03a9c793855b3fc4a82d48a70841ab547cfb9943

SHA256
05b199d4f0d7025646593db4f3d2a22a44e4e64438668d34ec6a3a31afe249bb

SHA512
c927720f5387ba226136b57bce9fb7f37917478d42a466aa9b175561bb5aae6837f82b3b45a3b285460cecffd40742302ce607c58dea83b8a8704eef783c9601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cf1b06b44fb8bc1a4f25c85e70937782

SHA1
c4adeae41a97fc11d407c398040dd109873fb2e5

SHA256
04ddc18714503a6c256830af58a731df9d9ad479e87663787e0fa92424c9b743

SHA512
07fcfc741b14ef3551fdc53a08e31020fd9e1d43ab637535a11e318c9f8d48ea37cae3913539838e74299952a868a7824982ad5dc887992686d45050cc1fc7cf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
e5d1b6e0607d760a12d9bc33be5e512d

SHA1
45db8bbe2b118da7c625bab6cde8c31955662cc4

SHA256
ab52587a4fc671393eda0bc722a5e3d02ba7b367136ac9f60e0d9a1ad4857fdc

SHA512
c78aee03d4bb84b4f79de79014ab03dd00fc97674c6048c0c96b47a3ae3d5b1020b6fdc5828c7791ef80180c46208c33aaef781f262013b4e5348c37efe12574

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\CC9AFF3BE02AD27708D587AE49B3DC68644172BA

Filesize
13KB

MD5
21e45dbf93f55460e4d639dfaaf13be9

SHA1
58adc480980d0e0f2ef9abd6ef0019a44952bcc7

SHA256
210f305af623b27916eb5f4c904699bedaa2ed707fefb80b1d8e6986a2d914cd

SHA512
f5584dd0e9334074792ce36d76898f3609136e63713aa9f79085291f775ed0bdcc9904edc9cf6f2049a26fba61115d592f02c382b13423613db07cdec586be76

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sqab4yrg.mty.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js

Filesize
6KB

MD5
10cccb8a6286a9728178d36364bd9ec5

SHA1
54c010e83028c9122e2dc585889426d5f20959af

SHA256
84973b07a71790591942d6d30b5b6c6285e88fbba7b4b656c18433319b4060af

SHA512
ce37634481327e5495825e8c02136688396ce1c2e998fd84479a826a2cd145adddc88fc5596468411694148afeb7127bf589c2880d6ac08a27b8f33a78833f55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js

Filesize
9KB

MD5
bab5cf2454a3fe8b06cb307e90f34b5b

SHA1
2b31cbaab7d449932644da34dc27806b85598245

SHA256
405d892dddcf994af88ae265f9a802a0ad115fc8496e0dab20133ae23664109a

SHA512
99b3bc6beb73742cf627f21c81eab87e30f46559062733f1ca2a506b65a47138462d051d18c5c942e0e957ee2f868eb93fdc942edea1b4156f3e4ad858243c50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs.js

Filesize
7KB

MD5
ca562943be7c8346d8d9a532be2a8bc8

SHA1
7714118eb1dbbba084072490e192e09fc6f224d2

SHA256
20a946b41b236060544372d8f77c655a0fd1d9c74702111d65b4b43f6da37060

SHA512
d656d763d3029f4fafa05e63a3382789a922a8c8cfd63399c11f8dae50de4868bd65074e4cbaab17a0895753cc24a14c0ed9831a8eb1c61e0c98526b45cf0c70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs.js

Filesize
6KB

MD5
5fda8212e1ad9bebe1d12ee60a96e814

SHA1
ae964fb0934f4253f70a1358ebbdbebe53068a04

SHA256
764f57fafc4c78ea898050328395aa4a1b4bddc4e6961beeeed1270e09a52360

SHA512
56f19a69c702ea35b74866a179c0c9a52fc410eb6446b2fdc1879e3cf8afdb4aa22e14698c50e6a6e42fbd47ab95ddf55d0414dab9fe2f329e8c8f75377ac0f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
7f10c76a930f1a32a45dd188b7c131a5

SHA1
0a17b7837a006d70ad1648b7340cc73c696b53cd

SHA256
0fd55c78c67cad562c344a9072cc98a2c96c45998790052fa1bb55c586627620

SHA512
6d762fba8574d7e8228d93f53ba150774def72de4f4b771333705e2a017d66b1da7c6030c704406f5b8aca71ad2365f3531d5f97cb47342a1198bb44aac9abfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
1df30bf55cfc16e3742f46b3d408f87f

SHA1
375d48e56e9aef42530bf957f657f850486893ba

SHA256
d14f4910069882bd5735fba18d1d2a9fbf2e6bc446eab730d6d38b3eeaabe42d

SHA512
faedcda1616650808143ef9bcda5baceadb2d1cf3f70fe254a160be4997740564f9b33a37f236957c84030b71e5d939d1a81c398fd0aa37014a3fcf09a024ae7

Download Submit
C:\Users\Admin\Downloads\RustCheat v2524.U8dbOil2.rar.part

Filesize
7KB

MD5
08e38c372b7640d24c195979a7fac209

SHA1
e4afc5c5cc414172cbb6a1597f114c6ef086c886

SHA256
370c27124711046854631a84e81b29ddd0957c14611f754305f03160a6f6330c

SHA512
3c16da4b03ddc78f6e14bae6275584b11692497501091c794499ae6b32a1ee3f77392bc2310231daf8fd5ceb48bd8fa877501bdd622f00a4ce27de8b8235ecb2

Download Submit
C:\Users\Admin\Downloads\RustCheat v2524.rar

Filesize
32.3MB

MD5
a9c0b047ee53b0a689caf805f87cb45b

SHA1
59c638b583967bcf5df4838b99bd366df75c4756

SHA256
10b238b691d514288408533782651833896f9136243400f62337dcfed0273df1

SHA512
cb31fd3785e9fa6cdfbf49d05c34ae623d207c29e322c16ad449fa7de48f28b22f3ef1de0ed657a82f5bbe0e209b217f143599b9ce28e88e3c786003351dcee8

Download Submit
C:\Users\Admin\Downloads\RustCheat v2524\Extreme Injector v3.7.3.exe

Filesize
362KB

MD5
f84ca43394a28532e3df687dc3bed6ca

SHA1
ea8a33a5ef3df7668d9fca03e5ff3292055be4b3

SHA256
0269257059e4f652aa21917cbb11a4aaf42f063e485edb49a07b9b8f42ed3f67

SHA512
26f66d89549659451997aeb9e5ab2d00daf880d93e999cec15e9bad07b1e8628b9992c51eb3a72c926bbfdac9892ce0264cc47db9fb925546bd63f8afeb508b8

Download Submit
memory/1212-2252-0x000001E9F4650000-0x000001E9F4672000-memory.dmp

Filesize
136KB

Download
memory/5624-2246-0x00007FF883123000-0x00007FF883125000-memory.dmp

Filesize
8KB

Download
memory/5624-2275-0x000001C1EA070000-0x000001C1EA08E000-memory.dmp

Filesize
120KB

Download
memory/5624-2274-0x000001C1EAAA0000-0x000001C1EAAF0000-memory.dmp

Filesize
320KB

Download
memory/5624-2273-0x000001C1EA100000-0x000001C1EA176000-memory.dmp

Filesize
472KB

Download
memory/5624-2311-0x000001C1EA090000-0x000001C1EA09A000-memory.dmp

Filesize
40KB

Download
memory/5624-2312-0x000001C1EA0C0000-0x000001C1EA0D2000-memory.dmp

Filesize
72KB

Download
memory/5624-2245-0x000001C1E83B0000-0x000001C1E8412000-memory.dmp

Filesize
392KB

Download