44caliber | 5792e2d18bf6bb75708a630b4bd2d5bd56992dac49aef6e37ce194d7229346a0

Analysis

max time kernel
258s
max time network
260s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rust_Kfg (4).rar
Size

218KB
MD5

24e5ebcc022f0735f35737a8dc358b75
SHA1

b820dbecbbcb565365557a9d16aed97622816f8b
SHA256

5792e2d18bf6bb75708a630b4bd2d5bd56992dac49aef6e37ce194d7229346a0
SHA512

8de8b3fa6b7e30e5a38778a9c547109d9562179f9e3b610a25af62d10dba6511fcbc87cc4de963f0a807bef9372f1cc2525071b8203061f3ea8bfa6a4fc572ac
SSDEEP

6144:/a/EIYhHdteaYHJxzEKOKE5myFELElV+bczVnK:/KYBHQJxz9OVsLElV+r

Score

10^/10

44caliber umbral xworm credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1276982380623822909/-ZYqYnZeoG8yutLtDD9buwOWh8z-ENLfgSoEesmu5LYvfPnRgh3KuZ2RXTmQ_aGzc_7m

Extracted

Family

xworm

127.0.0.1:59668

21.ip.gl.ply.gg:59668

Attributes

Install_directory
%AppData%

Extracted

Family

44caliber

https://discord.com/api/webhooks/1276982380623822909/-ZYqYnZeoG8yutLtDD9buwOWh8z-ENLfgSoEesmu5LYvfPnRgh3KuZ2RXTmQ_aGzc_7m

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00070000000234c6-951.dat	family_umbral
behavioral1/memory/5588-953-0x0000020284C90000-0x0000020284CD0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00070000000234c7-1040.dat	family_xworm
behavioral1/memory/4084-1041-0x00000000007B0000-0x00000000007C6000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
2464	powershell.exe
4980	powershell.exe
5308	powershell.exe
1784	powershell.exe
1764	powershell.exe
3032	powershell.exe
3644	powershell.exe
5500	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

Processes:

Fix_Error (2).exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Fix_Error (2).exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Rust_Kfg.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	Rust_Kfg.exe

Drops startup file 2 IoCs

Processes:

Rust_Kfg.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	Rust_Kfg.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Steam.lnk	Rust_Kfg.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 6 IoCs

Processes:

7z2408-x64.exe7zFM.exe7zG.exeFix_Error (2).exeRust_Kfg.exeДополнение.exe

pid	Process
628	7z2408-x64.exe
6128	7zFM.exe
5112	7zG.exe
5588	Fix_Error (2).exe
4084	Rust_Kfg.exe
5716	Дополнение.exe

Loads dropped DLL 3 IoCs

Processes:

7zFM.exe7zG.exe

pid	Process
3440
6128	7zFM.exe
5112	7zG.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Rust_Kfg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\AppData\\Roaming\\Steam"	Rust_Kfg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
223	discord.com
224	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
227	freegeoip.app
218	ip-api.com
226	freegeoip.app

Drops file in Program Files directory 64 IoCs

Processes:

7z2408-x64.exe

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

firefox.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

7z2408-x64.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXE

pid	Process
3420	cmd.exe
4144	PING.EXE

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exeДополнение.exefirefox.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Дополнение.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Дополнение.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

wmic.exe

pid	Process
4804	wmic.exe

Modifies registry class 23 IoCs

Processes:

firefox.exe7z2408-x64.execmd.exeOpenWith.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

Processes:

PING.EXE

pid	Process
4144	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
3496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

Fix_Error (2).exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeДополнение.exe

pid	Process
5588	Fix_Error (2).exe
5588	Fix_Error (2).exe
3644	powershell.exe
3644	powershell.exe
3644	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
5696	powershell.exe
5696	powershell.exe
5696	powershell.exe
5308	powershell.exe
5308	powershell.exe
5308	powershell.exe
5500	powershell.exe
5500	powershell.exe
5500	powershell.exe
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe
1764	powershell.exe
1764	powershell.exe
1764	powershell.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
5716	Дополнение.exe
5716	Дополнение.exe
5716	Дополнение.exe
5716	Дополнение.exe
5716	Дополнение.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe7zFM.exe

pid	Process
4864	OpenWith.exe
6128	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exe7zFM.exe7zG.exeFix_Error (2).exewmic.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exe

description	pid	Process
Token: SeDebugPrivilege	748	firefox.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: SeDebugPrivilege	748	firefox.exe
Token: SeRestorePrivilege	6128	7zFM.exe
Token: 35	6128	7zFM.exe
Token: SeRestorePrivilege	5112	7zG.exe
Token: 35	5112	7zG.exe
Token: SeSecurityPrivilege	5112	7zG.exe
Token: SeSecurityPrivilege	5112	7zG.exe
Token: SeDebugPrivilege	5588	Fix_Error (2).exe
Token: SeIncreaseQuotaPrivilege	4120	wmic.exe
Token: SeSecurityPrivilege	4120	wmic.exe
Token: SeTakeOwnershipPrivilege	4120	wmic.exe
Token: SeLoadDriverPrivilege	4120	wmic.exe
Token: SeSystemProfilePrivilege	4120	wmic.exe
Token: SeSystemtimePrivilege	4120	wmic.exe
Token: SeProfSingleProcessPrivilege	4120	wmic.exe
Token: SeIncBasePriorityPrivilege	4120	wmic.exe
Token: SeCreatePagefilePrivilege	4120	wmic.exe
Token: SeBackupPrivilege	4120	wmic.exe
Token: SeRestorePrivilege	4120	wmic.exe
Token: SeShutdownPrivilege	4120	wmic.exe
Token: SeDebugPrivilege	4120	wmic.exe
Token: SeSystemEnvironmentPrivilege	4120	wmic.exe
Token: SeRemoteShutdownPrivilege	4120	wmic.exe
Token: SeUndockPrivilege	4120	wmic.exe
Token: SeManageVolumePrivilege	4120	wmic.exe
Token: 33	4120	wmic.exe
Token: 34	4120	wmic.exe
Token: 35	4120	wmic.exe
Token: 36	4120	wmic.exe
Token: SeIncreaseQuotaPrivilege	4120	wmic.exe
Token: SeSecurityPrivilege	4120	wmic.exe
Token: SeTakeOwnershipPrivilege	4120	wmic.exe
Token: SeLoadDriverPrivilege	4120	wmic.exe
Token: SeSystemProfilePrivilege	4120	wmic.exe
Token: SeSystemtimePrivilege	4120	wmic.exe
Token: SeProfSingleProcessPrivilege	4120	wmic.exe
Token: SeIncBasePriorityPrivilege	4120	wmic.exe
Token: SeCreatePagefilePrivilege	4120	wmic.exe
Token: SeBackupPrivilege	4120	wmic.exe
Token: SeRestorePrivilege	4120	wmic.exe
Token: SeShutdownPrivilege	4120	wmic.exe
Token: SeDebugPrivilege	4120	wmic.exe
Token: SeSystemEnvironmentPrivilege	4120	wmic.exe
Token: SeRemoteShutdownPrivilege	4120	wmic.exe
Token: SeUndockPrivilege	4120	wmic.exe
Token: SeManageVolumePrivilege	4120	wmic.exe
Token: 33	4120	wmic.exe
Token: 34	4120	wmic.exe
Token: 35	4120	wmic.exe
Token: 36	4120	wmic.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	4980	powershell.exe
Token: SeDebugPrivilege	5696	powershell.exe
Token: SeIncreaseQuotaPrivilege	5984	wmic.exe
Token: SeSecurityPrivilege	5984	wmic.exe
Token: SeTakeOwnershipPrivilege	5984	wmic.exe
Token: SeLoadDriverPrivilege	5984	wmic.exe
Token: SeSystemProfilePrivilege	5984	wmic.exe

Suspicious use of FindShellTrayWindow 24 IoCs

Processes:

firefox.exe7zFM.exe7zG.exe

pid	Process
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
6128	7zFM.exe
6128	7zFM.exe
5112	7zG.exe

Suspicious use of SendNotifyMessage 20 IoCs

Processes:

firefox.exe

pid	Process
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe

Suspicious use of SetWindowsHookEx 35 IoCs

Processes:

OpenWith.exefirefox.exe7z2408-x64.exe

pid	Process
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
4864	OpenWith.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
748	firefox.exe
628	7z2408-x64.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

OpenWith.exefirefox.exefirefox.exe

description	pid	Process	procid_target
PID 4864 wrote to memory of 1028	4864	OpenWith.exe	97
PID 4864 wrote to memory of 1028	4864	OpenWith.exe	97
PID 1028 wrote to memory of 748	1028	firefox.exe	99
PID 1028 wrote to memory of 748	1028	firefox.exe	99
PID 1028 wrote to memory of 748	1028	firefox.exe	99
PID 1028 wrote to memory of 748	1028	firefox.exe	99
PID 1028 wrote to memory of 748	1028	firefox.exe	99
PID 1028 wrote to memory of 748	1028	firefox.exe	99
PID 1028 wrote to memory of 748	1028	firefox.exe	99
PID 1028 wrote to memory of 748	1028	firefox.exe	99
PID 1028 wrote to memory of 748	1028	firefox.exe	99
PID 1028 wrote to memory of 748	1028	firefox.exe	99
PID 1028 wrote to memory of 748	1028	firefox.exe	99
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 4812	748	firefox.exe	100
PID 748 wrote to memory of 2228	748	firefox.exe	101
PID 748 wrote to memory of 2228	748	firefox.exe	101
PID 748 wrote to memory of 2228	748	firefox.exe	101
PID 748 wrote to memory of 2228	748	firefox.exe	101
PID 748 wrote to memory of 2228	748	firefox.exe	101
PID 748 wrote to memory of 2228	748	firefox.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
396	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Rust_Kfg (4).rar"
1⤵
- Modifies registry class
PID:2776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Rust_Kfg (4).rar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\Rust_Kfg (4).rar"
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1984 -parentBuildID 20240401114208 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {707ba260-5038-4413-933f-e8c3d789c5b8} 748 "\\.\pipe\gecko-crash-server-pipe.748" gpu
      4⤵
      PID:4812
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2420 -parentBuildID 20240401114208 -prefsHandle 2396 -prefMapHandle 2392 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8a37ca7-cff5-42c5-8cce-92ea4d95d572} 748 "\\.\pipe\gecko-crash-server-pipe.748" socket
      4⤵
      PID:2228
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3024 -childID 1 -isForBrowser -prefsHandle 3076 -prefMapHandle 2980 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfb36ed5-3805-4154-beb8-0331b351fb58} 748 "\\.\pipe\gecko-crash-server-pipe.748" tab
      4⤵
      PID:2776
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3748 -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3220 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {937e109e-935d-4982-9fca-fab3ce9a28e9} 748 "\\.\pipe\gecko-crash-server-pipe.748" tab
      4⤵
      PID:2220
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5012 -prefMapHandle 5008 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42c6e060-0d3b-479e-9b32-fde6131a04f8} 748 "\\.\pipe\gecko-crash-server-pipe.748" utility
      4⤵
      Checks processor information in registry
      PID:5380
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 3 -isForBrowser -prefsHandle 5444 -prefMapHandle 5440 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3763c72f-2e84-4a90-b3f9-c616e8660b36} 748 "\\.\pipe\gecko-crash-server-pipe.748" tab
      4⤵
      PID:5748
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5676 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5604 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {479c4360-c4a7-4fd9-89a4-fabe72043a95} 748 "\\.\pipe\gecko-crash-server-pipe.748" tab
      4⤵
      PID:5760
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5800 -childID 5 -isForBrowser -prefsHandle 5756 -prefMapHandle 5580 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0dcec29-4f82-4424-8661-1a1d5668ba2d} 748 "\\.\pipe\gecko-crash-server-pipe.748" tab
      4⤵
      PID:5772
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1568 -childID 6 -isForBrowser -prefsHandle 1588 -prefMapHandle 1584 -prefsLen 29397 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68209a96-5752-4abe-820e-95b23fc8f727} 748 "\\.\pipe\gecko-crash-server-pipe.748" tab
      4⤵
      PID:4040
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6344 -childID 7 -isForBrowser -prefsHandle 4120 -prefMapHandle 4140 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68555c9b-b301-40a9-a603-460c802f4541} 748 "\\.\pipe\gecko-crash-server-pipe.748" tab
      4⤵
      PID:5608
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 8 -isForBrowser -prefsHandle 5980 -prefMapHandle 5976 -prefsLen 28282 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecb45218-484b-4a0a-b435-dd9849abdadf} 748 "\\.\pipe\gecko-crash-server-pipe.748" tab
      4⤵
      PID:6068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3540

C:\Users\Admin\Downloads\7z2408-x64.exe
"C:\Users\Admin\Downloads\7z2408-x64.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:628

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Rust_Kfg (4).rar"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6128

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Rust_Kfg (4)\" -spe -an -ai#7zMap16288:86:7zEvent8401
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5112

C:\Users\Admin\Desktop\Rust_Kfg (4)\Fix_Error (2).exe
"C:\Users\Admin\Desktop\Rust_Kfg (4)\Fix_Error (2).exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5588
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Desktop\Rust_Kfg (4)\Fix_Error (2).exe"
  2⤵
  - Views/modifies file attributes
  PID:396
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Rust_Kfg (4)\Fix_Error (2).exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5696
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5984
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:6048
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5308
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4804
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\Rust_Kfg (4)\Fix_Error (2).exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3420
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4144

C:\Users\Admin\Desktop\Rust_Kfg (4)\Rust_Kfg.exe
"C:\Users\Admin\Desktop\Rust_Kfg (4)\Rust_Kfg.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Rust_Kfg (4)\Rust_Kfg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Rust_Kfg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Steam'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Steam'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Steam" /tr "C:\Users\Admin\AppData\Roaming\Steam"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3496

C:\Users\Admin\Desktop\Rust_Kfg (4)\Дополнение.exe
"C:\Users\Admin\Desktop\Rust_Kfg (4)\Дополнение.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.dll

Filesize
99KB

MD5
d346530e648e15887ae88ea34c82efc9

SHA1
5644d95910852e50a4b42375bddfef05f6b3490f

SHA256
f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902

SHA512
62db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673

Download Submit
C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
963KB

MD5
004d7851f74f86704152ecaaa147f0ce

SHA1
45a9765c26eb0b1372cb711120d90b5f111123b3

SHA256
028cf2158df45889e9a565c9ce3c6648fb05c286b97f39c33317163e35d6f6be

SHA512
16ebda34803977a324f5592f947b32f5bb2362dd520dc2e97088d12729024498ddfa6800694d37f2e6e5c6fc8d4c6f603414f0c033df9288efc66a2c39b5ec29

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
692KB

MD5
4159ff3f09b72e504e25a5f3c7ed3a5b

SHA1
b79ab2c83803e1d6da1dcd902f41e45d6cd26346

SHA256
0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101

SHA512
48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Download Submit
C:\ProgramData\44\Process.txt

Filesize
343B

MD5
2e29056c52816cbc271b70c6be54fba6

SHA1
e559e2bd0eb98c25d1b54199ce4bf9c694d71c7a

SHA256
0519ca8070b286d147ba50f85ea2231a78dcf45a9659e9a66353f78c54eda1f7

SHA512
70ec0d2d7bf5757969b7bad3ee9ad12c8edf3f36fdf1831cd6b41110459a4b926126b43414ab5456ce3ca07a446d57b8f9ee7a7830d12e43d1540e56c2c26d17

Download Submit
C:\ProgramData\44\Process.txt

Filesize
1KB

MD5
b0cbbcafdd8fe1c62c9c65ddf7b1c354

SHA1
3d8152929f7181cc1461adbd11b8151b08313580

SHA256
2a650a0babf845fac20558454ab19a1eca51e9a648b4d3ff17cc0612962971d9

SHA512
995b6fb8b76ba28d2219642dca57ee42578129a778531e685cf2513baa01c8efaa10b5b1e68259b7667dbb594bfd63e13309b7ea06b6556d1e96e684459b3e33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
58b80fe8da7d23cd3c9707f4ce93457e

SHA1
7d1c58b992631d82cabd38d738ccca072c91c124

SHA256
4479db3e2faf952801a1506140f3612e267e9bb4f5d509b0d63204429de8eef3

SHA512
82ef5d29aaf46b5fef467185193f03612058c4bbd7b9926293a79c18deefe137811f95dc59feaa649376c8711ca3253177177b538d2d953147db1ed719cba5e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8a424e81b5a6078deff05e153c04a0ee

SHA1
bf209de0dbc1dbe7c5b5b511bd34bf447a3c049b

SHA256
79ce6d6caea4a9eabf8fdbb2a1c58d43fb5a3c500c2dec3fce87c160d2c6bda3

SHA512
aa01195e5c1d641304b08fed4a3bffc916972aa0bc20e928204cef1783f38922a03b761cf2010ccbace1ea0d2f18cda4eaeee4d8969f32fbae5f580e4e38522d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
de9d4ddc62daa4444b9178c9fc079438

SHA1
f8cb6cc6942a31142b169047ca8b0610201b7882

SHA256
d8f14ccc4389c7313eef1948a13f45a1e4e16007d45c90c309baba365641e57a

SHA512
206ca2532369f1eeddd2efec2b77512d64f6957554e4c8e8e58ac1c5db6bb567aecdb49d6bfa2e99c9647387d19052546b2e7b644394371773ec6d9190d90241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3671431dc9392fbccf1c030579b01ede

SHA1
dd49638304a4d3ce6fcfa7e7897005a78e7a2d84

SHA256
d44c1a57c996301027e803dfa7fe85c363e1483d2dac5804851ffe68184f56bb

SHA512
81cc9edddb2698ea9d2325b31551781b4006c51d2d3e50541ccd87166a392c4c466d9f2bae48f0524ab460f6fa0f36a29bf755498abab7c1ccb7ff9339cb46a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
b0dc7c3718882fe730dbbc1b681bfc49

SHA1
03a9c793855b3fc4a82d48a70841ab547cfb9943

SHA256
05b199d4f0d7025646593db4f3d2a22a44e4e64438668d34ec6a3a31afe249bb

SHA512
c927720f5387ba226136b57bce9fb7f37917478d42a466aa9b175561bb5aae6837f82b3b45a3b285460cecffd40742302ce607c58dea83b8a8704eef783c9601

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\illkw0pr.default-release\activity-stream.discovery_stream.json

Filesize
44KB

MD5
161ad3f1e499715cba32a41eb1e602cb

SHA1
7b11c431b85feec3b77df8a36372d68fb5f6f048

SHA256
04caf7d9d7839a3a96329925873e7b4e5538d6cc476024f0339c3e4b680a82d9

SHA512
ae92e863996d16cf3738931f3b207efbc6a99f63f596ffb40fdaaea95ecafd36a094054c29c69c99d972b3ed936e0459c7d554c465c85f52ffe5683457c5fc59

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hqmaufar.305.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
16KB

MD5
35a8580009f316dd975a0a01d09dc1e3

SHA1
52c6f76a1fb7e6e975336c72e926c821da26ff25

SHA256
19ba43da6795bf6a6c5779351d20dac9e8f409f6b61690f00c297faa7dd93ff8

SHA512
5693f9fe27d0eda42f3869c2125df9947b22b256073a41fde7b56ad1eba91e11fffd3cca9071a208f633ad80c9ad0f759be37cc9a507d65d10c7bc6a1307ac95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
ae8897465fc40e807b63279afd545911

SHA1
0efe3394c2ecde718de75d28dac362fa74c5aea3

SHA256
dccb8b598bbe562a39f831b9542a9afa2a6fbb9113652095e507928b692fee6f

SHA512
9eb0c426ad19bebce2ea79fd624770077e01475c0283c8a14d319a28063814404a9bf7a506f63f87450c8c0c7a8f4f51c9869303723e607de4b4b6b97ceae11c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\AlternateServices.bin

Filesize
8KB

MD5
07905c83acf75d7adb3ca4ab37542ac9

SHA1
8580ed605ca7ce92d47054a87ae4efaa106a57d3

SHA256
7893a5f1a97dbfcf94515540fecab6b24558977e6d6b9333065b7d5aa87f77bd

SHA512
5070c2a464e01db14938380cf460d846a30e819b2d39f28e92fe3b90bacbe1a082ffa2ac892ade7f6f50be0626c5d648024dff639729bd876b4fddb2314669b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\cert9.db

Filesize
224KB

MD5
7bc16cf3b52fffccced605c750ccf36d

SHA1
d3f5549cbb6428742f4a8fe4334e64c96be2b6b9

SHA256
b1099354636f1ae01dff3aa6d20d49fd00d641c1cf04ebb2dc0ae96958f03206

SHA512
08c20a8328be011ca3149e5dffec72270324ed6780a92a14c5e4467323031a612ad3c950eaf90e555dae0c60a2920826a3d185812b27c9f780aa9550870e3e08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\cookies.sqlite

Filesize
512KB

MD5
79f1f52580d802fa130a3b78efb2a271

SHA1
08f2439550b5e1d4cc459aa98b57a4993444843b

SHA256
96212d36cc29712d5d39d5535743e6e8409f58d73ad7a6eec41364c2d89e7b3d

SHA512
a8dfff34864a399ff12be6ca03983f24101d8036f7815dc6386db99c545c70dbddf527f94b6f19526364b3f938fc029f31406cb0e892d6cc0713469fc42a401c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d3406678659ba680de0a47eeb00d199d

SHA1
f5bf1930e71ca02584cbfa87b046e1c497701bfc

SHA256
1e238ee2f08c7ad84df6a7553ced25625c91fcf8f24b9acf118b6f7913ab2352

SHA512
1ab7fbf5ee58d5a2ec7030fbd73d05b9767d4c45b945b0f1bbde5e8915cfb899d18c60bb149ca77e0aa9f2b51318eae9a2ef806ee6798e48a5769b66c3362d24

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
7f2921502f4daf8539ccd7bb1fe00638

SHA1
d00e43ff94cd84f5ce3ce6c40c8fe1d73171733c

SHA256
117424903474438b9e484a6b5ba83ccfc206f51c971f4fa01926798afe7f2043

SHA512
d5bdce2964b4e27c8bded3a26cff7a9d8946a543fdfb0e23b55d96d3439d723d624892d29136d26e237ef77186ba71c83e614cf1cbeae2ea3283ec6696dd6407

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\70e15db1-0f92-4e85-a23a-a5618e6e14c1

Filesize
671B

MD5
6ed53e7c5b90ddfee31d1022242910ea

SHA1
e53007c733edc2d7a266f04a7ba8f0cbda95d400

SHA256
76a07ea306adc819488ed197177295bd1e9e9973f9d342a11ef65fecc1c02c22

SHA512
ce70cc5a659f609b8e0570320c912d100ae24de1bc4821c50b666b126cf59c9a34db8a7a64a4c1c36b4fe6f57d69c4c43e13d5e191bbeb3ef7faa4cd99a99b46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\cb3032b4-ae9f-46ca-9cb4-deb18740e8af

Filesize
25KB

MD5
00637a2ee2006eb09e84e9e7de44dd2d

SHA1
40a53bf1aac6b9daeafad4678baf62397d43aadd

SHA256
ff2ed1a5a276e5c13cd8436e64bff971816e49e16a679482eb291552065c5f85

SHA512
1d5bb61626721ea3fa940d9f5679a05d9ad1bd19a256febb0456e68d5598fe7513627f0940420440822e46278a063f83866ca3b1d2b0ba8dac262542de82f7d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\datareporting\glean\pending_pings\cf59c9d8-6735-44eb-a043-804028f4b685

Filesize
982B

MD5
95c3edc098cb0d8db64d3cbe7ffdfc40

SHA1
e46b0796582bfe24297a3ecdd01929827bfca3bc

SHA256
ba4d61f23cf51123d96b07ece205acc33447343c698dbbce0b70fbf2e38e8119

SHA512
d0c576554513052d5cfa0bbb5fc5ad99597fa2749b0b06c0da83ff80a4bf77ff0dfb75726dfcb4168975b05939d5f4dea376ac1f8645b628dab300bfa47249a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\places.sqlite

Filesize
5.0MB

MD5
c4a35d2a65df8d84d65d980b41ccd79c

SHA1
6dd3e5ac205dc0b05327e064b6fc89c8b1023a58

SHA256
fff4b2b73034666ef3097ccb273251688a4d844946d716d11a9672caca584ea2

SHA512
659416e28de7b30cc3027db4e3b3537d4cdf4c3075575fd9365d9808965f94238a7438dfb13284340c364b664cf6eed2294ccad85924b1d0495be871fa4ea21c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
12KB

MD5
d8f6935f43875281e8e57876e30f1c5c

SHA1
86a71ceee79f59e1c52fa51369d2fec8254da2c3

SHA256
b48d74e68ec8a8e2907bbd44165518b638247d0c67e546bac44443fb410433ac

SHA512
35d2f744efc836efab59e41f2a992bdaf0d11b23aef9ed53bf47626c57edcdfc2f63618775ffb49435e622984a945add692f4345d0e24caf7f93dbe08f95099b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs-1.js

Filesize
11KB

MD5
96fcd8131adce10d9422ea0cc90a3400

SHA1
6615f5904a25a9d4dd1c76c72b5e79c56ce9eea4

SHA256
c8d856c03ed68c20130545c7dd2329338cca2689dd5ada4f8d2fc6cc093e9ff1

SHA512
a4b3150994c5c551eceec4dc56ab669813165b60415dd9e1a975f33165559f86877e73a99828e2f252450ff8e4be87189bd661a32f300a6ff27f4f82524d9f17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\prefs.js

Filesize
11KB

MD5
ca3a06c91102dae9149c5499a91d5431

SHA1
d1661713dbb7594c96f2cbb788b31e6009646c10

SHA256
40c73cb4e31c885b78f12012d9d60a52668c288e7e328389b80b88a2b28cf784

SHA512
3b5e674eb740054496c6060478550b04862098c1386d4ba3567393efd27f1cfd2206fc1632cef51ac3f49ed0473c554b0015d94a318dc6d9c14f51cb7e8cb01b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
78ae618068d608cb3d28baba125c2966

SHA1
e9f322560c73fb01c2ba46503ff5a46713d89d7a

SHA256
dc4a65e368ecac54c3974dd99823fa85841c51246e69419a9e4ca7884f5dd65c

SHA512
8c6e53a48232c9d7da14029374ae8d84be496e8447520bca507b966958fd90d496e4ecf93aef23993d079f855f10193067226e2834178545e5e7fd5f88669748

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
328fbe48207359d61c3fbc992448b5c0

SHA1
12f31055ca3bd62436f589fecf3d0a4fc0e8e567

SHA256
f9d5e33b29c5a99201ad586aef953b4471c15c7277e19c6a63cdd76ca4ab029a

SHA512
c18a7e847caca58c15ef92a40d83b50618b93fb770019712cef3f4eef61ef2fbfadeb52a8bc595d99bc13c5f49ece4dc07e181f898c4b384949d1524c8d704b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
c97e3de5bac14e0660cd384074fccbf4

SHA1
a3b6e85d51928320fee9c9d8329f64530ec21f2e

SHA256
e14666668811cc8baab05784cd0eb12c7a9bc33c481c6a68827356a4f4b7b976

SHA512
9883f19f92a00adfa52b4d5ea410a91209ab12d4a37752f5fdd633a210a3d75a5d5f7077280915fc4921e4d3b2aa151e02a7853ec23b904d91ad01b02e48e483

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
6887eb7440331fe2da35125171a0559c

SHA1
062e8ae97175c17bef24743beff31ce67400b0da

SHA256
1cb894fc201622271c91707bf92fd7ef1af2f160e5fbf34c2a7210670e9bbe01

SHA512
1ba1efcc6bac8575742f81eaa377934e6b7c9f39e4a4a2aba6fe9268b0e7c366bf3f12d909b2a8f9ae7da7d334eaf8b5e04eec7e6b9abcff726d09c233d4b176

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
fe356c0560344bc2600f283d72ae1561

SHA1
e1d4f62d02a09a338fdf14313736e8c74927e3a0

SHA256
56498944bc3aa7bd595988a6051ee154348267de9b7b5043b46be80fbb8c371a

SHA512
db9748d3f1641c955bb2b3fc05a2cac8c08f379d7e1ac0a0037484d1668c29bcb338abf7c2d37b8f5b116c5216c8084677354de1eb4cbdb97342252bb93ea286

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
9ed82df1f254938f6dcfea3f71bd143f

SHA1
4d993dcf11d5b2972a7aa00c580adbc01cf43bb2

SHA256
7d2915c8b294d2d5387ff188440dbfd29c0c41f60639695316dc31cd51f67e7f

SHA512
382370f5cb93eaba517c638c9636b3a72ddd25e35da504f3c58c775880868ae1341362f5d5ae5404b35ccd1e29e05f629c906b489195621440fb4d8881d58937

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\illkw0pr.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
084286cb4583835b8cf27996d11db02d

SHA1
18667168269a2a627847aa6e54415dd3b9235f0a

SHA256
f057cf9a63d9d8627fec376d82b55afc4998ce989f17314f615f75d6cb67196c

SHA512
3b5703e98da55e321fd32d0e8e4c51b8d5137c0525f219aca7c9a79ac3cf3151b1459b53aa9fce9e7c3e5d2f7f900c759a9e7653183140d81cb6c8809c1af7e5

Download Submit
C:\Users\Admin\Desktop\Rust_Kfg (4)\Fix_Error (2).exe

Filesize
229KB

MD5
454846ff145dfea740caf62ff2971bcc

SHA1
f680fa362bf082ed52b90d4e2ea9b23feada4a78

SHA256
9b3fe197f1d5ca560db170f8a183e3d89c35fa61476d1e90c4cb2bb0ae4fc6f7

SHA512
0fdafac7cbea1d896b44bd944485f3edbe7576e92aca2229149c0d4199142b591a5a7fac16880deeb613e6c1ddae9e3a3c39f6996a3dd58edd48c7ee918ba43a

Download Submit
C:\Users\Admin\Desktop\Rust_Kfg (4)\Rust_Kfg.exe

Filesize
62KB

MD5
398886ef4e4808f89c60e5dc9bb57c08

SHA1
ce84d7e93e6cec5633b7b6b9c5b5d1594c3b050d

SHA256
1bae8feed8d8d9b4040d37ca130b875a6b94e1bc88f06cc749343a7b69a24585

SHA512
05d4eb3285e8ce609790c7db4e5101a56570b180f738dd7ccd8d166e164ee740fbc7466a4ba72ef5295ecb30f61f6c6937a21a01f7717e8d377efef1cc514f41

Download Submit
C:\Users\Admin\Desktop\Rust_Kfg (4)\Дополнение.exe

Filesize
274KB

MD5
2af21c82532c531a55cd680d7f914ce5

SHA1
67e105d7be6de7064af7026c1fad2420aa0df599

SHA256
829ee49ab07870f42e00fc90f402ce617966544c9bd99ef88217e4976b1bb561

SHA512
69aff2a9df553f0a4dfca1a7db6de51227f646cc518c7cf0e3f9bd2233552c70a545b76f5291ede3531778cf2c6ddb52a56be4672329390d7bf16408b6a12db1

Download Submit
C:\Users\Admin\Downloads\7z2408-x64.s7g0P7wy.exe.part

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\Vmt2c4DD.rar.part

Filesize
218KB

MD5
24e5ebcc022f0735f35737a8dc358b75

SHA1
b820dbecbbcb565365557a9d16aed97622816f8b

SHA256
5792e2d18bf6bb75708a630b4bd2d5bd56992dac49aef6e37ce194d7229346a0

SHA512
8de8b3fa6b7e30e5a38778a9c547109d9562179f9e3b610a25af62d10dba6511fcbc87cc4de963f0a807bef9372f1cc2525071b8203061f3ea8bfa6a4fc572ac

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3644-959-0x00000167C3360000-0x00000167C3382000-memory.dmp

Filesize
136KB

Download
memory/4084-1041-0x00000000007B0000-0x00000000007C6000-memory.dmp

Filesize
88KB

Download
memory/5588-1019-0x000002029F3B0000-0x000002029F3C2000-memory.dmp

Filesize
72KB

Download
memory/5588-953-0x0000020284C90000-0x0000020284CD0000-memory.dmp

Filesize
256KB

Download
memory/5588-980-0x000002029F3E0000-0x000002029F456000-memory.dmp

Filesize
472KB

Download
memory/5588-981-0x000002029F460000-0x000002029F4B0000-memory.dmp

Filesize
320KB

Download
memory/5588-982-0x000002029F330000-0x000002029F34E000-memory.dmp

Filesize
120KB

Download
memory/5588-1018-0x000002029F380000-0x000002029F38A000-memory.dmp

Filesize
40KB

Download
memory/5716-1092-0x0000022B89520000-0x0000022B8956A000-memory.dmp

Filesize
296KB

Download