nanocore | 8c53fc138ab93483314185026bec3ddc9e41aeb22ca1025a08f5b55238836f4c

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
27-07-2023 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe
Size

24.4MB
MD5

20d9ace6b4fff715f204ea2cf008e0ee
SHA1

988354b0667c23f749f9ade68b624d0525e95d10
SHA256

6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8
SHA512

b4930e4e9ddc0d5b163962c3fd70ff782f965154e3f16f275d1b261bf20ee864116c46c4de86df594ce602fc4b004464ab109389958cc646c3e7fc0533e7eb75
SSDEEP

393216:+7sxAlnJLFg3GT6+K7btWp3EqO97hu/m3pDnL8nbVB3Q7MP2sjwCfgM2p:+7xlVFFW+K7cG3GK03A7i2sjvgM2p

Score

10^/10

nanocore umbral evasion keylogger persistence pyinstaller spyware stealer trojan upx

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

8.tcp.ngrok.io:18184

Mutex

b3c03861-ff64-46a0-bbf6-30bd7e451c17

Attributes

activate_away_mode
true
backup_connection_host
8.tcp.ngrok.io
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2023-02-14T21:06:46.097983836Z
bypass_user_account_control
true
bypass_user_account_control_data
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
18184
default_group
Default
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
b3c03861-ff64-46a0-bbf6-30bd7e451c17
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
8.tcp.ngrok.io
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Extracted

Family

umbral

https://ptb.discord.com/api/webhooks/1103062061308711013/DXAN2znESQvEc6dLNnLsauh1TMcs5L72kY-0mrCYe41GPo6f1JIFjlGouqYLTWexBszo

Signatures

Detect Umbral payload 6 IoCs

resource	yara_rule
behavioral1/files/0x000b00000001224e-64.dat	family_umbral
behavioral1/files/0x000b00000001224e-71.dat	family_umbral
behavioral1/files/0x000b00000001224e-66.dat	family_umbral
behavioral1/files/0x000b00000001224e-65.dat	family_umbral
behavioral1/files/0x000b00000001224e-72.dat	family_umbral
behavioral1/memory/1180-99-0x0000000001050000-0x000000000108C000-memory.dmp	family_umbral

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 5 IoCs

pid	Process
1940	KRNL (WORKING).EXE
1180	LOGZ UMBRAL.EXE
2936	LOGZ.EXE
1968	LOGZ.EXE
1284	Process not Found

Loads dropped DLL 14 IoCs

pid	Process
2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe
2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe
2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe
2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe
2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe
2936	LOGZ.EXE
1968	LOGZ.EXE
1968	LOGZ.EXE
1968	LOGZ.EXE
1968	LOGZ.EXE
1968	LOGZ.EXE
1968	LOGZ.EXE
1968	LOGZ.EXE
1284	Process not Found

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a49d-264.dat	upx
behavioral1/files/0x000500000001a49d-265.dat	upx
behavioral1/memory/1968-266-0x000007FEF2530000-0x000007FEF2996000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Subsystem = "C:\\Program Files (x86)\\SCSI Subsystem\\scsiss.exe"	KRNL (WORKING).EXE

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	KRNL (WORKING).EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SCSI Subsystem\scsiss.exe	KRNL (WORKING).EXE
File opened for modification	C:\Program Files (x86)\SCSI Subsystem\scsiss.exe	KRNL (WORKING).EXE

Detects Pyinstaller 7 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000a000000015c2f-75.dat	pyinstaller
behavioral1/files/0x000a000000015c2f-77.dat	pyinstaller
behavioral1/files/0x000a000000015c2f-78.dat	pyinstaller
behavioral1/files/0x000a000000015c2f-251.dat	pyinstaller
behavioral1/files/0x000a000000015c2f-250.dat	pyinstaller
behavioral1/files/0x000a000000015c2f-270.dat	pyinstaller
behavioral1/files/0x000a000000015c2f-271.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1940	KRNL (WORKING).EXE
1940	KRNL (WORKING).EXE
1940	KRNL (WORKING).EXE
1940	KRNL (WORKING).EXE
1940	KRNL (WORKING).EXE
1940	KRNL (WORKING).EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1940	KRNL (WORKING).EXE

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	LOGZ UMBRAL.EXE
Token: SeDebugPrivilege	1940	KRNL (WORKING).EXE
Token: SeIncreaseQuotaPrivilege	2456	wmic.exe
Token: SeSecurityPrivilege	2456	wmic.exe
Token: SeTakeOwnershipPrivilege	2456	wmic.exe
Token: SeLoadDriverPrivilege	2456	wmic.exe
Token: SeSystemProfilePrivilege	2456	wmic.exe
Token: SeSystemtimePrivilege	2456	wmic.exe
Token: SeProfSingleProcessPrivilege	2456	wmic.exe
Token: SeIncBasePriorityPrivilege	2456	wmic.exe
Token: SeCreatePagefilePrivilege	2456	wmic.exe
Token: SeBackupPrivilege	2456	wmic.exe
Token: SeRestorePrivilege	2456	wmic.exe
Token: SeShutdownPrivilege	2456	wmic.exe
Token: SeDebugPrivilege	2456	wmic.exe
Token: SeSystemEnvironmentPrivilege	2456	wmic.exe
Token: SeRemoteShutdownPrivilege	2456	wmic.exe
Token: SeUndockPrivilege	2456	wmic.exe
Token: SeManageVolumePrivilege	2456	wmic.exe
Token: 33	2456	wmic.exe
Token: 34	2456	wmic.exe
Token: 35	2456	wmic.exe
Token: SeIncreaseQuotaPrivilege	2456	wmic.exe
Token: SeSecurityPrivilege	2456	wmic.exe
Token: SeTakeOwnershipPrivilege	2456	wmic.exe
Token: SeLoadDriverPrivilege	2456	wmic.exe
Token: SeSystemProfilePrivilege	2456	wmic.exe
Token: SeSystemtimePrivilege	2456	wmic.exe
Token: SeProfSingleProcessPrivilege	2456	wmic.exe
Token: SeIncBasePriorityPrivilege	2456	wmic.exe
Token: SeCreatePagefilePrivilege	2456	wmic.exe
Token: SeBackupPrivilege	2456	wmic.exe
Token: SeRestorePrivilege	2456	wmic.exe
Token: SeShutdownPrivilege	2456	wmic.exe
Token: SeDebugPrivilege	2456	wmic.exe
Token: SeSystemEnvironmentPrivilege	2456	wmic.exe
Token: SeRemoteShutdownPrivilege	2456	wmic.exe
Token: SeUndockPrivilege	2456	wmic.exe
Token: SeManageVolumePrivilege	2456	wmic.exe
Token: 33	2456	wmic.exe
Token: 34	2456	wmic.exe
Token: 35	2456	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1940	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	28
PID 2492 wrote to memory of 1940	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	28
PID 2492 wrote to memory of 1940	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	28
PID 2492 wrote to memory of 1940	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	28
PID 2492 wrote to memory of 1180	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	29
PID 2492 wrote to memory of 1180	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	29
PID 2492 wrote to memory of 1180	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	29
PID 2492 wrote to memory of 1180	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	29
PID 2492 wrote to memory of 2936	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	30
PID 2492 wrote to memory of 2936	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	30
PID 2492 wrote to memory of 2936	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	30
PID 2492 wrote to memory of 2936	2492	6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe	30
PID 2936 wrote to memory of 1968	2936	LOGZ.EXE	31
PID 2936 wrote to memory of 1968	2936	LOGZ.EXE	31
PID 2936 wrote to memory of 1968	2936	LOGZ.EXE	31
PID 1180 wrote to memory of 2456	1180	LOGZ UMBRAL.EXE	32
PID 1180 wrote to memory of 2456	1180	LOGZ UMBRAL.EXE	32
PID 1180 wrote to memory of 2456	1180	LOGZ UMBRAL.EXE	32

C:\Users\Admin\AppData\Local\Temp\6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe
"C:\Users\Admin\AppData\Local\Temp\6dd21975f4cab86ed7af322c38e9825971e13cc0b826e278f56d2e411ad4f6f8.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\KRNL (WORKING).EXE
  "C:\Users\Admin\AppData\Local\Temp\KRNL (WORKING).EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\LOGZ UMBRAL.EXE
  "C:\Users\Admin\AppData\Local\Temp\LOGZ UMBRAL.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1180
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- C:\Users\Admin\AppData\Local\Temp\LOGZ.EXE
  "C:\Users\Admin\AppData\Local\Temp\LOGZ.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Local\Temp\LOGZ.EXE
    "C:\Users\Admin\AppData\Local\Temp\LOGZ.EXE"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\KRNL (WORKING).EXE

Filesize
202KB

MD5
abd1b166ab1703f4b3558b0c66d77556

SHA1
d28ee7135fbb4da81904aa0cc97e772f200dcb29

SHA256
e7fbd0f33ca20caae55da9423c81241c9bced4018456d5fbd27cc9f93f912310

SHA512
0be3b50a5b5d14e13743fb8f7ef6da6dc629abf1bfcf548cba015fc18671541c5df12700e0d1a096e909ef5979691883269b56c71dfb67b912a0380b85fe6d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRNL (WORKING).EXE

Filesize
202KB

MD5
abd1b166ab1703f4b3558b0c66d77556

SHA1
d28ee7135fbb4da81904aa0cc97e772f200dcb29

SHA256
e7fbd0f33ca20caae55da9423c81241c9bced4018456d5fbd27cc9f93f912310

SHA512
0be3b50a5b5d14e13743fb8f7ef6da6dc629abf1bfcf548cba015fc18671541c5df12700e0d1a096e909ef5979691883269b56c71dfb67b912a0380b85fe6d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRNL (WORKING).EXE

Filesize
202KB

MD5
abd1b166ab1703f4b3558b0c66d77556

SHA1
d28ee7135fbb4da81904aa0cc97e772f200dcb29

SHA256
e7fbd0f33ca20caae55da9423c81241c9bced4018456d5fbd27cc9f93f912310

SHA512
0be3b50a5b5d14e13743fb8f7ef6da6dc629abf1bfcf548cba015fc18671541c5df12700e0d1a096e909ef5979691883269b56c71dfb67b912a0380b85fe6d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOGZ UMBRAL.EXE

Filesize
214KB

MD5
a7f686424354f0ea81f9e0bebe62a304

SHA1
61e2e50f5e6169ba83be573be08a6ba3d2a20017

SHA256
20c6fd1ecd7a3fe407b81ac8cb2b99ceb5fc3608249b65bee1246ffbc7ab4235

SHA512
cd9d204946185d240e932fe1cc87b2d2b9c18686acc417004e007e3e5af15c73d6c81cf28c57452a5ca9085a64d427895b09de258f38c73f2d5d95c0a598a6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOGZ UMBRAL.EXE

Filesize
214KB

MD5
a7f686424354f0ea81f9e0bebe62a304

SHA1
61e2e50f5e6169ba83be573be08a6ba3d2a20017

SHA256
20c6fd1ecd7a3fe407b81ac8cb2b99ceb5fc3608249b65bee1246ffbc7ab4235

SHA512
cd9d204946185d240e932fe1cc87b2d2b9c18686acc417004e007e3e5af15c73d6c81cf28c57452a5ca9085a64d427895b09de258f38c73f2d5d95c0a598a6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOGZ UMBRAL.EXE

Filesize
214KB

MD5
a7f686424354f0ea81f9e0bebe62a304

SHA1
61e2e50f5e6169ba83be573be08a6ba3d2a20017

SHA256
20c6fd1ecd7a3fe407b81ac8cb2b99ceb5fc3608249b65bee1246ffbc7ab4235

SHA512
cd9d204946185d240e932fe1cc87b2d2b9c18686acc417004e007e3e5af15c73d6c81cf28c57452a5ca9085a64d427895b09de258f38c73f2d5d95c0a598a6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOGZ.EXE

Filesize
23.9MB

MD5
4229a757e1ac98195ea4a3f2d08cecd3

SHA1
91dc93770084297e2bce031d28925c1d3586ae7d

SHA256
bd9dc79f9c8ac8d6ed1f2aa60ee19186cb6c147f0674e66a1124471865c3cba2

SHA512
2a602d754954713935d4c0497b41ef7dccddc5a5bbe9905d97b22a095dd8430e63b462fa326a6abce2c0cdff44d1bf98acfbb9a582f6ff892eef98f1044c748c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOGZ.EXE

Filesize
23.9MB

MD5
4229a757e1ac98195ea4a3f2d08cecd3

SHA1
91dc93770084297e2bce031d28925c1d3586ae7d

SHA256
bd9dc79f9c8ac8d6ed1f2aa60ee19186cb6c147f0674e66a1124471865c3cba2

SHA512
2a602d754954713935d4c0497b41ef7dccddc5a5bbe9905d97b22a095dd8430e63b462fa326a6abce2c0cdff44d1bf98acfbb9a582f6ff892eef98f1044c748c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LOGZ.EXE

Filesize
23.9MB

MD5
4229a757e1ac98195ea4a3f2d08cecd3

SHA1
91dc93770084297e2bce031d28925c1d3586ae7d

SHA256
bd9dc79f9c8ac8d6ed1f2aa60ee19186cb6c147f0674e66a1124471865c3cba2

SHA512
2a602d754954713935d4c0497b41ef7dccddc5a5bbe9905d97b22a095dd8430e63b462fa326a6abce2c0cdff44d1bf98acfbb9a582f6ff892eef98f1044c748c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29362\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
4454791276f4716342de12eaa6ab5007

SHA1
cfeab7a4aed07adf0e22bb40ca408046896173fa

SHA256
0545cfcb511dcca7764a31465c211ff3d6b91ed5070c00a8613599edff4b7979

SHA512
e86ae200f473ffc00b4e4f3fcdb094cdf896184dd048aed3c408f145282cf5da67889e11334460984c60f332d2faecf9a89a5f3774c81b488aeaadb5e1520497

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29362\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29362\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
584935f54f7a9947a2fec9a6d827e558

SHA1
3ee71afa08464bab300983a2bc627cd791d574dc

SHA256
78b921153dd5776295b464f6b887d6cf3e24097d53305a0c584256b8f569f9fb

SHA512
933658ceeb0a79d968b1ad32fa392f0e9f630c0264919fc729986f0d97ce72c5e5c554a42c068eacbbea24e4adca686ce10701803c6e80c77f7ed6d121cff749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29362\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
fb60a721cfca0b3307067a7db90a996e

SHA1
fd4d776f3b9f1f7b658a2abdb5d321721eb19488

SHA256
2f031764abb092fa03732d27876a29f62d40ba0fdce08b66559915dc2879d10c

SHA512
b510c8a1436463ee4206cc6d3585a883bb195cdb3ed134eda286939ba50027ae2c01e409654252966717ccb0fbd2d09aae9d9412fa94491bf403103e7b62a5bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29362\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
9be41c3476bdf52936e25368c14b87c4

SHA1
22a068671f0e3fc9041a193158cfb95fa3618419

SHA256
9c208b51ad3331ae87ce2642d9a8b119add74798524ea1c3cb1e995045f452b9

SHA512
0756986284b8ea16cc1d35c8a87352e70b7b44a892b3b4a1266c64607aa0dd161e5da4b0286c6dbb38f040d538c85e6c4af26148a31d1382f86b12b4b389463d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29362\python310.dll

Filesize
1.4MB

MD5
72c65de0cc88d6a26d5a7040aaf1fb60

SHA1
68dae332ade43106c72e68a497b6b7df6b314425

SHA256
769f20bcec63eb6567cca095ea59ffcda2c87e2b8600503f0e4f976dfb8da2bb

SHA512
5f658e0bee185613a37f946069ac6723fff93e542a4eb6e3435766c58d09d82894b85502f1686ffc9318bdf4b3a858490866ca56b90238c8c903e794c3a4e3fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29362\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\KRNL (WORKING).EXE

Filesize
202KB

MD5
abd1b166ab1703f4b3558b0c66d77556

SHA1
d28ee7135fbb4da81904aa0cc97e772f200dcb29

SHA256
e7fbd0f33ca20caae55da9423c81241c9bced4018456d5fbd27cc9f93f912310

SHA512
0be3b50a5b5d14e13743fb8f7ef6da6dc629abf1bfcf548cba015fc18671541c5df12700e0d1a096e909ef5979691883269b56c71dfb67b912a0380b85fe6d51

Download Submit
\Users\Admin\AppData\Local\Temp\KRNL (WORKING).EXE

Filesize
202KB

MD5
abd1b166ab1703f4b3558b0c66d77556

SHA1
d28ee7135fbb4da81904aa0cc97e772f200dcb29

SHA256
e7fbd0f33ca20caae55da9423c81241c9bced4018456d5fbd27cc9f93f912310

SHA512
0be3b50a5b5d14e13743fb8f7ef6da6dc629abf1bfcf548cba015fc18671541c5df12700e0d1a096e909ef5979691883269b56c71dfb67b912a0380b85fe6d51

Download Submit
\Users\Admin\AppData\Local\Temp\LOGZ UMBRAL.EXE

Filesize
214KB

MD5
a7f686424354f0ea81f9e0bebe62a304

SHA1
61e2e50f5e6169ba83be573be08a6ba3d2a20017

SHA256
20c6fd1ecd7a3fe407b81ac8cb2b99ceb5fc3608249b65bee1246ffbc7ab4235

SHA512
cd9d204946185d240e932fe1cc87b2d2b9c18686acc417004e007e3e5af15c73d6c81cf28c57452a5ca9085a64d427895b09de258f38c73f2d5d95c0a598a6f0

Download Submit
\Users\Admin\AppData\Local\Temp\LOGZ UMBRAL.EXE

Filesize
214KB

MD5
a7f686424354f0ea81f9e0bebe62a304

SHA1
61e2e50f5e6169ba83be573be08a6ba3d2a20017

SHA256
20c6fd1ecd7a3fe407b81ac8cb2b99ceb5fc3608249b65bee1246ffbc7ab4235

SHA512
cd9d204946185d240e932fe1cc87b2d2b9c18686acc417004e007e3e5af15c73d6c81cf28c57452a5ca9085a64d427895b09de258f38c73f2d5d95c0a598a6f0

Download Submit
\Users\Admin\AppData\Local\Temp\LOGZ.EXE

Filesize
23.9MB

MD5
4229a757e1ac98195ea4a3f2d08cecd3

SHA1
91dc93770084297e2bce031d28925c1d3586ae7d

SHA256
bd9dc79f9c8ac8d6ed1f2aa60ee19186cb6c147f0674e66a1124471865c3cba2

SHA512
2a602d754954713935d4c0497b41ef7dccddc5a5bbe9905d97b22a095dd8430e63b462fa326a6abce2c0cdff44d1bf98acfbb9a582f6ff892eef98f1044c748c

Download Submit
\Users\Admin\AppData\Local\Temp\LOGZ.EXE

Filesize
23.9MB

MD5
4229a757e1ac98195ea4a3f2d08cecd3

SHA1
91dc93770084297e2bce031d28925c1d3586ae7d

SHA256
bd9dc79f9c8ac8d6ed1f2aa60ee19186cb6c147f0674e66a1124471865c3cba2

SHA512
2a602d754954713935d4c0497b41ef7dccddc5a5bbe9905d97b22a095dd8430e63b462fa326a6abce2c0cdff44d1bf98acfbb9a582f6ff892eef98f1044c748c

Download Submit
\Users\Admin\AppData\Local\Temp\LOGZ.EXE

Filesize
23.9MB

MD5
4229a757e1ac98195ea4a3f2d08cecd3

SHA1
91dc93770084297e2bce031d28925c1d3586ae7d

SHA256
bd9dc79f9c8ac8d6ed1f2aa60ee19186cb6c147f0674e66a1124471865c3cba2

SHA512
2a602d754954713935d4c0497b41ef7dccddc5a5bbe9905d97b22a095dd8430e63b462fa326a6abce2c0cdff44d1bf98acfbb9a582f6ff892eef98f1044c748c

Download Submit
\Users\Admin\AppData\Local\Temp\LOGZ.EXE

Filesize
23.9MB

MD5
4229a757e1ac98195ea4a3f2d08cecd3

SHA1
91dc93770084297e2bce031d28925c1d3586ae7d

SHA256
bd9dc79f9c8ac8d6ed1f2aa60ee19186cb6c147f0674e66a1124471865c3cba2

SHA512
2a602d754954713935d4c0497b41ef7dccddc5a5bbe9905d97b22a095dd8430e63b462fa326a6abce2c0cdff44d1bf98acfbb9a582f6ff892eef98f1044c748c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29362\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
4454791276f4716342de12eaa6ab5007

SHA1
cfeab7a4aed07adf0e22bb40ca408046896173fa

SHA256
0545cfcb511dcca7764a31465c211ff3d6b91ed5070c00a8613599edff4b7979

SHA512
e86ae200f473ffc00b4e4f3fcdb094cdf896184dd048aed3c408f145282cf5da67889e11334460984c60f332d2faecf9a89a5f3774c81b488aeaadb5e1520497

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29362\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29362\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
584935f54f7a9947a2fec9a6d827e558

SHA1
3ee71afa08464bab300983a2bc627cd791d574dc

SHA256
78b921153dd5776295b464f6b887d6cf3e24097d53305a0c584256b8f569f9fb

SHA512
933658ceeb0a79d968b1ad32fa392f0e9f630c0264919fc729986f0d97ce72c5e5c554a42c068eacbbea24e4adca686ce10701803c6e80c77f7ed6d121cff749

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29362\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
fb60a721cfca0b3307067a7db90a996e

SHA1
fd4d776f3b9f1f7b658a2abdb5d321721eb19488

SHA256
2f031764abb092fa03732d27876a29f62d40ba0fdce08b66559915dc2879d10c

SHA512
b510c8a1436463ee4206cc6d3585a883bb195cdb3ed134eda286939ba50027ae2c01e409654252966717ccb0fbd2d09aae9d9412fa94491bf403103e7b62a5bb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29362\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
9be41c3476bdf52936e25368c14b87c4

SHA1
22a068671f0e3fc9041a193158cfb95fa3618419

SHA256
9c208b51ad3331ae87ce2642d9a8b119add74798524ea1c3cb1e995045f452b9

SHA512
0756986284b8ea16cc1d35c8a87352e70b7b44a892b3b4a1266c64607aa0dd161e5da4b0286c6dbb38f040d538c85e6c4af26148a31d1382f86b12b4b389463d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29362\python310.dll

Filesize
1.4MB

MD5
72c65de0cc88d6a26d5a7040aaf1fb60

SHA1
68dae332ade43106c72e68a497b6b7df6b314425

SHA256
769f20bcec63eb6567cca095ea59ffcda2c87e2b8600503f0e4f976dfb8da2bb

SHA512
5f658e0bee185613a37f946069ac6723fff93e542a4eb6e3435766c58d09d82894b85502f1686ffc9318bdf4b3a858490866ca56b90238c8c903e794c3a4e3fb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI29362\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
memory/1180-191-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1180-269-0x000000001B070000-0x000000001B0F0000-memory.dmp

Filesize
512KB

Download
memory/1180-99-0x0000000001050000-0x000000000108C000-memory.dmp

Filesize
240KB

Download
memory/1180-272-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1180-273-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1940-210-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-212-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-213-0x00000000003D0000-0x0000000000410000-memory.dmp

Filesize
256KB

Download
memory/1940-274-0x0000000074B30000-0x00000000750DB000-memory.dmp

Filesize
5.7MB

Download
memory/1940-275-0x00000000003D0000-0x0000000000410000-memory.dmp

Filesize
256KB

Download
memory/1968-266-0x000007FEF2530000-0x000007FEF2996000-memory.dmp

Filesize
4.4MB

Download