umbral | a85235b38f90be244eb57d131951ff69a562714221d640ab9da0480af4aed06c

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2023 15:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Cheat_by_DioZ.exe
Size

15.3MB
MD5

7e8d421582aacc3651a5f8ae391e4605
SHA1

0cff4ece5e75a5dc0c5e6076ad782ecf42ad7c16
SHA256

a85235b38f90be244eb57d131951ff69a562714221d640ab9da0480af4aed06c
SHA512

7eb24ed0bddb9a681c231c92c50b52015b09466262dbdf1c1e47219f4fe76cff9adf65860d2c03cf61e8d4e7aa7ee46a7a81464773c56a81fee4a2ebec8192f1
SSDEEP

196608:0KMurhe046YIw782LRg5lA7B+juGhgdKDW/vDhoOocQ4cfVqwc7Mzg:0hurhf4Qm8MR8gwRh+n/lvoPDc70

Score

10^/10

umbral evasion stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1143115606330200074/pyKgc8H0hMiolN7TnRv_a5UZxMEV9hMyMPcyMEE79xLCjkKRbFA2ce8qYJuxmfb_M-83

Signatures

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral2/memory/4072-133-0x0000000000400000-0x000000000135C000-memory.dmp	family_umbral
behavioral2/files/0x0007000000023094-138.dat	family_umbral
behavioral2/files/0x0007000000023094-191.dat	family_umbral
behavioral2/files/0x0007000000023094-192.dat	family_umbral
behavioral2/memory/2220-194-0x000001BB0C6B0000-0x000001BB0C6F0000-memory.dmp	family_umbral

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 4696 created 3128	4696	MS.exe	38
PID 4696 created 3128	4696	MS.exe	38
PID 4696 created 3128	4696	MS.exe	38
PID 4696 created 3128	4696	MS.exe	38
PID 4696 created 3128	4696	MS.exe	38

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	MS.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
2220	3S.exe
4696	MS.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4696 set thread context of 1736	4696	MS.exe	107

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3264	sc.exe
1068	sc.exe
3492	sc.exe
4876	sc.exe
2864	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4872	400	WerFault.exe	77
2380	680	WerFault.exe	5
2936	628	WerFault.exe	7

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Cheat_by_DioZ.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4696	MS.exe
4696	MS.exe
3820	powershell.exe
3820	powershell.exe
4696	MS.exe
4696	MS.exe
4696	MS.exe
4696	MS.exe
4696	MS.exe
4696	MS.exe
4696	MS.exe
4696	MS.exe
1736	dialer.exe
1736	dialer.exe
3640	powershell.exe
3640	powershell.exe
1736	dialer.exe
1736	dialer.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3320	Process not Found
5004	Process not Found
3392	Process not Found
2036	Process not Found
3168	Process not Found
3116	Process not Found
924	Process not Found
3044	Process not Found
1420	Process not Found
1068	Process not Found
4088	Process not Found
1992	Process not Found
2100	Process not Found
3892	Process not Found
4204	Process not Found
3148	Process not Found
2332	Process not Found
1864	Process not Found
4448	Process not Found
552	Process not Found
2392	Process not Found
4672	Process not Found
1676	Process not Found
3632	Process not Found
4784	Process not Found
3572	Process not Found
5016	Process not Found
4328	Process not Found
4736	Process not Found
1184	Process not Found
488	Process not Found
4996	Process not Found
4684	Process not Found
1284	Process not Found
3860	Process not Found
1628	Process not Found
1508	Process not Found
1832	smss.exe
4488	Process not Found
1432	Process not Found
3084	Process not Found
3036	Process not Found
528	Process not Found
3740	Process not Found
3328	Process not Found
3260	Process not Found
1608	Process not Found
1208	Process not Found
4660	Process not Found
1792	Process not Found
900	Process not Found
392	Process not Found
1908	Process not Found
3048	Process not Found
1684	Process not Found
2484	Process not Found
852	Process not Found
1124	Process not Found
3924	Process not Found
4884	Process not Found
5116	Process not Found
1700	Process not Found
2972	Process not Found
2188	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	3S.exe
Token: SeIncreaseQuotaPrivilege	3792	wmic.exe
Token: SeSecurityPrivilege	3792	wmic.exe
Token: SeTakeOwnershipPrivilege	3792	wmic.exe
Token: SeLoadDriverPrivilege	3792	wmic.exe
Token: SeSystemProfilePrivilege	3792	wmic.exe
Token: SeSystemtimePrivilege	3792	wmic.exe
Token: SeProfSingleProcessPrivilege	3792	wmic.exe
Token: SeIncBasePriorityPrivilege	3792	wmic.exe
Token: SeCreatePagefilePrivilege	3792	wmic.exe
Token: SeBackupPrivilege	3792	wmic.exe
Token: SeRestorePrivilege	3792	wmic.exe
Token: SeShutdownPrivilege	3792	wmic.exe
Token: SeDebugPrivilege	3792	wmic.exe
Token: SeSystemEnvironmentPrivilege	3792	wmic.exe
Token: SeRemoteShutdownPrivilege	3792	wmic.exe
Token: SeUndockPrivilege	3792	wmic.exe
Token: SeManageVolumePrivilege	3792	wmic.exe
Token: 33	3792	wmic.exe
Token: 34	3792	wmic.exe
Token: 35	3792	wmic.exe
Token: 36	3792	wmic.exe
Token: SeIncreaseQuotaPrivilege	3792	wmic.exe
Token: SeSecurityPrivilege	3792	wmic.exe
Token: SeTakeOwnershipPrivilege	3792	wmic.exe
Token: SeLoadDriverPrivilege	3792	wmic.exe
Token: SeSystemProfilePrivilege	3792	wmic.exe
Token: SeSystemtimePrivilege	3792	wmic.exe
Token: SeProfSingleProcessPrivilege	3792	wmic.exe
Token: SeIncBasePriorityPrivilege	3792	wmic.exe
Token: SeCreatePagefilePrivilege	3792	wmic.exe
Token: SeBackupPrivilege	3792	wmic.exe
Token: SeRestorePrivilege	3792	wmic.exe
Token: SeShutdownPrivilege	3792	wmic.exe
Token: SeDebugPrivilege	3792	wmic.exe
Token: SeSystemEnvironmentPrivilege	3792	wmic.exe
Token: SeRemoteShutdownPrivilege	3792	wmic.exe
Token: SeUndockPrivilege	3792	wmic.exe
Token: SeManageVolumePrivilege	3792	wmic.exe
Token: 33	3792	wmic.exe
Token: 34	3792	wmic.exe
Token: 35	3792	wmic.exe
Token: 36	3792	wmic.exe
Token: SeDebugPrivilege	3820	powershell.exe
Token: SeShutdownPrivilege	4052	powercfg.exe
Token: SeCreatePagefilePrivilege	4052	powercfg.exe
Token: SeDebugPrivilege	1736	dialer.exe
Token: SeShutdownPrivilege	552	powercfg.exe
Token: SeCreatePagefilePrivilege	552	powercfg.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeShutdownPrivilege	4316	powercfg.exe
Token: SeCreatePagefilePrivilege	4316	powercfg.exe
Token: SeShutdownPrivilege	1832	smss.exe
Token: SeCreatePagefilePrivilege	1832	smss.exe
Token: SeIncreaseQuotaPrivilege	3640	powershell.exe
Token: SeSecurityPrivilege	3640	powershell.exe
Token: SeTakeOwnershipPrivilege	3640	powershell.exe
Token: SeLoadDriverPrivilege	3640	powershell.exe
Token: SeSystemProfilePrivilege	3640	powershell.exe
Token: SeSystemtimePrivilege	3640	powershell.exe
Token: SeProfSingleProcessPrivilege	3640	powershell.exe
Token: SeIncBasePriorityPrivilege	3640	powershell.exe
Token: SeCreatePagefilePrivilege	3640	powershell.exe
Token: SeBackupPrivilege	3640	powershell.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 4072 wrote to memory of 2220	4072	Cheat_by_DioZ.exe	83
PID 4072 wrote to memory of 2220	4072	Cheat_by_DioZ.exe	83
PID 4072 wrote to memory of 4696	4072	Cheat_by_DioZ.exe	84
PID 4072 wrote to memory of 4696	4072	Cheat_by_DioZ.exe	84
PID 2220 wrote to memory of 3792	2220	3S.exe	87
PID 2220 wrote to memory of 3792	2220	3S.exe	87
PID 692 wrote to memory of 3492	692	cmd.exe	98
PID 692 wrote to memory of 3492	692	cmd.exe	98
PID 692 wrote to memory of 4876	692	cmd.exe	99
PID 692 wrote to memory of 4876	692	cmd.exe	99
PID 692 wrote to memory of 2864	692	cmd.exe	101
PID 692 wrote to memory of 2864	692	cmd.exe	101
PID 692 wrote to memory of 3264	692	cmd.exe	102
PID 692 wrote to memory of 3264	692	cmd.exe	102
PID 692 wrote to memory of 1068	692	cmd.exe	103
PID 692 wrote to memory of 1068	692	cmd.exe	103
PID 1500 wrote to memory of 4052	1500	cmd.exe	106
PID 1500 wrote to memory of 4052	1500	cmd.exe	106
PID 4696 wrote to memory of 1736	4696	MS.exe	107
PID 1500 wrote to memory of 552	1500	cmd.exe	110
PID 1500 wrote to memory of 552	1500	cmd.exe	110
PID 1500 wrote to memory of 4316	1500	cmd.exe	111
PID 1500 wrote to memory of 4316	1500	cmd.exe	111
PID 1500 wrote to memory of 1832	1500	cmd.exe	162
PID 1500 wrote to memory of 1832	1500	cmd.exe	162
PID 1736 wrote to memory of 628	1736	dialer.exe	7
PID 1736 wrote to memory of 680	1736	dialer.exe	5
PID 1736 wrote to memory of 980	1736	dialer.exe	9
PID 680 wrote to memory of 2732	680	lsass.exe	45
PID 1736 wrote to memory of 400	1736	dialer.exe	77
PID 1736 wrote to memory of 432	1736	dialer.exe	76
PID 680 wrote to memory of 2732	680	lsass.exe	45
PID 680 wrote to memory of 2732	680	lsass.exe	45
PID 680 wrote to memory of 2732	680	lsass.exe	45
PID 1736 wrote to memory of 1048	1736	dialer.exe	74
PID 680 wrote to memory of 2732	680	lsass.exe	45
PID 680 wrote to memory of 2732	680	lsass.exe	45
PID 680 wrote to memory of 2732	680	lsass.exe	45
PID 1736 wrote to memory of 1092	1736	dialer.exe	73
PID 1736 wrote to memory of 1100	1736	dialer.exe	72
PID 1736 wrote to memory of 1220	1736	dialer.exe	71
PID 1736 wrote to memory of 1252	1736	dialer.exe	70
PID 1736 wrote to memory of 1308	1736	dialer.exe	69
PID 1736 wrote to memory of 1356	1736	dialer.exe	68
PID 1736 wrote to memory of 1372	1736	dialer.exe	67
PID 1736 wrote to memory of 1408	1736	dialer.exe	66
PID 1736 wrote to memory of 1492	1736	dialer.exe	65
PID 1736 wrote to memory of 1556	1736	dialer.exe	64
PID 1736 wrote to memory of 1564	1736	dialer.exe	63
PID 1736 wrote to memory of 1692	1736	dialer.exe	62
PID 1372 wrote to memory of 4860	1372	svchost.exe	120
PID 1372 wrote to memory of 4860	1372	svchost.exe	120
PID 680 wrote to memory of 2732	680	lsass.exe	45
PID 1372 wrote to memory of 3284	1372	svchost.exe	121
PID 1372 wrote to memory of 3284	1372	svchost.exe	121
PID 1372 wrote to memory of 2840	1372	svchost.exe	122
PID 1372 wrote to memory of 2840	1372	svchost.exe	122
PID 1372 wrote to memory of 3208	1372	svchost.exe	123
PID 1372 wrote to memory of 3208	1372	svchost.exe	123
PID 1372 wrote to memory of 1996	1372	svchost.exe	124
PID 1372 wrote to memory of 1996	1372	svchost.exe	124

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 680 -s 4288
  2⤵
  - Program crash
  PID:2380

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:628
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:400
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 400 -s 3620
    3⤵
    - Program crash
    PID:4872
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 628 -s 1132
  2⤵
  - Program crash
  PID:2936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:980

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3128
- C:\Users\Admin\AppData\Local\Temp\Cheat_by_DioZ.exe
  "C:\Users\Admin\AppData\Local\Temp\Cheat_by_DioZ.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Users\Admin\AppData\Local\Temp\3S.exe
    "C:\Users\Admin\AppData\Local\Temp\3S.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3792
- - C:\Users\Admin\AppData\Local\Temp\MS.exe
    "C:\Users\Admin\AppData\Local\Temp\MS.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3820
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3492
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4876
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2864
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:3264
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1068
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4052
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:552
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4316
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    PID:1832
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cnxaozlt#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3640

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:4860
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3284
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2840
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:3208
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1356

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1092

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:432

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 464 -p 628 -ip 628
1⤵
PID:1036

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 480 -p 400 -ip 400
1⤵
PID:4388

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 508 -p 680 -ip 680
1⤵
PID:2976

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000f0 00000084
1⤵
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:1832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3S.exe

Filesize
227KB

MD5
0c6f57e34c60e926869925974c0ba0c6

SHA1
c2c96e1a4da5fe008796801569ebdfcde4d3c07b

SHA256
3818bc71c250768baec123373d2e873428509f7dcef12a56f4d428d488661c71

SHA512
70281ccd28331260e0808d00a0965753e4f8d9c4b8a0e211abd97556429ad7cb3a647a017f53a8d111468639fe9c05e0022cb034f6069b6b9fff214d389ac193

Download Submit
C:\Users\Admin\AppData\Local\Temp\3S.exe

Filesize
227KB

MD5
0c6f57e34c60e926869925974c0ba0c6

SHA1
c2c96e1a4da5fe008796801569ebdfcde4d3c07b

SHA256
3818bc71c250768baec123373d2e873428509f7dcef12a56f4d428d488661c71

SHA512
70281ccd28331260e0808d00a0965753e4f8d9c4b8a0e211abd97556429ad7cb3a647a017f53a8d111468639fe9c05e0022cb034f6069b6b9fff214d389ac193

Download Submit
C:\Users\Admin\AppData\Local\Temp\3S.exe

Filesize
227KB

MD5
0c6f57e34c60e926869925974c0ba0c6

SHA1
c2c96e1a4da5fe008796801569ebdfcde4d3c07b

SHA256
3818bc71c250768baec123373d2e873428509f7dcef12a56f4d428d488661c71

SHA512
70281ccd28331260e0808d00a0965753e4f8d9c4b8a0e211abd97556429ad7cb3a647a017f53a8d111468639fe9c05e0022cb034f6069b6b9fff214d389ac193

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS.exe

Filesize
9.9MB

MD5
ed1da88dca5699f9e01a7e4fa08be78c

SHA1
1cc67cbe8cf95217bd7f22a1e30702bf9d45e806

SHA256
9773bcd1383410649884abe2985277f4d51e839f6f49446d13ab67e0bd18f413

SHA512
4e5a80bbe65c90a25b6f7907acf269c46ddb0ad09ac859c806e03e3aa0854afcb4d08e1e4176b8dfe9b852b91f7bf1ab510f53ae6945b654083561ecc7a7e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\MS.exe

Filesize
9.9MB

MD5
ed1da88dca5699f9e01a7e4fa08be78c

SHA1
1cc67cbe8cf95217bd7f22a1e30702bf9d45e806

SHA256
9773bcd1383410649884abe2985277f4d51e839f6f49446d13ab67e0bd18f413

SHA512
4e5a80bbe65c90a25b6f7907acf269c46ddb0ad09ac859c806e03e3aa0854afcb4d08e1e4176b8dfe9b852b91f7bf1ab510f53ae6945b654083561ecc7a7e2ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sbrprcu1.bex.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/400-305-0x00000284215B0000-0x00000284215D7000-memory.dmp

Filesize
156KB

Download
memory/400-309-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/400-318-0x00000284215B0000-0x00000284215D7000-memory.dmp

Filesize
156KB

Download
memory/432-311-0x0000019DCE360000-0x0000019DCE387000-memory.dmp

Filesize
156KB

Download
memory/432-313-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/432-321-0x0000019DCE360000-0x0000019DCE387000-memory.dmp

Filesize
156KB

Download
memory/628-369-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/628-299-0x00007FF92044D000-0x00007FF92044E000-memory.dmp

Filesize
4KB

Download
memory/628-296-0x00000263C3BE0000-0x00000263C3C07000-memory.dmp

Filesize
156KB

Download
memory/628-302-0x00007FF92044F000-0x00007FF920450000-memory.dmp

Filesize
4KB

Download
memory/628-293-0x00000263C3B40000-0x00000263C3B61000-memory.dmp

Filesize
132KB

Download
memory/628-370-0x00000263C3BE0000-0x00000263C3C07000-memory.dmp

Filesize
156KB

Download
memory/628-354-0x00000263C3BE0000-0x00000263C3C07000-memory.dmp

Filesize
156KB

Download
memory/680-300-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/680-316-0x00007FF92044F000-0x00007FF920450000-memory.dmp

Filesize
4KB

Download
memory/680-314-0x00007FF92044D000-0x00007FF92044E000-memory.dmp

Filesize
4KB

Download
memory/680-297-0x0000020B5EE40000-0x0000020B5EE67000-memory.dmp

Filesize
156KB

Download
memory/680-312-0x0000020B5EE40000-0x0000020B5EE67000-memory.dmp

Filesize
156KB

Download
memory/980-319-0x00007FF92044C000-0x00007FF92044D000-memory.dmp

Filesize
4KB

Download
memory/980-317-0x00000293F1040000-0x00000293F1067000-memory.dmp

Filesize
156KB

Download
memory/980-304-0x00000293F1040000-0x00000293F1067000-memory.dmp

Filesize
156KB

Download
memory/980-308-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/1048-322-0x0000016E9C390000-0x0000016E9C3B7000-memory.dmp

Filesize
156KB

Download
memory/1048-324-0x0000016E9C390000-0x0000016E9C3B7000-memory.dmp

Filesize
156KB

Download
memory/1048-403-0x0000016E9C390000-0x0000016E9C3B7000-memory.dmp

Filesize
156KB

Download
memory/1048-323-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/1092-329-0x0000025353F10000-0x0000025353F37000-memory.dmp

Filesize
156KB

Download
memory/1092-331-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/1092-404-0x0000025353F10000-0x0000025353F37000-memory.dmp

Filesize
156KB

Download
memory/1100-332-0x000002AD38E60000-0x000002AD38E87000-memory.dmp

Filesize
156KB

Download
memory/1100-340-0x000002AD38E60000-0x000002AD38E87000-memory.dmp

Filesize
156KB

Download
memory/1100-334-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/1220-335-0x000002575A110000-0x000002575A137000-memory.dmp

Filesize
156KB

Download
memory/1220-337-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/1220-341-0x000002575A110000-0x000002575A137000-memory.dmp

Filesize
156KB

Download
memory/1252-346-0x000001E50A1B0000-0x000001E50A1D7000-memory.dmp

Filesize
156KB

Download
memory/1252-349-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/1252-351-0x000001E50A1B0000-0x000001E50A1D7000-memory.dmp

Filesize
156KB

Download
memory/1308-348-0x000001F786B60000-0x000001F786B87000-memory.dmp

Filesize
156KB

Download
memory/1308-405-0x000001F786B60000-0x000001F786B87000-memory.dmp

Filesize
156KB

Download
memory/1308-352-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/1308-353-0x000001F786B60000-0x000001F786B87000-memory.dmp

Filesize
156KB

Download
memory/1356-361-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/1356-359-0x000001A8B5290000-0x000001A8B52B7000-memory.dmp

Filesize
156KB

Download
memory/1356-408-0x000001A8B5290000-0x000001A8B52B7000-memory.dmp

Filesize
156KB

Download
memory/1372-407-0x0000022E65550000-0x0000022E65577000-memory.dmp

Filesize
156KB

Download
memory/1372-366-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/1372-363-0x0000022E65550000-0x0000022E65577000-memory.dmp

Filesize
156KB

Download
memory/1408-373-0x00007FF8E0430000-0x00007FF8E0440000-memory.dmp

Filesize
64KB

Download
memory/1408-406-0x000002848F490000-0x000002848F4B7000-memory.dmp

Filesize
156KB

Download
memory/1408-368-0x000002848F490000-0x000002848F4B7000-memory.dmp

Filesize
156KB

Download
memory/1492-399-0x000002A039C60000-0x000002A039C87000-memory.dmp

Filesize
156KB

Download
memory/1556-400-0x0000025EED6E0000-0x0000025EED707000-memory.dmp

Filesize
156KB

Download
memory/1564-402-0x00000228D2890000-0x00000228D28B7000-memory.dmp

Filesize
156KB

Download
memory/1692-401-0x000002277F2C0000-0x000002277F2E7000-memory.dmp

Filesize
156KB

Download
memory/1736-347-0x00007FF6CFE00000-0x00007FF6CFE29000-memory.dmp

Filesize
164KB

Download
memory/1736-277-0x00007FF9203B0000-0x00007FF9205A5000-memory.dmp

Filesize
2.0MB

Download
memory/1736-278-0x00007FF91EB50000-0x00007FF91EC0E000-memory.dmp

Filesize
760KB

Download
memory/2220-256-0x00007FF902450000-0x00007FF902F11000-memory.dmp

Filesize
10.8MB

Download
memory/2220-194-0x000001BB0C6B0000-0x000001BB0C6F0000-memory.dmp

Filesize
256KB

Download
memory/2220-250-0x00007FF902450000-0x00007FF902F11000-memory.dmp

Filesize
10.8MB

Download
memory/2220-254-0x000001BB26BF0000-0x000001BB26C00000-memory.dmp

Filesize
64KB

Download
memory/3640-280-0x00007FF901C80000-0x00007FF902741000-memory.dmp

Filesize
10.8MB

Download
memory/3640-281-0x0000025D5E900000-0x0000025D5E910000-memory.dmp

Filesize
64KB

Download
memory/3640-343-0x0000025D5E900000-0x0000025D5E910000-memory.dmp

Filesize
64KB

Download
memory/3640-342-0x0000025D5E900000-0x0000025D5E910000-memory.dmp

Filesize
64KB

Download
memory/3640-338-0x00007FF901C80000-0x00007FF902741000-memory.dmp

Filesize
10.8MB

Download
memory/3640-396-0x00007FF901C80000-0x00007FF902741000-memory.dmp

Filesize
10.8MB

Download
memory/3640-282-0x0000025D5E900000-0x0000025D5E910000-memory.dmp

Filesize
64KB

Download
memory/3820-270-0x000001C9E0920000-0x000001C9E0942000-memory.dmp

Filesize
136KB

Download
memory/3820-258-0x00007FF901C80000-0x00007FF902741000-memory.dmp

Filesize
10.8MB

Download
memory/3820-259-0x000001C9C60C0000-0x000001C9C60D0000-memory.dmp

Filesize
64KB

Download
memory/3820-260-0x000001C9C60C0000-0x000001C9C60D0000-memory.dmp

Filesize
64KB

Download
memory/3820-271-0x000001C9C60C0000-0x000001C9C60D0000-memory.dmp

Filesize
64KB

Download
memory/3820-274-0x00007FF901C80000-0x00007FF902741000-memory.dmp

Filesize
10.8MB

Download
memory/4072-133-0x0000000000400000-0x000000000135C000-memory.dmp

Filesize
15.4MB

Download
memory/4696-257-0x00007FF766B10000-0x00007FF76750D000-memory.dmp

Filesize
10.0MB

Download
memory/4696-307-0x00007FF766B10000-0x00007FF76750D000-memory.dmp

Filesize
10.0MB

Download