umbral | 932efb570cd8045499675443a910394b5c6bec45511aa2c517a636bd3e385766

Analysis

max time kernel
141s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
25/02/2024, 06:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

IO tootls.exe
Size

209KB
MD5

841d1c344cc00671b25a80e6db3b1e06
SHA1

1952391bfc777b4cd2acc403d895dd7e198aa013
SHA256

932efb570cd8045499675443a910394b5c6bec45511aa2c517a636bd3e385766
SHA512

75af1637e76c307c6241a4ac26859a9260c2198d2aa83e5a6c52e0ec6bb37fac4cecf4f002f05d861356f833fc306869682e3195c0e6ba603e8ebf4b9a98f96e
SSDEEP

6144:v5DmisKDLvohc1Y3o40bbwhpn8+jPmqSQj33zO9Y:xXLDor440y8oPmZW

Score

10^/10

umbral xworm persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1211176678466916392/99VOwP9dc7iQz2Is-QlZ872KZaiUa4r3sEvXqZ6NmS-fFuTojiUjOg2SjIUWBCIoPNFA

Extracted

Family

xworm

hai1723rat-60039.portmap.io:60039

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral5/files/0x000200000002a7fb-56.dat	family_umbral
behavioral5/memory/4052-57-0x0000026D05420000-0x0000026D0546E000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral5/files/0x000200000002a7fa-34.dat	family_xworm
behavioral5/memory/4956-59-0x0000000000190000-0x00000000001B6000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	controllloader.exe

Executes dropped EXE 2 IoCs

pid	Process
4956	systemload.exe
4052	controllloader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Software\Microsoft\Windows\CurrentVersion\Run\updatee = "C:\\Windows\\.NET\\netloader.exe"	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	discord.com
15	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4864 set thread context of 3076	4864	IO tootls.exe	85

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\.NET\netloader.exe	IO tootls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2908	wmic.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4864	IO tootls.exe
4864	IO tootls.exe
4864	IO tootls.exe
4864	IO tootls.exe
3144	powershell.exe
3144	powershell.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
3076	IO tootls.exe
1516	powershell.exe
1516	powershell.exe
3408	powershell.exe
3408	powershell.exe
4756	powershell.exe
4756	powershell.exe
1000	powershell.exe
1000	powershell.exe
1528	powershell.exe
1528	powershell.exe
4736	powershell.exe
4736	powershell.exe
3712	powershell.exe
3712	powershell.exe
4956	systemload.exe
2252	powershell.exe
2252	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4864	IO tootls.exe
Token: SeDebugPrivilege	3144	powershell.exe
Token: SeDebugPrivilege	3076	IO tootls.exe
Token: SeDebugPrivilege	4052	controllloader.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	4956	systemload.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	4736	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	4956	systemload.exe
Token: SeIncreaseQuotaPrivilege	4408	wmic.exe
Token: SeSecurityPrivilege	4408	wmic.exe
Token: SeTakeOwnershipPrivilege	4408	wmic.exe
Token: SeLoadDriverPrivilege	4408	wmic.exe
Token: SeSystemProfilePrivilege	4408	wmic.exe
Token: SeSystemtimePrivilege	4408	wmic.exe
Token: SeProfSingleProcessPrivilege	4408	wmic.exe
Token: SeIncBasePriorityPrivilege	4408	wmic.exe
Token: SeCreatePagefilePrivilege	4408	wmic.exe
Token: SeBackupPrivilege	4408	wmic.exe
Token: SeRestorePrivilege	4408	wmic.exe
Token: SeShutdownPrivilege	4408	wmic.exe
Token: SeDebugPrivilege	4408	wmic.exe
Token: SeSystemEnvironmentPrivilege	4408	wmic.exe
Token: SeRemoteShutdownPrivilege	4408	wmic.exe
Token: SeUndockPrivilege	4408	wmic.exe
Token: SeManageVolumePrivilege	4408	wmic.exe
Token: 33	4408	wmic.exe
Token: 34	4408	wmic.exe
Token: 35	4408	wmic.exe
Token: 36	4408	wmic.exe
Token: SeIncreaseQuotaPrivilege	4408	wmic.exe
Token: SeSecurityPrivilege	4408	wmic.exe
Token: SeTakeOwnershipPrivilege	4408	wmic.exe
Token: SeLoadDriverPrivilege	4408	wmic.exe
Token: SeSystemProfilePrivilege	4408	wmic.exe
Token: SeSystemtimePrivilege	4408	wmic.exe
Token: SeProfSingleProcessPrivilege	4408	wmic.exe
Token: SeIncBasePriorityPrivilege	4408	wmic.exe
Token: SeCreatePagefilePrivilege	4408	wmic.exe
Token: SeBackupPrivilege	4408	wmic.exe
Token: SeRestorePrivilege	4408	wmic.exe
Token: SeShutdownPrivilege	4408	wmic.exe
Token: SeDebugPrivilege	4408	wmic.exe
Token: SeSystemEnvironmentPrivilege	4408	wmic.exe
Token: SeRemoteShutdownPrivilege	4408	wmic.exe
Token: SeUndockPrivilege	4408	wmic.exe
Token: SeManageVolumePrivilege	4408	wmic.exe
Token: 33	4408	wmic.exe
Token: 34	4408	wmic.exe
Token: 35	4408	wmic.exe
Token: 36	4408	wmic.exe
Token: SeIncreaseQuotaPrivilege	348	wmic.exe
Token: SeSecurityPrivilege	348	wmic.exe
Token: SeTakeOwnershipPrivilege	348	wmic.exe
Token: SeLoadDriverPrivilege	348	wmic.exe
Token: SeSystemProfilePrivilege	348	wmic.exe
Token: SeSystemtimePrivilege	348	wmic.exe
Token: SeProfSingleProcessPrivilege	348	wmic.exe
Token: SeIncBasePriorityPrivilege	348	wmic.exe
Token: SeCreatePagefilePrivilege	348	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4956	systemload.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 3144	4864	IO tootls.exe	81
PID 4864 wrote to memory of 3144	4864	IO tootls.exe	81
PID 4864 wrote to memory of 3144	4864	IO tootls.exe	81
PID 4864 wrote to memory of 3752	4864	IO tootls.exe	83
PID 4864 wrote to memory of 3752	4864	IO tootls.exe	83
PID 4864 wrote to memory of 3752	4864	IO tootls.exe	83
PID 4864 wrote to memory of 2988	4864	IO tootls.exe	84
PID 4864 wrote to memory of 2988	4864	IO tootls.exe	84
PID 4864 wrote to memory of 2988	4864	IO tootls.exe	84
PID 4864 wrote to memory of 3076	4864	IO tootls.exe	85
PID 4864 wrote to memory of 3076	4864	IO tootls.exe	85
PID 4864 wrote to memory of 3076	4864	IO tootls.exe	85
PID 4864 wrote to memory of 3076	4864	IO tootls.exe	85
PID 4864 wrote to memory of 3076	4864	IO tootls.exe	85
PID 4864 wrote to memory of 3076	4864	IO tootls.exe	85
PID 4864 wrote to memory of 3076	4864	IO tootls.exe	85
PID 4864 wrote to memory of 3076	4864	IO tootls.exe	85
PID 3076 wrote to memory of 4956	3076	IO tootls.exe	87
PID 3076 wrote to memory of 4956	3076	IO tootls.exe	87
PID 3076 wrote to memory of 4052	3076	IO tootls.exe	88
PID 3076 wrote to memory of 4052	3076	IO tootls.exe	88
PID 3076 wrote to memory of 2340	3076	IO tootls.exe	89
PID 3076 wrote to memory of 2340	3076	IO tootls.exe	89
PID 3076 wrote to memory of 2340	3076	IO tootls.exe	89
PID 2340 wrote to memory of 1516	2340	cmd.exe	91
PID 2340 wrote to memory of 1516	2340	cmd.exe	91
PID 2340 wrote to memory of 1516	2340	cmd.exe	91
PID 4052 wrote to memory of 3408	4052	controllloader.exe	92
PID 4052 wrote to memory of 3408	4052	controllloader.exe	92
PID 4052 wrote to memory of 4756	4052	controllloader.exe	95
PID 4052 wrote to memory of 4756	4052	controllloader.exe	95
PID 4956 wrote to memory of 1000	4956	systemload.exe	96
PID 4956 wrote to memory of 1000	4956	systemload.exe	96
PID 4052 wrote to memory of 1528	4052	controllloader.exe	98
PID 4052 wrote to memory of 1528	4052	controllloader.exe	98
PID 4956 wrote to memory of 4736	4956	systemload.exe	101
PID 4956 wrote to memory of 4736	4956	systemload.exe	101
PID 4052 wrote to memory of 3712	4052	controllloader.exe	103
PID 4052 wrote to memory of 3712	4052	controllloader.exe	103
PID 4052 wrote to memory of 4408	4052	controllloader.exe	104
PID 4052 wrote to memory of 4408	4052	controllloader.exe	104
PID 4052 wrote to memory of 348	4052	controllloader.exe	106
PID 4052 wrote to memory of 348	4052	controllloader.exe	106
PID 4052 wrote to memory of 4108	4052	controllloader.exe	108
PID 4052 wrote to memory of 4108	4052	controllloader.exe	108
PID 4052 wrote to memory of 2252	4052	controllloader.exe	110
PID 4052 wrote to memory of 2252	4052	controllloader.exe	110
PID 4052 wrote to memory of 2908	4052	controllloader.exe	112
PID 4052 wrote to memory of 2908	4052	controllloader.exe	112

C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
"C:\Users\Admin\AppData\Local\Temp\IO tootls.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'updatee' -Value '"C:\Windows\.NET\netloader.exe"' -PropertyType 'String'
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
  #cmd
  2⤵
  PID:3752
- C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
  #cmd
  2⤵
  PID:2988
- C:\Users\Admin\AppData\Local\Temp\IO tootls.exe
  #cmd
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Users\Admin\AppData\Local\Temp\systemload.exe
    "C:\Users\Admin\AppData\Local\Temp\systemload.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4956
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'systemload.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4736
- - C:\Users\Admin\AppData\Local\Temp\controllloader.exe
    "C:\Users\Admin\AppData\Local\Temp\controllloader.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\controllloader.exe'
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3712
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4408
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:348
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4108
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2252
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start.cmd" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\'"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IO tootls.exe.log

Filesize
321B

MD5
f67fe6df08d4663b0496e9a0cc94640a

SHA1
d07396cfcf0c6ac3baef97ce55da213a87923095

SHA256
f7ebc9ed3149ecb8a190fbcb1d4e5524e1bdd0e603ab695d8ebff41da59fa2d4

SHA512
4f92d4a762675eee10856d08921c75cf3f9a6f92e94c21f0ef0aa5147f9a84e168e6cdb001e9a66986b0cff1c454d50a5b44715676875cf5343a3cbc5c0d5e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d0c46cad6c0778401e21910bd6b56b70

SHA1
7be418951ea96326aca445b8dfe449b2bfa0dca6

SHA256
9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

SHA512
057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6903d57eed54e89b68ebb957928d1b99

SHA1
fade011fbf2e4bc044d41e380cf70bd6a9f73212

SHA256
36cbb00b016c9f97645fb628ef72b524dfbdf6e08d626e5c837bbbb9075dcb52

SHA512
c192ea9810fd22de8378269235c1035aa1fe1975a53c876fe4a7acc726c020f94773c21e4e4771133f9fcedb0209f0a5324c594c1db5b28fe1b27644db4fdc9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b7c43e0b1fc1ad4076303eb555d8e21e

SHA1
d8c6041f1a62f2774fe0060438e331dc1d535e10

SHA256
ef3988dcc93a65aa3caec9eef226111288a084ea3c236b2993b2bab36605d11f

SHA512
016cab7514f37bbd8b7266e8192a4d7e07b56ba7d3807de7c00c7022faa6aec0d9dbfecb6703f09aa216bed03b966da086e6e9318fcaf25a282c75ff93b89238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0c19866ed372c0ad1493bc700a4f665

SHA1
8deff01b187d761334563e0faaad767bc26b9477

SHA256
92097d4c09a66ed6c057e968122d723605c4dd9cd39d7ea8c610fa5551c22d79

SHA512
02e077ff944e9489dc61a3e905546b1b2a66bc1b5a468c0322bcbc9e491d5cf7e9a7ab1729cf3ed0c9f3cb091ecaa63f6e4b35c138eb5110578405060a080548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9c35ddbdeb88ca3eb1378c5374e350f3

SHA1
ec62318d5f8a256d108e5a5bc27c86885272fd2d

SHA256
e36f1588e22b42a6751935c19c18b0bcdbe713dcaaefec9fd7c31a49f5e060ff

SHA512
ee268c35b735cdc1814bda03d92fa90a3c86924b25ff622b93cbd231291ebd6c7007fb0178ac8e2fe248c7bc41144fa49d3afeb1859b9daa1c544cbdf51ff677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
4a7f03a7ad1cae046d8ceac04256e5ae

SHA1
ef0bf767c91cba32b33c0b48f74f5eb153ae43d3

SHA256
e8aa3162f519e3670b0fc79dfbeeca68ea2b65a17900cf3aafc6a48de3296d60

SHA512
382a91848be121734bce9f533bcb4747e5f21db5b1ea5dfc8cc567005f5be0f1dcc73a55516b83feb931cdc90601ed4d36fb890687f08e1056ff98da2365f01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e9b566727cb5221bb493be205e71856d

SHA1
64a2d48396f349d219e592d4b1fef00ea8bf3e0a

SHA256
7749c060199c4a42ed0fb0dba84aeed8bef0c8b7c66ab3c75878baf18c52bb19

SHA512
78f64a34ef1851aaefed563460f208fcd14e3449699a4da8f7baef4c75894baccb9d37f3437ee11cd686cbed5503d8de95c8d93e6888801f6f07f97b67d4c638

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whxtwa2g.2tm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\controllloader.exe

Filesize
286KB

MD5
e41a0fa0c1e39af92d22090d4df61a1f

SHA1
c971a4089b1ab116c34b5ab0dc54d9977f86e834

SHA256
c0966533c2bc8c8b9ee176d774eae0ca1c4d6fe6e8efe5d87d4cac8c04b84372

SHA512
d42798fa9115f3c3775798a26ef7c28e4f173bdc2b74884b01a4e7905b17a2da09508766a626652eec3622a15a891b6859f4e9a422eb052a59b3fd3eafe1a7fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemload.exe

Filesize
130KB

MD5
352a162df9ca5605e1a1910c7a24cb7c

SHA1
4b4ed1c740a03c15eb47d875b65c76941debcaf7

SHA256
87e9d9a7a197a0cd483f8e73f307af53a7518cabc001257c8235743181b9a7b8

SHA512
0c2bae3f66748cc3448eaf60c5079ae3afba6d585e19e54857f7c152a1bd69c3b8e3df7feb413f3eb2df0f2bc01b44be5bcdefd5427af154a221f2b808a2399d

Download Submit
memory/1000-144-0x00007FFC3AC00000-0x00007FFC3B6C2000-memory.dmp

Filesize
10.8MB

Download
memory/1000-132-0x000001F69F200000-0x000001F69F210000-memory.dmp

Filesize
64KB

Download
memory/1000-199-0x000001F69F2C0000-0x000001F69F40F000-memory.dmp

Filesize
1.3MB

Download
memory/1516-82-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

Filesize
64KB

Download
memory/1516-157-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/1516-133-0x0000000070190000-0x00000000701DC000-memory.dmp

Filesize
304KB

Download
memory/1516-79-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/1516-81-0x0000000002BA0000-0x0000000002BB0000-memory.dmp

Filesize
64KB

Download
memory/1528-218-0x000002BEFEB50000-0x000002BEFEC9F000-memory.dmp

Filesize
1.3MB

Download
memory/2252-257-0x0000024176B80000-0x0000024176CCF000-memory.dmp

Filesize
1.3MB

Download
memory/3076-13-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/3076-8-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3076-63-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/3076-14-0x0000000004F70000-0x000000000500C000-memory.dmp

Filesize
624KB

Download
memory/3076-15-0x0000000004ED0000-0x0000000004F36000-memory.dmp

Filesize
408KB

Download
memory/3076-17-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/3144-29-0x0000000005B30000-0x0000000005B7C000-memory.dmp

Filesize
304KB

Download
memory/3144-155-0x000000007FB80000-0x000000007FB90000-memory.dmp

Filesize
64KB

Download
memory/3144-4-0x0000000000DE0000-0x0000000000E16000-memory.dmp

Filesize
216KB

Download
memory/3144-67-0x000000007FB80000-0x000000007FB90000-memory.dmp

Filesize
64KB

Download
memory/3144-68-0x00000000060A0000-0x00000000060D4000-memory.dmp

Filesize
208KB

Download
memory/3144-69-0x0000000070190000-0x00000000701DC000-memory.dmp

Filesize
304KB

Download
memory/3144-78-0x0000000006040000-0x000000000605E000-memory.dmp

Filesize
120KB

Download
memory/3144-6-0x0000000004E60000-0x000000000548A000-memory.dmp

Filesize
6.2MB

Download
memory/3144-80-0x0000000006D00000-0x0000000006DA4000-memory.dmp

Filesize
656KB

Download
memory/3144-7-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/3144-9-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/3144-91-0x0000000007430000-0x0000000007AAA000-memory.dmp

Filesize
6.5MB

Download
memory/3144-93-0x0000000006DB0000-0x0000000006DCA000-memory.dmp

Filesize
104KB

Download
memory/3144-5-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/3144-16-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

Filesize
136KB

Download
memory/3144-120-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/3144-104-0x0000000006E30000-0x0000000006E3A000-memory.dmp

Filesize
40KB

Download
memory/3144-105-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/3144-154-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/3144-106-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/3144-108-0x0000000007040000-0x00000000070D6000-memory.dmp

Filesize
600KB

Download
memory/3144-145-0x0000000007000000-0x0000000007015000-memory.dmp

Filesize
84KB

Download
memory/3144-112-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/3144-113-0x0000000006FC0000-0x0000000006FD1000-memory.dmp

Filesize
68KB

Download
memory/3144-18-0x0000000005500000-0x0000000005566000-memory.dmp

Filesize
408KB

Download
memory/3144-54-0x0000000004820000-0x0000000004830000-memory.dmp

Filesize
64KB

Download
memory/3144-131-0x0000000006FF0000-0x0000000006FFE000-memory.dmp

Filesize
56KB

Download
memory/3144-27-0x0000000005650000-0x00000000059A7000-memory.dmp

Filesize
3.3MB

Download
memory/3144-28-0x0000000005AF0000-0x0000000005B0E000-memory.dmp

Filesize
120KB

Download
memory/3408-94-0x000001AAFE4F0000-0x000001AAFE500000-memory.dmp

Filesize
64KB

Download
memory/3408-92-0x00007FFC3AC00000-0x00007FFC3B6C2000-memory.dmp

Filesize
10.8MB

Download
memory/3408-114-0x00007FFC3AC00000-0x00007FFC3B6C2000-memory.dmp

Filesize
10.8MB

Download
memory/3408-111-0x000001AAFE670000-0x000001AAFE7BF000-memory.dmp

Filesize
1.3MB

Download
memory/3408-107-0x000001AAFE4F0000-0x000001AAFE500000-memory.dmp

Filesize
64KB

Download
memory/3408-95-0x000001AAFE4A0000-0x000001AAFE4C2000-memory.dmp

Filesize
136KB

Download
memory/3712-238-0x000001EDC42F0000-0x000001EDC443F000-memory.dmp

Filesize
1.3MB

Download
memory/4052-65-0x0000026D07260000-0x0000026D07270000-memory.dmp

Filesize
64KB

Download
memory/4052-64-0x00007FFC3AC00000-0x00007FFC3B6C2000-memory.dmp

Filesize
10.8MB

Download
memory/4052-57-0x0000026D05420000-0x0000026D0546E000-memory.dmp

Filesize
312KB

Download
memory/4052-143-0x0000026D07260000-0x0000026D07270000-memory.dmp

Filesize
64KB

Download
memory/4052-142-0x00007FFC3AC00000-0x00007FFC3B6C2000-memory.dmp

Filesize
10.8MB

Download
memory/4736-233-0x0000020C74600000-0x0000020C7474F000-memory.dmp

Filesize
1.3MB

Download
memory/4756-156-0x000001C5B6770000-0x000001C5B6780000-memory.dmp

Filesize
64KB

Download
memory/4756-130-0x000001C5B6770000-0x000001C5B6780000-memory.dmp

Filesize
64KB

Download
memory/4756-162-0x000001C5B6830000-0x000001C5B697F000-memory.dmp

Filesize
1.3MB

Download
memory/4756-118-0x000001C5B6770000-0x000001C5B6780000-memory.dmp

Filesize
64KB

Download
memory/4756-117-0x000001C5B6770000-0x000001C5B6780000-memory.dmp

Filesize
64KB

Download
memory/4756-116-0x00007FFC3AC00000-0x00007FFC3B6C2000-memory.dmp

Filesize
10.8MB

Download
memory/4864-11-0x0000000004D30000-0x0000000004D40000-memory.dmp

Filesize
64KB

Download
memory/4864-12-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/4864-2-0x0000000005130000-0x00000000056D6000-memory.dmp

Filesize
5.6MB

Download
memory/4864-0-0x0000000000190000-0x00000000001CA000-memory.dmp

Filesize
232KB

Download
memory/4864-1-0x0000000074310000-0x0000000074AC1000-memory.dmp

Filesize
7.7MB

Download
memory/4956-59-0x0000000000190000-0x00000000001B6000-memory.dmp

Filesize
152KB

Download
memory/4956-62-0x00007FFC3AC00000-0x00007FFC3B6C2000-memory.dmp

Filesize
10.8MB

Download
memory/4956-119-0x00007FFC3AC00000-0x00007FFC3B6C2000-memory.dmp

Filesize
10.8MB

Download