umbral | a9e16fdb1ad53a73784a03803410b238e2de590eb1f7a1d6e4dfa0354ef99ca0

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-02-2024 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nursultan.exe
Size

231KB
MD5

0a40e097ff34f2786e6a1b1c2695db2d
SHA1

7701f374e627f5624ee7b792c777d2b59b41ac20
SHA256

a9e16fdb1ad53a73784a03803410b238e2de590eb1f7a1d6e4dfa0354ef99ca0
SHA512

3ed97fbbd49460b582c51059b7e96535a951820179e89492f16668d176c8bb33ebaf8f4e056e5e909fcda74167dfa71cd8f83db840b10fb084019ae675982c47
SSDEEP

6144:xloZMArIkd8g+EtXHkv/iD44gTVBPUonRWvRsY94Fb8e1mFrQi:DoZHL+EP84gTVBPUonRWvRsY9sOJ

Score

10^/10

umbral spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1212013600261279754/pS2kUk8X8HLTwlZ_TrdPXO-susrMQC81SOpxO7zVm1bHHQsqYw40zPb6UlXkaCeSSy_l

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/memory/3332-0-0x0000020BF22C0000-0x0000020BF2300000-memory.dmp	family_umbral
behavioral2/files/0x0008000000023215-82.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	nursultan.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6U1mh.scr
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6U1mh.scr
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6U1mh.scr

Executes dropped EXE 4 IoCs

pid	Process
3116	6U1mh.scr
4820	6U1mh.scr
4924	6U1mh.scr
3480	6U1mh.scr

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
69	discord.com
77	discord.com
78	discord.com
38	discord.com
39	discord.com
51	discord.com
55	discord.com
68	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	ip-api.com
63	ip-api.com
75	ip-api.com
35	ip-api.com

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1736	wmic.exe
2836	wmic.exe
4368	wmic.exe
3768	wmic.exe

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\ScreenSaveActive = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\ScreenSaveTimeOut = "900"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\PROGRA~3\\MICROS~1\\Windows\\STARTM~1\\Programs\\StartUp\\6U1mh.scr"	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1412	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	powershell.exe
2748	powershell.exe
3180	powershell.exe
4152	taskmgr.exe
4152	taskmgr.exe
3180	powershell.exe
4432	powershell.exe
4432	powershell.exe
4152	taskmgr.exe
4152	taskmgr.exe
2232	powershell.exe
4152	taskmgr.exe
2232	powershell.exe
2232	powershell.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
3400	powershell.exe
3400	powershell.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
952	powershell.exe
952	powershell.exe
952	powershell.exe
4152	taskmgr.exe
2380	powershell.exe
4152	taskmgr.exe
2380	powershell.exe
4152	taskmgr.exe
4152	taskmgr.exe
2616	powershell.exe
2616	powershell.exe
2616	powershell.exe
4152	taskmgr.exe
4152	taskmgr.exe
3548	powershell.exe
3548	powershell.exe
3548	powershell.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3332	nursultan.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	4152	taskmgr.exe
Token: SeSystemProfilePrivilege	4152	taskmgr.exe
Token: SeCreateGlobalPrivilege	4152	taskmgr.exe
Token: SeDebugPrivilege	4432	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeIncreaseQuotaPrivilege	1256	wmic.exe
Token: SeSecurityPrivilege	1256	wmic.exe
Token: SeTakeOwnershipPrivilege	1256	wmic.exe
Token: SeLoadDriverPrivilege	1256	wmic.exe
Token: SeSystemProfilePrivilege	1256	wmic.exe
Token: SeSystemtimePrivilege	1256	wmic.exe
Token: SeProfSingleProcessPrivilege	1256	wmic.exe
Token: SeIncBasePriorityPrivilege	1256	wmic.exe
Token: SeCreatePagefilePrivilege	1256	wmic.exe
Token: SeBackupPrivilege	1256	wmic.exe
Token: SeRestorePrivilege	1256	wmic.exe
Token: SeShutdownPrivilege	1256	wmic.exe
Token: SeDebugPrivilege	1256	wmic.exe
Token: SeSystemEnvironmentPrivilege	1256	wmic.exe
Token: SeRemoteShutdownPrivilege	1256	wmic.exe
Token: SeUndockPrivilege	1256	wmic.exe
Token: SeManageVolumePrivilege	1256	wmic.exe
Token: 33	1256	wmic.exe
Token: 34	1256	wmic.exe
Token: 35	1256	wmic.exe
Token: 36	1256	wmic.exe
Token: SeIncreaseQuotaPrivilege	1256	wmic.exe
Token: SeSecurityPrivilege	1256	wmic.exe
Token: SeTakeOwnershipPrivilege	1256	wmic.exe
Token: SeLoadDriverPrivilege	1256	wmic.exe
Token: SeSystemProfilePrivilege	1256	wmic.exe
Token: SeSystemtimePrivilege	1256	wmic.exe
Token: SeProfSingleProcessPrivilege	1256	wmic.exe
Token: SeIncBasePriorityPrivilege	1256	wmic.exe
Token: SeCreatePagefilePrivilege	1256	wmic.exe
Token: SeBackupPrivilege	1256	wmic.exe
Token: SeRestorePrivilege	1256	wmic.exe
Token: SeShutdownPrivilege	1256	wmic.exe
Token: SeDebugPrivilege	1256	wmic.exe
Token: SeSystemEnvironmentPrivilege	1256	wmic.exe
Token: SeRemoteShutdownPrivilege	1256	wmic.exe
Token: SeUndockPrivilege	1256	wmic.exe
Token: SeManageVolumePrivilege	1256	wmic.exe
Token: 33	1256	wmic.exe
Token: 34	1256	wmic.exe
Token: 35	1256	wmic.exe
Token: 36	1256	wmic.exe
Token: SeIncreaseQuotaPrivilege	4236	wmic.exe
Token: SeSecurityPrivilege	4236	wmic.exe
Token: SeTakeOwnershipPrivilege	4236	wmic.exe
Token: SeLoadDriverPrivilege	4236	wmic.exe
Token: SeSystemProfilePrivilege	4236	wmic.exe
Token: SeSystemtimePrivilege	4236	wmic.exe
Token: SeProfSingleProcessPrivilege	4236	wmic.exe
Token: SeIncBasePriorityPrivilege	4236	wmic.exe
Token: SeCreatePagefilePrivilege	4236	wmic.exe
Token: SeBackupPrivilege	4236	wmic.exe
Token: SeRestorePrivilege	4236	wmic.exe
Token: SeShutdownPrivilege	4236	wmic.exe
Token: SeDebugPrivilege	4236	wmic.exe
Token: SeSystemEnvironmentPrivilege	4236	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe
4152	taskmgr.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe
1316	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 2748	3332	nursultan.exe	89
PID 3332 wrote to memory of 2748	3332	nursultan.exe	89
PID 3332 wrote to memory of 3180	3332	nursultan.exe	91
PID 3332 wrote to memory of 3180	3332	nursultan.exe	91
PID 3332 wrote to memory of 4432	3332	nursultan.exe	94
PID 3332 wrote to memory of 4432	3332	nursultan.exe	94
PID 3332 wrote to memory of 2232	3332	nursultan.exe	99
PID 3332 wrote to memory of 2232	3332	nursultan.exe	99
PID 3332 wrote to memory of 1256	3332	nursultan.exe	100
PID 3332 wrote to memory of 1256	3332	nursultan.exe	100
PID 3332 wrote to memory of 4236	3332	nursultan.exe	103
PID 3332 wrote to memory of 4236	3332	nursultan.exe	103
PID 3332 wrote to memory of 4896	3332	nursultan.exe	105
PID 3332 wrote to memory of 4896	3332	nursultan.exe	105
PID 3332 wrote to memory of 3400	3332	nursultan.exe	107
PID 3332 wrote to memory of 3400	3332	nursultan.exe	107
PID 3332 wrote to memory of 1736	3332	nursultan.exe	109
PID 3332 wrote to memory of 1736	3332	nursultan.exe	109
PID 3116 wrote to memory of 952	3116	6U1mh.scr	114
PID 3116 wrote to memory of 952	3116	6U1mh.scr	114
PID 3116 wrote to memory of 2380	3116	6U1mh.scr	116
PID 3116 wrote to memory of 2380	3116	6U1mh.scr	116
PID 3116 wrote to memory of 2616	3116	6U1mh.scr	118
PID 3116 wrote to memory of 2616	3116	6U1mh.scr	118
PID 3116 wrote to memory of 3548	3116	6U1mh.scr	122
PID 3116 wrote to memory of 3548	3116	6U1mh.scr	122
PID 3116 wrote to memory of 2860	3116	6U1mh.scr	123
PID 3116 wrote to memory of 2860	3116	6U1mh.scr	123
PID 3116 wrote to memory of 2232	3116	6U1mh.scr	125
PID 3116 wrote to memory of 2232	3116	6U1mh.scr	125
PID 3116 wrote to memory of 2248	3116	6U1mh.scr	127
PID 3116 wrote to memory of 2248	3116	6U1mh.scr	127
PID 3116 wrote to memory of 4572	3116	6U1mh.scr	129
PID 3116 wrote to memory of 4572	3116	6U1mh.scr	129
PID 3116 wrote to memory of 2836	3116	6U1mh.scr	132
PID 3116 wrote to memory of 2836	3116	6U1mh.scr	132
PID 4820 wrote to memory of 4456	4820	6U1mh.scr	137
PID 4820 wrote to memory of 4456	4820	6U1mh.scr	137
PID 4820 wrote to memory of 4828	4820	6U1mh.scr	139
PID 4820 wrote to memory of 4828	4820	6U1mh.scr	139
PID 4820 wrote to memory of 4320	4820	6U1mh.scr	141
PID 4820 wrote to memory of 4320	4820	6U1mh.scr	141
PID 4820 wrote to memory of 228	4820	6U1mh.scr	143
PID 4820 wrote to memory of 228	4820	6U1mh.scr	143
PID 4820 wrote to memory of 4416	4820	6U1mh.scr	146
PID 4820 wrote to memory of 4416	4820	6U1mh.scr	146
PID 4820 wrote to memory of 4160	4820	6U1mh.scr	148
PID 4820 wrote to memory of 4160	4820	6U1mh.scr	148
PID 4820 wrote to memory of 1028	4820	6U1mh.scr	150
PID 4820 wrote to memory of 1028	4820	6U1mh.scr	150
PID 4820 wrote to memory of 1056	4820	6U1mh.scr	152
PID 4820 wrote to memory of 1056	4820	6U1mh.scr	152
PID 4820 wrote to memory of 4368	4820	6U1mh.scr	154
PID 4820 wrote to memory of 4368	4820	6U1mh.scr	154
PID 3332 wrote to memory of 3480	3332	rundll32.exe	157
PID 3332 wrote to memory of 3480	3332	rundll32.exe	157
PID 3480 wrote to memory of 4456	3480	6U1mh.scr	158
PID 3480 wrote to memory of 4456	3480	6U1mh.scr	158
PID 3480 wrote to memory of 4416	3480	6U1mh.scr	160
PID 3480 wrote to memory of 4416	3480	6U1mh.scr	160
PID 3480 wrote to memory of 4900	3480	6U1mh.scr	162
PID 3480 wrote to memory of 4900	3480	6U1mh.scr	162
PID 3480 wrote to memory of 380	3480	6U1mh.scr	164
PID 3480 wrote to memory of 380	3480	6U1mh.scr	164

C:\Users\Admin\AppData\Local\Temp\nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\nursultan.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nursultan.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1256
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4236
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3400
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1736

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4152

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3620

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3548
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:2860
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2232
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2836

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr" /S
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr'
  2⤵
  PID:4456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  PID:4828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:4320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  PID:228
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:4416
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:4160
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  PID:1056
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4368

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr" /S
1⤵
- Executes dropped EXE
PID:4924

C:\Windows\system32\rundll32.exe
"rundll32.exe" desk.cpl,InstallScreenSaver C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr
1⤵
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:3332
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr
  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr" /p 131996
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\6U1mh.scr'
    3⤵
    PID:4456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    PID:4416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:4900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:380
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:4672
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1796
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    PID:2540
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1316
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Temp\amc5F46.tmp
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\6U1mh.scr

Filesize
231KB

MD5
0a40e097ff34f2786e6a1b1c2695db2d

SHA1
7701f374e627f5624ee7b792c777d2b59b41ac20

SHA256
a9e16fdb1ad53a73784a03803410b238e2de590eb1f7a1d6e4dfa0354ef99ca0

SHA512
3ed97fbbd49460b582c51059b7e96535a951820179e89492f16668d176c8bb33ebaf8f4e056e5e909fcda74167dfa71cd8f83db840b10fb084019ae675982c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6U1mh.scr.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
fb63d07f74657804e61be207a6f04178

SHA1
341c0991ee3125eb4f3db691d3c412408c570c69

SHA256
ab3a7d578f02ebb41e9e608cd12990aa82075f5676c768ccbd1ccce1ce90b266

SHA512
03ec335b47e6d23ad2c086c82074b522e8a0b087edc7aa405715d080e204902a22772e0e2e08a899b1c9699fa1c07eb149a78a09cf9715057b33aeba8d718e6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
7d938922c60b82c232e1dc1d2cb172d6

SHA1
8c5546fbca478815e77f5dff30fe00e5e5fd6a9a

SHA256
463e9ebf5171ef9ead61019e5fa863ecd958d4390e88079394a98c050ad32a1f

SHA512
479ac4d43bcaea8059ff4ae9023e35f81e2d04eba16b3bec76c1b198891b2b8ea27a03e3862ca73dbe2e98dae5538b007df8418f10c2e3f52c93bcbbae10f105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e61e221a11f1a35464e63ab429db0144

SHA1
f52f48212b48e9d2a237a23c413c9b3b31c77905

SHA256
4f3011257696fdfbadc6e834da1a3441e9d4053609c0c647c8a0818ba7bbe92d

SHA512
01ab9316ad9dc111d2dff777e723ffcc2b7ffbba9416cb385d13cd9c924e449296adf588e54490891ba8861fb13ba41b6fa604c6f4161cdf445ac53213c01657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a65dc2b9f28d43ccefe3773ba13c3851

SHA1
dc6fb5c844962eec7045cb61f0d3b45e602108e7

SHA256
5349cc697b469057ddb40bdb297e300ae5e91be386abcdf25e0c3970feb66203

SHA512
3535c53069c4d64ad58934a76913fb78174041136872a727e77d3b8eca95924d63340df41f4e1ff211d36dc18c9f531998975c382cb43f5f557b08319ac2eab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a5a4806ee0a145fbd6e2b6e773ee4b80

SHA1
3443d171833ad32de1752aa9e1c71f283bc2f1f4

SHA256
4b1cc2ac2db231830dd27e529226cad538f22ae8c355880442cc6d7a4732dbbb

SHA512
e93e715ba9e51f72e4bfbc22504208f1d98882643c0b9ec37fc330c2e2e2212cc61fd76ab5c41ea04b052fff5ed484858148127c3089bb1cdc5f53c88db8e31e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ef860415e8d7a10c2c30c2ce473d21f5

SHA1
24adce9cffab4cd4363be481830ecd416937eb52

SHA256
cbd3865d4ba0c425bddd12835183692781aaaed246a0dfd16b7125cc35d2c654

SHA512
8229badc0ca56a9a6f346c92d4a4e9f2ea2ca6bd2ae8a8ddf6b63b058501a255bbd3ebd12a875c7e1d945ea3a829d42f880dfe50b81b285251a11e869813f4e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5900af588d93496ffd44de49e755456d

SHA1
9b619c9c2b78ff291b0adff4a75370cf92710da6

SHA256
318beaed1b99580f905667540615117c83bfd2f1dddf6595edd6699b37f88e1c

SHA512
b4704148d33c9f179877454b5b6d84377ac6a2fdfa8fd5fb39edb03390818fb6ff0c367a1d864d788de7e85a628bf34c438484ae40a9c0d731e96abf57d3a95b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c65738617888921a153bd9b1ef516ee7

SHA1
5245e71ea3c181d76320c857b639272ac9e079b1

SHA256
4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

SHA512
2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9420bfd4fbb5aeaedf8efb6bea84aed

SHA1
a15439ff97303be943723e25dd0539f5dff3776b

SHA256
3b48aadf485fb4c8f211ae59d90b48e1e412133448fcd1fac7aefbd9d82a4f36

SHA512
d3ed934070eefafb398b83201d5503e601cd4dd7d95a5077c88164fe9bf8d1aa52896c3d552708fbeac4e05ab7057e3102884f30a6fa13b062055c5a967d38c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
04dba2e0763acb9b83dcb94ca0f4c2bd

SHA1
626394aea6be984d4817a88a591fea246bf4a362

SHA256
6590267fae391a722c4b8c759c88d9e694daac163148aad7e69faebe045b75e5

SHA512
1f0dff8f0a7d51ba949d994a6194eeb6d376da60769c0ea99d13c39242327a6bb5d4241b890ff0d29b17e39243b4ba1d9aa00ca952c54bbf13ea2abd95d1eb12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0ec6bf376a6b15852bce768196c5ed0

SHA1
05fe4e592ebbb7e29f36b8d30a6a90ba29bd4f81

SHA256
2d4a39cbbd597a7cfff477817c3c7c541c14974c8d234b4c0de6d229e3a3ce97

SHA512
dc0c7d3d127c88affea9ae402d7358c079cfa7fc3ecb417085e31dc749da1406e72563bfbe42167fdad57e10aa0c6cca7a8ba06921b3a1212ad7ccee1a0f859b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
c69ddacf1056fd15b92e8e96f8126667

SHA1
343c70571094d747d11f81e18d718c67b85de0ef

SHA256
f945ed761adc569e2e4001da5147ea22d0734dbcdc0060330a9b65f9331d51f8

SHA512
e62bda93081171b542bdbf462c6b8167bc2cff7d19a8114be6465ef0c3015f41b89f63437e7d541c31bec07235a8fa58065cddd1aea85059723cd3113cf4ef47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
856ccb770309b129c94de297ae7816fc

SHA1
a7579090897282ff6c4083c2b5edef623ceae17b

SHA256
6fd66bb8d38cdbf2f73a0bd80ee51ba226fb676f0c4d15b15b84fc3a170bfc6d

SHA512
036113f95d0e6c523698ec640a900905c63e92acad24b25cb3cb0a1677872d0ba170d581be00268b11fe78b9508a28d48e7947ff50573b0540de9ab15b79b354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.theme

Filesize
1KB

MD5
64c6204bc14a9044de5cdafa94ef6f4a

SHA1
c5ae24c4f81fc84cf76826ac83c9fae376273dcd

SHA256
6cb342f28d6736d224b048661d1ff5f95de2d31d2bb8a96ff64891d30b232fc4

SHA512
4a4cdcd58d8cca4302619c33d80d986faf402cc6555599cfcb37c8c19ea8fe9db465d2aa80b6bee5e3d5031bc8199356dfb25cd51c084994593d1d63ff1646c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\94fNYbWxweEtQGI

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\VmrnmahyvX0OQaV

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_notcj0ie.mva.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\rT2D0Zr0tRnsQuh

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\wy0lZWdO6DOh78b

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/952-128-0x0000014A60150000-0x0000014A60160000-memory.dmp

Filesize
64KB

Download
memory/952-142-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/952-139-0x0000014A60150000-0x0000014A60160000-memory.dmp

Filesize
64KB

Download
memory/952-140-0x0000014A60150000-0x0000014A60160000-memory.dmp

Filesize
64KB

Download
memory/952-127-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/2232-99-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/2232-97-0x000001D726190000-0x000001D7261A0000-memory.dmp

Filesize
64KB

Download
memory/2232-86-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/2380-155-0x00000260EC3A0000-0x00000260EC3B0000-memory.dmp

Filesize
64KB

Download
memory/2380-143-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/2380-157-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/2616-160-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/2616-161-0x000002AA45BB0000-0x000002AA45BC0000-memory.dmp

Filesize
64KB

Download
memory/2616-162-0x000002AA45BB0000-0x000002AA45BC0000-memory.dmp

Filesize
64KB

Download
memory/2616-186-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/2748-13-0x00000226C1FF0000-0x00000226C2012000-memory.dmp

Filesize
136KB

Download
memory/2748-15-0x00000226C1700000-0x00000226C1710000-memory.dmp

Filesize
64KB

Download
memory/2748-16-0x00000226C1700000-0x00000226C1710000-memory.dmp

Filesize
64KB

Download
memory/2748-3-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/2748-19-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/2748-14-0x00000226C1700000-0x00000226C1710000-memory.dmp

Filesize
64KB

Download
memory/3116-224-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3116-154-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3116-126-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3180-22-0x000001E5A3180000-0x000001E5A3190000-memory.dmp

Filesize
64KB

Download
memory/3180-23-0x000001E5A3180000-0x000001E5A3190000-memory.dmp

Filesize
64KB

Download
memory/3180-36-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3180-34-0x000001E5A3180000-0x000001E5A3190000-memory.dmp

Filesize
64KB

Download
memory/3180-21-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3332-41-0x0000020BF49D0000-0x0000020BF49EE000-memory.dmp

Filesize
120KB

Download
memory/3332-102-0x0000020BF4AC0000-0x0000020BF4AD2000-memory.dmp

Filesize
72KB

Download
memory/3332-65-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3332-85-0x0000020BF3F00000-0x0000020BF3F10000-memory.dmp

Filesize
64KB

Download
memory/3332-101-0x0000020BF4990000-0x0000020BF499A000-memory.dmp

Filesize
40KB

Download
memory/3332-0-0x0000020BF22C0000-0x0000020BF2300000-memory.dmp

Filesize
256KB

Download
memory/3332-1-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3332-124-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3332-39-0x0000020BF49F0000-0x0000020BF4A66000-memory.dmp

Filesize
472KB

Download
memory/3332-40-0x0000020BF4A70000-0x0000020BF4AC0000-memory.dmp

Filesize
320KB

Download
memory/3332-2-0x0000020BF3F00000-0x0000020BF3F10000-memory.dmp

Filesize
64KB

Download
memory/3400-116-0x000001E7EB980000-0x000001E7EB990000-memory.dmp

Filesize
64KB

Download
memory/3400-115-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3400-117-0x000001E7EB980000-0x000001E7EB990000-memory.dmp

Filesize
64KB

Download
memory/3400-119-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3548-202-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3548-196-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/3548-198-0x000002092D330000-0x000002092D340000-memory.dmp

Filesize
64KB

Download
memory/3548-200-0x000002092D330000-0x000002092D340000-memory.dmp

Filesize
64KB

Download
memory/3548-197-0x000002092D330000-0x000002092D340000-memory.dmp

Filesize
64KB

Download
memory/4152-43-0x0000019772FE0000-0x0000019772FE1000-memory.dmp

Filesize
4KB

Download
memory/4152-44-0x0000019772FE0000-0x0000019772FE1000-memory.dmp

Filesize
4KB

Download
memory/4152-70-0x0000019772FE0000-0x0000019772FE1000-memory.dmp

Filesize
4KB

Download
memory/4152-42-0x0000019772FE0000-0x0000019772FE1000-memory.dmp

Filesize
4KB

Download
memory/4152-57-0x0000019772FE0000-0x0000019772FE1000-memory.dmp

Filesize
4KB

Download
memory/4152-64-0x0000019772FE0000-0x0000019772FE1000-memory.dmp

Filesize
4KB

Download
memory/4152-69-0x0000019772FE0000-0x0000019772FE1000-memory.dmp

Filesize
4KB

Download
memory/4152-68-0x0000019772FE0000-0x0000019772FE1000-memory.dmp

Filesize
4KB

Download
memory/4152-66-0x0000019772FE0000-0x0000019772FE1000-memory.dmp

Filesize
4KB

Download
memory/4152-54-0x0000019772FE0000-0x0000019772FE1000-memory.dmp

Filesize
4KB

Download
memory/4432-84-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/4432-81-0x0000015362E80000-0x0000015362E90000-memory.dmp

Filesize
64KB

Download
memory/4432-52-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/4432-67-0x0000015362E80000-0x0000015362E90000-memory.dmp

Filesize
64KB

Download
memory/4432-56-0x0000015362E80000-0x0000015362E90000-memory.dmp

Filesize
64KB

Download
memory/4456-238-0x00007FFEEE530000-0x00007FFEEEFF1000-memory.dmp

Filesize
10.8MB

Download
memory/4456-239-0x0000021899B70000-0x0000021899B80000-memory.dmp

Filesize
64KB

Download
memory/4456-240-0x0000021899B70000-0x0000021899B80000-memory.dmp

Filesize
64KB

Download
memory/4456-243-0x00007FFEEE530000-0x00007FFEEEFF1000-memory.dmp

Filesize
10.8MB

Download
memory/4572-219-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/4572-217-0x0000027CB96B0000-0x0000027CB96C0000-memory.dmp

Filesize
64KB

Download
memory/4572-215-0x00007FFEEED70000-0x00007FFEEF831000-memory.dmp

Filesize
10.8MB

Download
memory/4820-228-0x000002AB4A970000-0x000002AB4A980000-memory.dmp

Filesize
64KB

Download
memory/4820-227-0x00007FFEEE530000-0x00007FFEEEFF1000-memory.dmp

Filesize
10.8MB

Download
memory/4828-244-0x00007FFEEE530000-0x00007FFEEEFF1000-memory.dmp

Filesize
10.8MB

Download