umbral | de88a6957905b06ffa24d512b148dd6fee45df029c676f1b0755fe0fa73ea871

Analysis

max time kernel
1198s
max time network
1201s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WexSide.exe
Size

2.2MB
MD5

185d2eb442c0f2c465ff5fc759621de6
SHA1

fceed286074f22e85287570ffa735d5874c8a139
SHA256

de88a6957905b06ffa24d512b148dd6fee45df029c676f1b0755fe0fa73ea871
SHA512

b9b25092fea71f573ca8c42beb376e53d0b9b68bc208990ba726b9c7c935ee243b78cd5fb84ce854445abba9d54b2e59c04ead03f1f5eec28286f2501e85bdeb
SSDEEP

49152:RFUvKLlr9rxyRciFlXKUusoNSAHWlCcHANKMY2Xj:RavGlrJxyRc2XKdSA2hnMY2Xj

Score

10^/10

umbral execution persistence spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe	family_umbral
behavioral1/memory/1528-33-0x000002A6C9BE0000-0x000002A6C9C20000-memory.dmp	family_umbral

Modifies WinLogon for persistence 2 TTPs 7 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Updater.exeSlasherTeam.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\uk-UA\\services.exe\", \"C:\\Recovery\\WindowsRE\\Minecraft 1.16.5.exe\""	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\uk-UA\\services.exe\", \"C:\\Recovery\\WindowsRE\\Minecraft 1.16.5.exe\", \"C:\\Users\\Default\\Desktop\\csrss.exe\""	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\uk-UA\\services.exe\", \"C:\\Recovery\\WindowsRE\\Minecraft 1.16.5.exe\", \"C:\\Users\\Default\\Desktop\\csrss.exe\", \"C:\\Users\\Admin\\Music\\Minecraft 1.16.5.exe\""	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\uk-UA\\services.exe\", \"C:\\Recovery\\WindowsRE\\Minecraft 1.16.5.exe\", \"C:\\Users\\Default\\Desktop\\csrss.exe\", \"C:\\Users\\Admin\\Music\\Minecraft 1.16.5.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\uk-UA\\services.exe\", \"C:\\Recovery\\WindowsRE\\Minecraft 1.16.5.exe\", \"C:\\Users\\Default\\Desktop\\csrss.exe\", \"C:\\Users\\Admin\\Music\\Minecraft 1.16.5.exe\", \"C:\\Recovery\\WindowsRE\\TextInputHost.exe\", \"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\""	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\Notepad++ Upgrade.exe"	SlasherTeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\uk-UA\\services.exe\""	Updater.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4352	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4484	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3340	4516	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	4516	schtasks.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3264 powershell.exe
1836 powershell.exe
1536 powershell.exe
4852 powershell.exe
1608 powershell.exe
764 powershell.exe
4952 powershell.exe
Drops file in Drivers directory 1 IoCs

Processes:

Minecraft 1.16.5.exe

description ioc process

File opened for modification C:\Windows\System32\drivers\etc\hosts Minecraft 1.16.5.exe

pid	process
3264	powershell.exe
1836	powershell.exe
1536	powershell.exe
4852	powershell.exe
1608	powershell.exe
764	powershell.exe
4952	powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Minecraft 1.16.5.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeUpdater.exeWexSide.exeDCRatBuild.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Updater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WexSide.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	DCRatBuild.exe

Executes dropped EXE 14 IoCs

Processes:

DCRatBuild.exeSlasherTeam.exeMinecraft 1.16.5.exeUpdater.execsrss.execsrss.exeTextInputHost.execsrss.exeMinecraft 1.16.5.exeUpdater.exeTextInputHost.exeservices.execsrss.execsrss.exe

pid	process
1400	DCRatBuild.exe
4748	SlasherTeam.exe
1528	Minecraft 1.16.5.exe
2900	Updater.exe
856	csrss.exe
844	csrss.exe
1572	TextInputHost.exe
4012	csrss.exe
4504	Minecraft 1.16.5.exe
1736	Updater.exe
2408	TextInputHost.exe
1956	services.exe
976	csrss.exe
1540	csrss.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Updater.exeSlasherTeam.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Desktop\\csrss.exe\""	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Minecraft 1.16.5 = "\"C:\\Users\\Admin\\Music\\Minecraft 1.16.5.exe\""	Updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pisya = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\Audacity Upgrade.exe"	SlasherTeam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\uk-UA\\services.exe\""	Updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Minecraft 1.16.5 = "\"C:\\Recovery\\WindowsRE\\Minecraft 1.16.5.exe\""	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Minecraft 1.16.5 = "\"C:\\Recovery\\WindowsRE\\Minecraft 1.16.5.exe\""	Updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Minecraft 1.16.5 = "\"C:\\Users\\Admin\\Music\\Minecraft 1.16.5.exe\""	Updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	Updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\""	Updater.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Windows\\uk-UA\\services.exe\""	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Discord\\Updater.exe\""	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default\\Desktop\\csrss.exe\""	Updater.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Recovery\\WindowsRE\\TextInputHost.exe\""	Updater.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

13 discord.com
14 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

11 ip-api.com

flow	ioc
13	discord.com
14	discord.com

flow	ioc
11	ip-api.com

Drops file in System32 directory 2 IoCs

Processes:

csc.exe

description	ioc	process
File created	\??\c:\Windows\System32\CSC1C225ED9DA3A4C9DB29C779A51F4893B.TMP	csc.exe
File created	\??\c:\Windows\System32\rpvymf.exe	csc.exe

Drops file in Windows directory 2 IoCs

Processes:

Updater.exe

description ioc process

File created C:\Windows\uk-UA\services.exe Updater.exe
File created C:\Windows\uk-UA\c5b4cb5e9653cc Updater.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\uk-UA\services.exe	Updater.exe
File created	C:\Windows\uk-UA\c5b4cb5e9653cc	Updater.exe

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

pid	process
2152	schtasks.exe
5012	schtasks.exe
1504	schtasks.exe
4352	schtasks.exe
464	schtasks.exe
1572	schtasks.exe
4808	schtasks.exe
3340	schtasks.exe
2764	schtasks.exe
672	schtasks.exe
2976	schtasks.exe
3668	schtasks.exe
1456	schtasks.exe
4484	schtasks.exe
1584	schtasks.exe
1440	schtasks.exe
3052	schtasks.exe
2004	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

3664 wmic.exe

pid	process
3664	wmic.exe

Modifies registry class 2 IoCs

Processes:

DCRatBuild.exeUpdater.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	Updater.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

432 PING.EXE

pid	process
432	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeUpdater.exe

pid	process
1836	powershell.exe
1836	powershell.exe
4696	powershell.exe
4696	powershell.exe
1112	powershell.exe
1112	powershell.exe
2172	powershell.exe
2172	powershell.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe
2900	Updater.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

csrss.exe

pid process

856 csrss.exe

pid	process
856	csrss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SlasherTeam.exeMinecraft 1.16.5.exepowershell.exepowershell.exepowershell.exeUpdater.exepowershell.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	4748	SlasherTeam.exe
Token: SeDebugPrivilege	1528	Minecraft 1.16.5.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	2900	Updater.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeIncreaseQuotaPrivilege	4456	wmic.exe
Token: SeSecurityPrivilege	4456	wmic.exe
Token: SeTakeOwnershipPrivilege	4456	wmic.exe
Token: SeLoadDriverPrivilege	4456	wmic.exe
Token: SeSystemProfilePrivilege	4456	wmic.exe
Token: SeSystemtimePrivilege	4456	wmic.exe
Token: SeProfSingleProcessPrivilege	4456	wmic.exe
Token: SeIncBasePriorityPrivilege	4456	wmic.exe
Token: SeCreatePagefilePrivilege	4456	wmic.exe
Token: SeBackupPrivilege	4456	wmic.exe
Token: SeRestorePrivilege	4456	wmic.exe
Token: SeShutdownPrivilege	4456	wmic.exe
Token: SeDebugPrivilege	4456	wmic.exe
Token: SeSystemEnvironmentPrivilege	4456	wmic.exe
Token: SeRemoteShutdownPrivilege	4456	wmic.exe
Token: SeUndockPrivilege	4456	wmic.exe
Token: SeManageVolumePrivilege	4456	wmic.exe
Token: 33	4456	wmic.exe
Token: 34	4456	wmic.exe
Token: 35	4456	wmic.exe
Token: 36	4456	wmic.exe
Token: SeIncreaseQuotaPrivilege	4456	wmic.exe
Token: SeSecurityPrivilege	4456	wmic.exe
Token: SeTakeOwnershipPrivilege	4456	wmic.exe
Token: SeLoadDriverPrivilege	4456	wmic.exe
Token: SeSystemProfilePrivilege	4456	wmic.exe
Token: SeSystemtimePrivilege	4456	wmic.exe
Token: SeProfSingleProcessPrivilege	4456	wmic.exe
Token: SeIncBasePriorityPrivilege	4456	wmic.exe
Token: SeCreatePagefilePrivilege	4456	wmic.exe
Token: SeBackupPrivilege	4456	wmic.exe
Token: SeRestorePrivilege	4456	wmic.exe
Token: SeShutdownPrivilege	4456	wmic.exe
Token: SeDebugPrivilege	4456	wmic.exe
Token: SeSystemEnvironmentPrivilege	4456	wmic.exe
Token: SeRemoteShutdownPrivilege	4456	wmic.exe
Token: SeUndockPrivilege	4456	wmic.exe
Token: SeManageVolumePrivilege	4456	wmic.exe
Token: 33	4456	wmic.exe
Token: 34	4456	wmic.exe
Token: 35	4456	wmic.exe
Token: 36	4456	wmic.exe
Token: SeIncreaseQuotaPrivilege	3032	wmic.exe
Token: SeSecurityPrivilege	3032	wmic.exe
Token: SeTakeOwnershipPrivilege	3032	wmic.exe
Token: SeLoadDriverPrivilege	3032	wmic.exe
Token: SeSystemProfilePrivilege	3032	wmic.exe
Token: SeSystemtimePrivilege	3032	wmic.exe
Token: SeProfSingleProcessPrivilege	3032	wmic.exe
Token: SeIncBasePriorityPrivilege	3032	wmic.exe
Token: SeCreatePagefilePrivilege	3032	wmic.exe
Token: SeBackupPrivilege	3032	wmic.exe
Token: SeRestorePrivilege	3032	wmic.exe
Token: SeShutdownPrivilege	3032	wmic.exe
Token: SeDebugPrivilege	3032	wmic.exe
Token: SeSystemEnvironmentPrivilege	3032	wmic.exe
Token: SeRemoteShutdownPrivilege	3032	wmic.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

WexSide.exeDCRatBuild.exeMinecraft 1.16.5.exeWScript.execmd.exeUpdater.execsc.execmd.execmd.exe

description	pid	process	target process
PID 2676 wrote to memory of 1400	2676	WexSide.exe	DCRatBuild.exe
PID 2676 wrote to memory of 1400	2676	WexSide.exe	DCRatBuild.exe
PID 2676 wrote to memory of 1400	2676	WexSide.exe	DCRatBuild.exe
PID 2676 wrote to memory of 4748	2676	WexSide.exe	SlasherTeam.exe
PID 2676 wrote to memory of 4748	2676	WexSide.exe	SlasherTeam.exe
PID 2676 wrote to memory of 1528	2676	WexSide.exe	Minecraft 1.16.5.exe
PID 2676 wrote to memory of 1528	2676	WexSide.exe	Minecraft 1.16.5.exe
PID 1400 wrote to memory of 1148	1400	DCRatBuild.exe	WScript.exe
PID 1400 wrote to memory of 1148	1400	DCRatBuild.exe	WScript.exe
PID 1400 wrote to memory of 1148	1400	DCRatBuild.exe	WScript.exe
PID 1528 wrote to memory of 3484	1528	Minecraft 1.16.5.exe	attrib.exe
PID 1528 wrote to memory of 3484	1528	Minecraft 1.16.5.exe	attrib.exe
PID 1528 wrote to memory of 1836	1528	Minecraft 1.16.5.exe	powershell.exe
PID 1528 wrote to memory of 1836	1528	Minecraft 1.16.5.exe	powershell.exe
PID 1528 wrote to memory of 4696	1528	Minecraft 1.16.5.exe	powershell.exe
PID 1528 wrote to memory of 4696	1528	Minecraft 1.16.5.exe	powershell.exe
PID 1528 wrote to memory of 1112	1528	Minecraft 1.16.5.exe	powershell.exe
PID 1528 wrote to memory of 1112	1528	Minecraft 1.16.5.exe	powershell.exe
PID 1148 wrote to memory of 2376	1148	WScript.exe	cmd.exe
PID 1148 wrote to memory of 2376	1148	WScript.exe	cmd.exe
PID 1148 wrote to memory of 2376	1148	WScript.exe	cmd.exe
PID 2376 wrote to memory of 2900	2376	cmd.exe	Updater.exe
PID 2376 wrote to memory of 2900	2376	cmd.exe	Updater.exe
PID 1528 wrote to memory of 2172	1528	Minecraft 1.16.5.exe	powershell.exe
PID 1528 wrote to memory of 2172	1528	Minecraft 1.16.5.exe	powershell.exe
PID 1528 wrote to memory of 4456	1528	Minecraft 1.16.5.exe	wmic.exe
PID 1528 wrote to memory of 4456	1528	Minecraft 1.16.5.exe	wmic.exe
PID 1528 wrote to memory of 3032	1528	Minecraft 1.16.5.exe	wmic.exe
PID 1528 wrote to memory of 3032	1528	Minecraft 1.16.5.exe	wmic.exe
PID 2900 wrote to memory of 3572	2900	Updater.exe	csc.exe
PID 2900 wrote to memory of 3572	2900	Updater.exe	csc.exe
PID 1528 wrote to memory of 1852	1528	Minecraft 1.16.5.exe	wmic.exe
PID 1528 wrote to memory of 1852	1528	Minecraft 1.16.5.exe	wmic.exe
PID 3572 wrote to memory of 2016	3572	csc.exe	cvtres.exe
PID 3572 wrote to memory of 2016	3572	csc.exe	cvtres.exe
PID 1528 wrote to memory of 3724	1528	Minecraft 1.16.5.exe	powershell.exe
PID 1528 wrote to memory of 3724	1528	Minecraft 1.16.5.exe	powershell.exe
PID 1528 wrote to memory of 3664	1528	Minecraft 1.16.5.exe	wmic.exe
PID 1528 wrote to memory of 3664	1528	Minecraft 1.16.5.exe	wmic.exe
PID 2900 wrote to memory of 3264	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 3264	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 4952	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 4952	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 764	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 764	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 1536	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 1536	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 1608	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 1608	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 4852	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 4852	2900	Updater.exe	powershell.exe
PID 2900 wrote to memory of 640	2900	Updater.exe	cmd.exe
PID 2900 wrote to memory of 640	2900	Updater.exe	cmd.exe
PID 640 wrote to memory of 1780	640	cmd.exe	chcp.com
PID 640 wrote to memory of 1780	640	cmd.exe	chcp.com
PID 1528 wrote to memory of 1544	1528	Minecraft 1.16.5.exe	cmd.exe
PID 1528 wrote to memory of 1544	1528	Minecraft 1.16.5.exe	cmd.exe
PID 1544 wrote to memory of 432	1544	cmd.exe	PING.EXE
PID 1544 wrote to memory of 432	1544	cmd.exe	PING.EXE
PID 640 wrote to memory of 1644	640	cmd.exe	w32tm.exe
PID 640 wrote to memory of 1644	640	cmd.exe	w32tm.exe
PID 640 wrote to memory of 856	640	cmd.exe	csrss.exe
PID 640 wrote to memory of 856	640	cmd.exe	csrss.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3484 attrib.exe

pid	process
3484	attrib.exe

C:\Users\Admin\AppData\Local\Temp\WexSide.exe
"C:\Users\Admin\AppData\Local\Temp\WexSide.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Discord\T1NFhHkgq1TxEudZp4T5tcPMCxBHzViymHwuXZcM1.vbe"
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Discord\UBpnz6SmdVDq0k17g6u44x.bat" "
4⤵
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Roaming\Discord\Updater.exe
"C:\Users\Admin\AppData\Roaming\Discord/Updater.exe"
5⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jxkw5yfh\jxkw5yfh.cmdline"
6⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DBB.tmp" "c:\Windows\System32\CSC1C225ED9DA3A4C9DB29C779A51F4893B.TMP"
7⤵
PID:2016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\uk-UA\services.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:3264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Minecraft 1.16.5.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:4952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\csrss.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\Minecraft 1.16.5.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'
6⤵
- Command and Scripting Interpreter: PowerShell
PID:4852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XGZIn2L2aI.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\system32\chcp.com
chcp 65001
7⤵
PID:1780

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:1644

C:\Users\Default\Desktop\csrss.exe
"C:\Users\Default\Desktop\csrss.exe"
7⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:856

C:\Users\Admin\AppData\Local\Temp\SlasherTeam.exe
"C:\Users\Admin\AppData\Local\Temp\SlasherTeam.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe"
3⤵
- Views/modifies file attributes
PID:3484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
3⤵
PID:1852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
3⤵
PID:3724

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
3⤵
- Detects videocard installed
PID:3664

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe" && pause
3⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\system32\PING.EXE
ping localhost
4⤵
- Runs ping.exe
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\uk-UA\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\uk-UA\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\uk-UA\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Minecraft 1.16.5M" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\Minecraft 1.16.5.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Minecraft 1.16.5" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Minecraft 1.16.5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Minecraft 1.16.5M" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Minecraft 1.16.5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Minecraft 1.16.5M" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Music\Minecraft 1.16.5.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Minecraft 1.16.5" /sc ONLOGON /tr "'C:\Users\Admin\Music\Minecraft 1.16.5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Minecraft 1.16.5M" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Music\Minecraft 1.16.5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UpdaterU" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Updater" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UpdaterU" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Roaming\Discord\Updater.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1504

C:\Users\Default\Desktop\csrss.exe
C:\Users\Default\Desktop\csrss.exe
1⤵
- Executes dropped EXE
PID:844

C:\Recovery\WindowsRE\TextInputHost.exe
C:\Recovery\WindowsRE\TextInputHost.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Users\Default\Desktop\csrss.exe
C:\Users\Default\Desktop\csrss.exe
1⤵
- Executes dropped EXE
PID:4012

C:\Users\Admin\Music\Minecraft 1.16.5.exe
"C:\Users\Admin\Music\Minecraft 1.16.5.exe"
1⤵
- Executes dropped EXE
PID:4504

C:\Users\Admin\AppData\Roaming\Discord\Updater.exe
C:\Users\Admin\AppData\Roaming\Discord\Updater.exe
1⤵
- Executes dropped EXE
PID:1736

C:\Recovery\WindowsRE\TextInputHost.exe
C:\Recovery\WindowsRE\TextInputHost.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\uk-UA\services.exe
C:\Windows\uk-UA\services.exe
1⤵
- Executes dropped EXE
PID:1956

C:\Users\Default\Desktop\csrss.exe
C:\Users\Default\Desktop\csrss.exe
1⤵
- Executes dropped EXE
PID:976

C:\Users\Default\Desktop\csrss.exe
C:\Users\Default\Desktop\csrss.exe
1⤵
- Executes dropped EXE
PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Minecraft 1.16.5.exe.log
Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Updater.exe.log
Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log
Filesize
847B

MD5
66a0a4aa01208ed3d53a5e131a8d030a

SHA1
ef5312ba2b46b51a4d04b574ca1789ac4ff4a6b1

SHA256
f0ab05c32d6af3c2b559dbce4dec025ce3e730655a2430ade520e89a557cace8

SHA512
626f0dcf0c6bcdc0fef25dc7da058003cf929fd9a39a9f447b79fb139a417532a46f8bca1ff2dbde09abfcd70f5fb4f8d059b1fe91977c377df2f5f751c84c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6317adf4fbc43ea2fd68861fafd57155

SHA1
6b87c718893c83c6eed2767e8d9cbc6443e31913

SHA256
c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af

SHA512
17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
ccf1b703c8f1f34a2faf84a676e0ef0c

SHA1
46dc045aa7dcf8938c0352d4125e796d38c4b7a3

SHA256
789e5eaacf5284c772fd75aab4c445eadff4816410167eea41a185ffe35b36fa

SHA512
c53f8516e7e65f86a0cba52ba2a7aa5c9e0bee4285b6cae525a0c1202d04f779a20225a6b8f8e674daf1ab9b4b225b3ebb7cda7588b3ab062761b136eb86b24a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
Filesize
2.2MB

MD5
424fb02d5e64b46db32c3970cae51b35

SHA1
24cb282a912b26a5d605189076ee0e22c80e6d3f

SHA256
555dc214108341bccff301af88c3286113e18f510a80a1ed9a20adae4215d853

SHA512
7e44cda35bb881182ff43b679fa352991cd2840e20f7f3457ad378e0e8b772eb63854f482fc114bea50474ea717cf2cb09e8eec680194f355671716ccaa2cd9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DHE28udMjE
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minecraft 1.16.5.exe
Filesize
229KB

MD5
a0ba434ae59097bb0d4c6df6ffd3003e

SHA1
b0f6b8a506e550725279a1bbbe7e1e958adf2497

SHA256
5c0e1e217dca21b2dc349419a3bedc19377348cc49a43558806c95e87c46a0fd

SHA512
b496cfaae090f799e80cdfff7a745ce35030dc10332438b25da8c59cc872d24766d2c3471cee9974e272ee2c039fc18b5babe37ee7f2e732fdb13c41a1a22dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7DBB.tmp
Filesize
1KB

MD5
01330aaeac05f8bc105cbdac6eaf8a1f

SHA1
f821c1371700982832fc8e9662bb19d4ed1e0d0e

SHA256
e770b4fe097a69017150e765fa36b1ee18ecd72366b85b1dcf41e613e9f967af

SHA512
90925dd1c6eac3b0584ec97fca7d3887108bdf23fdc2cf67af55faaae4cc51b09983622f0bad4cd7095b8e0c19e7f702647800e419233a339b48ea82a1e6d06b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SlasherTeam.exe
Filesize
417KB

MD5
d2e600062ef2c9cac27cbe618118adc6

SHA1
67e630a705d6ff641fdb9230afa3f3a5e254dbb4

SHA256
efe53bdfdc3fdb24d08ebc045d543e815f576fab3a85118b7ade066172a72df5

SHA512
726a40889f60cffdc107b40dde5945a255b6dfe8fada53cf51025f83eb3a082ba40cc1c97872eb1f60267325bb8b1ecccec522214f80199dc7d22cd96490ff06

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGZIn2L2aI.bat
Filesize
210B

MD5
d1b7f787f5b39290851d12b839edb6e7

SHA1
6180a3039e53025a42bb5835d8abd03e77dc118c

SHA256
8ae370e030e8b505976c4bf9a911ce560cb11f70a3ff4acb30fc14b9f076deb0

SHA512
4f57e5c27639c5a8199e9c8cc481a4b6e31d4566b38dc43a60605fd257cd64db59f3319e7feadc763afa0eca836a8c47b6788e8ada8bb8e3f7614b127c514584

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kaz5p3gt.5q4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWuoY0mXfs
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\T1NFhHkgq1TxEudZp4T5tcPMCxBHzViymHwuXZcM1.vbe
Filesize
214B

MD5
346ef2af1a4a5ef35b6900eab7f33b87

SHA1
c30c089fd9dbfab77243aa53aa6da3cc63e6b094

SHA256
e5d343dab584b733ab9cb90104abd917931a9e7d5277972af1cbaf43e481e8f6

SHA512
74244efa29e4e52dfc89b42cd01d7568bb53de9c8b2925fe84da7b1239fe63d1f949fe077a37356f5c3eed72ac60e8872ffafa8d07e4c895f1454220c8c548e8

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\UBpnz6SmdVDq0k17g6u44x.bat
Filesize
81B

MD5
a76857fad71c9a436377c45ca5962ee8

SHA1
b69db6d9c85099e06d245d537974e5450fbea979

SHA256
306792f44938e695acef0afb9ed24832580627dbed71b4d56897487398c02dc9

SHA512
b16d669654c83c979634c300e91b17e4b8cc8aa35a80c3666c527971828cafdf88dd613ca0efa9495b89a8ffdf5aa2e50f281f855474a3a3d32f14c5642e756b

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\Updater.exe
Filesize
1.9MB

MD5
099e63fffc8f0deac89c97708e96e052

SHA1
4578737cbe81da0a1abc801fcba383dad78e5d64

SHA256
4963a2bd629166d7b68f700dc0a3c498000aa93f34fc4427a58e8140a16ce081

SHA512
b1c4bbdf957b0a1641a111dad8bc3586ab3045735d871de9d31aee0dd438949f636a9abeca9715f0b1787dc021a0780888fa63aa244bf5450e609aa1949571f1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jxkw5yfh\jxkw5yfh.0.cs
Filesize
361B

MD5
4fafe49642e90b65850fca383ae30b19

SHA1
352675ccdc35352446a9bab1db6788915ac17a3e

SHA256
0064cd788deea146d53c80c48867b7c77542d7d99e157d0289ae5311427a275a

SHA512
e5f8fcc4b1395fd1cbeb01653023871ff8ec6b6c95b31d9245fc05575b6b01a8578cdaede95570af308a4176081eede2be49320ed3990e2ce6b1a10189d5e67e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jxkw5yfh\jxkw5yfh.cmdline
Filesize
235B

MD5
673a5f719c3defc20b22e15d59a8f353

SHA1
09b9f38ca38ad822ac7390fbd6fab7fbab51f932

SHA256
2233cdb60e7b1d21f4dae34a4cdde376d45946047e1bf6b609c7238b3e7431cd

SHA512
285a260427a2307edd9df68f38e17fcf3d1d355ca95c3fcffae7ffe7d76a380bad497dd62c88b96733cf5c43d05d204f96ef5e6adaa78a5744d26d31740b9930

Download Submit
\??\c:\Windows\System32\CSC1C225ED9DA3A4C9DB29C779A51F4893B.TMP
Filesize
1KB

MD5
76193a570fc043b07f2da69ddc0d2266

SHA1
ff4eaaa5d3abed0831c72bbff23adae30f02e4ff

SHA256
a47b908b5cadfac55e3a1702f4e1bb4cfd9b5d7b27e1f6bfb395bc2b29cd3cc8

SHA512
4588c0ddfd356f096aed916e2aecfec09612595fa3864f1896d642a6d0c9294dd21287dadd6e2ccdfde0b6199de6985eba7b25d71364ef9dc17f2f49b6ac7473

Download Submit
memory/1528-36-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/1528-71-0x000002A6E4310000-0x000002A6E4386000-memory.dmp

Filesize
472KB

Download
memory/1528-124-0x000002A6E4390000-0x000002A6E439A000-memory.dmp

Filesize
40KB

Download
memory/1528-72-0x000002A6E42C0000-0x000002A6E4310000-memory.dmp

Filesize
320KB

Download
memory/1528-33-0x000002A6C9BE0000-0x000002A6C9C20000-memory.dmp

Filesize
256KB

Download
memory/1528-125-0x000002A6E43C0000-0x000002A6E43D2000-memory.dmp

Filesize
72KB

Download
memory/1528-73-0x000002A6E4400000-0x000002A6E441E000-memory.dmp

Filesize
120KB

Download
memory/1528-228-0x00007FF9FFBA0000-0x00007FFA00661000-memory.dmp

Filesize
10.8MB

Download
memory/1836-50-0x00000216C4FA0000-0x00000216C4FC2000-memory.dmp

Filesize
136KB

Download
memory/2900-118-0x000000001B5A0000-0x000000001B5B8000-memory.dmp

Filesize
96KB

Download
memory/2900-114-0x0000000002B10000-0x0000000002B1E000-memory.dmp

Filesize
56KB

Download
memory/2900-116-0x000000001B580000-0x000000001B59C000-memory.dmp

Filesize
112KB

Download
memory/2900-100-0x0000000000960000-0x0000000000B46000-memory.dmp

Filesize
1.9MB

Download
memory/2900-120-0x0000000002B20000-0x0000000002B2E000-memory.dmp

Filesize
56KB

Download
memory/2900-122-0x0000000002B30000-0x0000000002B3C000-memory.dmp

Filesize
48KB

Download
memory/4748-331-0x00007FF9FFBA3000-0x00007FF9FFBA5000-memory.dmp

Filesize
8KB

Download
memory/4748-35-0x0000000000FB0000-0x000000000101E000-memory.dmp

Filesize
440KB

Download
memory/4748-34-0x00007FF9FFBA3000-0x00007FF9FFBA5000-memory.dmp

Filesize
8KB

Download