umbral | 20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846

Resubmissions

02-06-2024 00:57

240602-ba8cradb7z 10

Analysis

max time kernel
1200s
max time network
1172s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loader.exe
Size

365KB
MD5

cbd720ad4f7be1c099ec22f56ee61dd6
SHA1

9989030c7ea1756e1834c464688d418e773919fc
SHA256

20be105c4a33ebf77ef4db7e8b6ebbb39b156fe1dd16473a7255903f33b76846
SHA512

2ad87fdf5046be22eec58fe71326ab0bcc2a2ca019e1b5519ec1ecbdfbb83731a254c7f400ca48cacb9917da6c85d41a913aa0f8f5b21408a3f2d1e8895e9740
SSDEEP

6144:UsLqdufVUNDa4loZM3fsXtioRkts/cnnK6cMlibJksyVtGXTOMdRYspb8e1m+Fii:PFUNDamoZ1tlRk83MlibJksyVtGXTOMX

Score

10^/10

umbral evasion execution persistence spyware stealer

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1246463015998586960/d4v_qESsKe8s7VticwxHvyytkOUO321t7x3oNxoyCNYQuwczEVfPUDFWHLnPpAM4tNJ_

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000233c8-7.dat	family_umbral
behavioral1/memory/1072-10-0x000001A4B9A90000-0x000001A4B9AD0000-memory.dmp	family_umbral

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4528	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	loader.exe

Executes dropped EXE 6 IoCs

pid	Process
1072	loader.exe
888	icsys.icn.exe
2944	explorer.exe
4684	spoolsv.exe
884	svchost.exe
3452	spoolsv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
10	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\tjcm.cmn	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	loader.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2132	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2368	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
5052	loader.exe
1072	loader.exe
4528	powershell.exe
4528	powershell.exe
4752	powershell.exe
4752	powershell.exe
4164	powershell.exe
4164	powershell.exe
4224	powershell.exe
4224	powershell.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe
888	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2944	explorer.exe
884	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1072	loader.exe
Token: SeIncreaseQuotaPrivilege	2464	wmic.exe
Token: SeSecurityPrivilege	2464	wmic.exe
Token: SeTakeOwnershipPrivilege	2464	wmic.exe
Token: SeLoadDriverPrivilege	2464	wmic.exe
Token: SeSystemProfilePrivilege	2464	wmic.exe
Token: SeSystemtimePrivilege	2464	wmic.exe
Token: SeProfSingleProcessPrivilege	2464	wmic.exe
Token: SeIncBasePriorityPrivilege	2464	wmic.exe
Token: SeCreatePagefilePrivilege	2464	wmic.exe
Token: SeBackupPrivilege	2464	wmic.exe
Token: SeRestorePrivilege	2464	wmic.exe
Token: SeShutdownPrivilege	2464	wmic.exe
Token: SeDebugPrivilege	2464	wmic.exe
Token: SeSystemEnvironmentPrivilege	2464	wmic.exe
Token: SeRemoteShutdownPrivilege	2464	wmic.exe
Token: SeUndockPrivilege	2464	wmic.exe
Token: SeManageVolumePrivilege	2464	wmic.exe
Token: 33	2464	wmic.exe
Token: 34	2464	wmic.exe
Token: 35	2464	wmic.exe
Token: 36	2464	wmic.exe
Token: SeIncreaseQuotaPrivilege	2464	wmic.exe
Token: SeSecurityPrivilege	2464	wmic.exe
Token: SeTakeOwnershipPrivilege	2464	wmic.exe
Token: SeLoadDriverPrivilege	2464	wmic.exe
Token: SeSystemProfilePrivilege	2464	wmic.exe
Token: SeSystemtimePrivilege	2464	wmic.exe
Token: SeProfSingleProcessPrivilege	2464	wmic.exe
Token: SeIncBasePriorityPrivilege	2464	wmic.exe
Token: SeCreatePagefilePrivilege	2464	wmic.exe
Token: SeBackupPrivilege	2464	wmic.exe
Token: SeRestorePrivilege	2464	wmic.exe
Token: SeShutdownPrivilege	2464	wmic.exe
Token: SeDebugPrivilege	2464	wmic.exe
Token: SeSystemEnvironmentPrivilege	2464	wmic.exe
Token: SeRemoteShutdownPrivilege	2464	wmic.exe
Token: SeUndockPrivilege	2464	wmic.exe
Token: SeManageVolumePrivilege	2464	wmic.exe
Token: 33	2464	wmic.exe
Token: 34	2464	wmic.exe
Token: 35	2464	wmic.exe
Token: 36	2464	wmic.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	4752	powershell.exe
Token: SeDebugPrivilege	4164	powershell.exe
Token: SeDebugPrivilege	4224	powershell.exe
Token: SeIncreaseQuotaPrivilege	4448	wmic.exe
Token: SeSecurityPrivilege	4448	wmic.exe
Token: SeTakeOwnershipPrivilege	4448	wmic.exe
Token: SeLoadDriverPrivilege	4448	wmic.exe
Token: SeSystemProfilePrivilege	4448	wmic.exe
Token: SeSystemtimePrivilege	4448	wmic.exe
Token: SeProfSingleProcessPrivilege	4448	wmic.exe
Token: SeIncBasePriorityPrivilege	4448	wmic.exe
Token: SeCreatePagefilePrivilege	4448	wmic.exe
Token: SeBackupPrivilege	4448	wmic.exe
Token: SeRestorePrivilege	4448	wmic.exe
Token: SeShutdownPrivilege	4448	wmic.exe
Token: SeDebugPrivilege	4448	wmic.exe
Token: SeSystemEnvironmentPrivilege	4448	wmic.exe
Token: SeRemoteShutdownPrivilege	4448	wmic.exe
Token: SeUndockPrivilege	4448	wmic.exe
Token: SeManageVolumePrivilege	4448	wmic.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
5052	loader.exe
5052	loader.exe
888	icsys.icn.exe
888	icsys.icn.exe
2944	explorer.exe
2944	explorer.exe
4684	spoolsv.exe
4684	spoolsv.exe
884	svchost.exe
884	svchost.exe
3452	spoolsv.exe
3452	spoolsv.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 1072	5052	loader.exe	82
PID 5052 wrote to memory of 1072	5052	loader.exe	82
PID 1072 wrote to memory of 2464	1072	loader.exe	83
PID 1072 wrote to memory of 2464	1072	loader.exe	83
PID 1072 wrote to memory of 4624	1072	loader.exe	86
PID 1072 wrote to memory of 4624	1072	loader.exe	86
PID 1072 wrote to memory of 4528	1072	loader.exe	88
PID 1072 wrote to memory of 4528	1072	loader.exe	88
PID 1072 wrote to memory of 4752	1072	loader.exe	90
PID 1072 wrote to memory of 4752	1072	loader.exe	90
PID 1072 wrote to memory of 4164	1072	loader.exe	92
PID 1072 wrote to memory of 4164	1072	loader.exe	92
PID 1072 wrote to memory of 4224	1072	loader.exe	94
PID 1072 wrote to memory of 4224	1072	loader.exe	94
PID 5052 wrote to memory of 888	5052	loader.exe	98
PID 5052 wrote to memory of 888	5052	loader.exe	98
PID 5052 wrote to memory of 888	5052	loader.exe	98
PID 888 wrote to memory of 2944	888	icsys.icn.exe	99
PID 888 wrote to memory of 2944	888	icsys.icn.exe	99
PID 888 wrote to memory of 2944	888	icsys.icn.exe	99
PID 1072 wrote to memory of 4448	1072	loader.exe	100
PID 1072 wrote to memory of 4448	1072	loader.exe	100
PID 2944 wrote to memory of 4684	2944	explorer.exe	102
PID 2944 wrote to memory of 4684	2944	explorer.exe	102
PID 2944 wrote to memory of 4684	2944	explorer.exe	102
PID 4684 wrote to memory of 884	4684	spoolsv.exe	103
PID 4684 wrote to memory of 884	4684	spoolsv.exe	103
PID 4684 wrote to memory of 884	4684	spoolsv.exe	103
PID 1072 wrote to memory of 5112	1072	loader.exe	104
PID 1072 wrote to memory of 5112	1072	loader.exe	104
PID 884 wrote to memory of 3452	884	svchost.exe	106
PID 884 wrote to memory of 3452	884	svchost.exe	106
PID 884 wrote to memory of 3452	884	svchost.exe	106
PID 1072 wrote to memory of 1832	1072	loader.exe	107
PID 1072 wrote to memory of 1832	1072	loader.exe	107
PID 1072 wrote to memory of 2884	1072	loader.exe	109
PID 1072 wrote to memory of 2884	1072	loader.exe	109
PID 1072 wrote to memory of 2132	1072	loader.exe	112
PID 1072 wrote to memory of 2132	1072	loader.exe	112
PID 1072 wrote to memory of 1360	1072	loader.exe	114
PID 1072 wrote to memory of 1360	1072	loader.exe	114
PID 1360 wrote to memory of 2368	1360	cmd.exe	116
PID 1360 wrote to memory of 2368	1360	cmd.exe	116

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4624	attrib.exe

C:\Users\Admin\AppData\Local\Temp\loader.exe
"C:\Users\Admin\AppData\Local\Temp\loader.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5052
- \??\c:\users\admin\appdata\local\temp\loader.exe
  c:\users\admin\appdata\local\temp\loader.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "c:\users\admin\appdata\local\temp\loader.exe "
    3⤵
    - Views/modifies file attributes
    PID:4624
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'c:\users\admin\appdata\local\temp\loader.exe '
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4224
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4448
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:5112
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    PID:2884
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2132
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "c:\users\admin\appdata\local\temp\loader.exe " && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:2368
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:888
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4684
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:884
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5e2fd95470c50743ba121fd6bd03a7b

SHA1
75545ed499d9dde51a1fc1cf535eb4f50ec79250

SHA256
d9c961aaf784b9ce81b0a3aac7a39bd41e9f2702d9c28deb20e786d385b88288

SHA512
76bdc793f8b38f603b5ad0957474660bb09e963a2496564b8ceac6591d532fc9498214b81c3908bafc13ff0b07028457c6c997998adfd2203304cb1c82899423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xtnpctfo.pwh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\loader.exe

Filesize
230KB

MD5
d23ca81d16873706f5e26fbac64eaee9

SHA1
c49585cbcc6e5286fba1c7a3fe582ea0e38ed5ee

SHA256
007ae5e7086ce92765cb6f3877663b04146f14deba2edb9582d90d4451b443d7

SHA512
4a7d4be3f7a1e27e9c925b57a5e53754f8f39ebabf479e041f620ef5271a7154fe57a407ff59f859f02f149bb60925e2f4e2c9c49f415fd42e780c7ea23922d4

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
f343dae6c32a299363ca913bbf4ae43e

SHA1
0c63ddb2d52ec666862fe7fa467032d73f3ebb60

SHA256
83022bfb4e2a9e3d4bce397099f02f2f72681d779a450f1def6b501e231ef971

SHA512
f65547feec907d6b09590715f57507e5bc92e2d00105167d789b1225b89b5926de1947b6d7aa2c0d318bf5906137a874676497d5e39b0537d3b115ba9fb9c2f0

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
b6c6d532091f6de047c1a68a4b69bf10

SHA1
01439b14f2158014ef0255092f4c11a136483889

SHA256
39931e1f612c4cc3ddef588ce4a1d1c1543e85cf16959eb738ed39eb0b2b1a11

SHA512
b652116e7a2ebe98cb8e43d024542fdb5c8daccf85dde4c00738eedd55d7a1195155ed4b4ea26fd8e91ce1bbef54c9cd224cd4606b2028168e82c0c2de45798d

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
5641227cd3227d165c121f78454f99db

SHA1
f9737a18fa9942f59702eb95471bc294d726cfba

SHA256
056db92d8d494627436d0811b5f6a7c5a930dfebaca2987209b708586923e5f5

SHA512
1ab45cb978c7fe818fdb351401910c473c621adfa769d9aab402895c73fcfd70685e513ecdaf0f249b9d3037ca0840c9d9126c44fca5250404d972ec6ce948ec

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
9d0d40870e6fad42237ff687f7f5502b

SHA1
dae9e8d6a60953fb0d9ab45916bea202cc737f9c

SHA256
c28acc692eb75315e86c4dc2b1a4f5622de7191e6dd9370e7127183c638d350a

SHA512
07e248c5055d2382c5e963683d2d102fce86caec72f3f807640b26f6ebda081628e091c1109c2c4d503133b1fd0b126fe4ea4b96cc3284a2941a0fd8c3e751fa

Download Submit
memory/884-136-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-78-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-117-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1072-11-0x00007FF8E95B0000-0x00007FF8EA071000-memory.dmp

Filesize
10.8MB

Download
memory/1072-82-0x000001A4D41C0000-0x000001A4D41D2000-memory.dmp

Filesize
72KB

Download
memory/1072-81-0x000001A4D4190000-0x000001A4D419A000-memory.dmp

Filesize
40KB

Download
memory/1072-38-0x000001A4D41E0000-0x000001A4D4256000-memory.dmp

Filesize
472KB

Download
memory/1072-9-0x00007FF8E95B3000-0x00007FF8E95B5000-memory.dmp

Filesize
8KB

Download
memory/1072-40-0x000001A4D4160000-0x000001A4D417E000-memory.dmp

Filesize
120KB

Download
memory/1072-39-0x000001A4D4260000-0x000001A4D42B0000-memory.dmp

Filesize
320KB

Download
memory/1072-10-0x000001A4B9A90000-0x000001A4B9AD0000-memory.dmp

Filesize
256KB

Download
memory/1072-134-0x00007FF8E95B0000-0x00007FF8EA071000-memory.dmp

Filesize
10.8MB

Download
memory/2944-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3452-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4528-13-0x00000121CDEB0000-0x00000121CDED2000-memory.dmp

Filesize
136KB

Download
memory/4684-116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5052-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5052-118-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download