Overview

overview

10

Static

static

10

release05262024.exe

windows7-x64

10

release05262024.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-06-2024 03:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    release05262024.exe

  • Size

    234KB

  • MD5

    550cecea767138fcf54daabc6af64ff1

  • SHA1

    1b63a5be8367b98d68a3cb190542b65084c22fdb

  • SHA256

    ea94a87b1828d33c0fd1b075ecfdf3cde3856c3b3f173f10c4618e306f1970f8

  • SHA512

    41f94f4845608311908e3abf8640fa9745d368289163304d6759cbf9a94894c3256ce0159b7fb3b612f6cc5432d34ae4571174ace831fa4bd0b3ebe1426ddf3b

  • SSDEEP

    6144:XloZM+rIkd8g+EtXHkv/iD4ZgdtNbYMTvqL9Y0hZOb8e1mXzi4:1oZtL+EP8ZgdtNbYMTvqL9Y0hc6e

Score
10/10
umbralexecutionspywarestealer

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an opensource moduler stealer written in C#.

    stealerumbral
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops file in Drivers directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\release05262024.exe
    "C:\Users\Admin\AppData\Local\Temp\release05262024.exe"
    1⤵
    • Drops file in Drivers directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2752
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4356
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\release05262024.exe"
      2⤵
      • Views/modifies file attributes
      PID:3628
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\release05262024.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3032
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1112
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
        PID:4100
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        2⤵
          PID:2424
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4064
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          2⤵
          • Detects videocard installed
          PID:3392
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\release05262024.exe" && pause
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1252
          • C:\Windows\system32\PING.EXE
            ping localhost
            3⤵
            • Runs ping.exe
            PID:4536
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:3440
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
          1⤵
            PID:620
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
            1⤵
            • Enumerates system info in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2380
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb19bf46f8,0x7ffb19bf4708,0x7ffb19bf4718
              2⤵
                PID:2832
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
                2⤵
                  PID:3904
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:1496
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
                  2⤵
                    PID:1036
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
                    2⤵
                      PID:3392
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
                      2⤵
                        PID:2236
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
                        2⤵
                          PID:2156
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
                          2⤵
                            PID:3996
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
                            2⤵
                              PID:2756
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3624 /prefetch:8
                              2⤵
                              • Suspicious behavior: EnumeratesProcesses
                              PID:4308
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4908 /prefetch:8
                              2⤵
                                PID:4488
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
                                2⤵
                                  PID:2056
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
                                  2⤵
                                    PID:3324
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
                                    2⤵
                                      PID:3772
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,10801612869514030208,7408109405825971721,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
                                      2⤵
                                        PID:880
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:3456
                                      • C:\Windows\System32\CompPkgSrv.exe
                                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                                        1⤵
                                          PID:1656

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                          Filesize

                                          2KB

                                          MD5

                                          d85ba6ff808d9e5444a4b369f5bc2730

                                          SHA1

                                          31aa9d96590fff6981b315e0b391b575e4c0804a

                                          SHA256

                                          84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                          SHA512

                                          8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                          Filesize

                                          152B

                                          MD5

                                          f61fa5143fe872d1d8f1e9f8dc6544f9

                                          SHA1

                                          df44bab94d7388fb38c63085ec4db80cfc5eb009

                                          SHA256

                                          284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

                                          SHA512

                                          971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                          Filesize

                                          152B

                                          MD5

                                          87f7abeb82600e1e640b843ad50fe0a1

                                          SHA1

                                          045bbada3f23fc59941bf7d0210fb160cb78ae87

                                          SHA256

                                          b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

                                          SHA512

                                          ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          5KB

                                          MD5

                                          29942485d028e99ba9d048ece81a37a5

                                          SHA1

                                          6706b509c44390ab9239e7ea0189bc697df82886

                                          SHA256

                                          d4851f81fa4531a6107b81bfa5aab8933d778ffd67d31a01fd866e3fc8393db1

                                          SHA512

                                          e763e8269ed2b6535743f6bfd99e53d520abfa9963d9efe0efefa99379fe98772849459d7d5b8c4f3e268a8af8e002f81966e4d54a7c68c274676e6b09c73268

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          40ecc46101a0cf9fca4e2262af850f35

                                          SHA1

                                          eb2f1c07b0845156591d93d0cc99c8b3df2c0b43

                                          SHA256

                                          105f7fed3b3d1dff05d61f8da72c21504f436711644a4a7bc2fa256708a74712

                                          SHA512

                                          52a7404eb8761a3a41e5c0e4595d96053495e60710b26a056a19f4cc998ab2358f954038648d37d87092dfc4023edaaf919a69a3312444179e2ed9df842b3707

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                          Filesize

                                          6KB

                                          MD5

                                          d875a69c2675891059816b593ca1189e

                                          SHA1

                                          26f359f06e09a578297c0f01c2e69a0bb62f253c

                                          SHA256

                                          88c269feed74e8f509784230e606444a9a7aedc10751bfcdcaa63e05a8d6b8c8

                                          SHA512

                                          8e58d66893e7de0a3397758614eb9a21410d1f095b3d1ae9814d9210706e39f05c1f2310aa73db13d4872eb99546fb2827f3517fbf85f5c841a5313e348a02f8

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                          Filesize

                                          16B

                                          MD5

                                          6752a1d65b201c13b62ea44016eb221f

                                          SHA1

                                          58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                          SHA256

                                          0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                          SHA512

                                          9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                          Filesize

                                          10KB

                                          MD5

                                          182aff66e4eb48d9a2063c554ad9b30c

                                          SHA1

                                          d33ad068e5ead6253c9145f31f4b7913b4d4c216

                                          SHA256

                                          09a1d05525598f7fc89663e80c2c73b60c7cf431ba7b79f196c4f7b7331dbd02

                                          SHA512

                                          9576393ab792eec8c3c6f16487d67ad8b92d54ac9ec79040f00d117235ffc50768476ccf65f240a2b29094f632cda44944712020cb2827c281e3fde753eadeac

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                          Filesize

                                          10KB

                                          MD5

                                          98404ae9bce2c63ac356353966b5c32a

                                          SHA1

                                          ed38b86898df0290ca95e271bead58508e13b6e2

                                          SHA256

                                          e5fdb86d5bea3f0d1a9527c62bb56f91f5cc11b9609b6080201c96129d9c7a73

                                          SHA512

                                          7b308b0a84ff651b0f416f0a5f270af3dd50758a243b8ca1572b2f5a19d30ddafbb59c3e8e8809d2e45e1bce0990d9aab1bfecb507ff505bfab2d0deea4b8872

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
                                          Filesize

                                          264KB

                                          MD5

                                          f50f89a0a91564d0b8a211f8921aa7de

                                          SHA1

                                          112403a17dd69d5b9018b8cede023cb3b54eab7d

                                          SHA256

                                          b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

                                          SHA512

                                          bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                          Filesize

                                          944B

                                          MD5

                                          6d3e9c29fe44e90aae6ed30ccf799ca8

                                          SHA1

                                          c7974ef72264bbdf13a2793ccf1aed11bc565dce

                                          SHA256

                                          2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

                                          SHA512

                                          60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                          Filesize

                                          948B

                                          MD5

                                          c65738617888921a153bd9b1ef516ee7

                                          SHA1

                                          5245e71ea3c181d76320c857b639272ac9e079b1

                                          SHA256

                                          4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

                                          SHA512

                                          2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                          Filesize

                                          1KB

                                          MD5

                                          276798eeb29a49dc6e199768bc9c2e71

                                          SHA1

                                          5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

                                          SHA256

                                          cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

                                          SHA512

                                          0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                          Filesize

                                          1KB

                                          MD5

                                          a2e09e5bf7ad0ba2d211ded97abd19db

                                          SHA1

                                          16796ad86f250b1992f6dfb120b3ad93395949ba

                                          SHA256

                                          fb83b21ad87eaaaaf9f38cc6f5c438de6a1168ed7dc6ca72bea64d59191ea639

                                          SHA512

                                          535d1ed1a8c575926a1481e09367a2644611300a0ee06d704eac80333ccc64f3da7ff2eaa0c77785f2ddeadc6d1bd285065b8eae06cbebb337bb1477e03937e0

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1maetqr0.fs1.ps1
                                          Filesize

                                          60B

                                          MD5

                                          d17fe0a3f47be24a6453e9ef58c94641

                                          SHA1

                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                          SHA256

                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                          SHA512

                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                          Download Submit

                                        • C:\Windows\system32\drivers\etc\hosts
                                          Filesize

                                          2KB

                                          MD5

                                          4028457913f9d08b06137643fe3e01bc

                                          SHA1

                                          a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

                                          SHA256

                                          289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

                                          SHA512

                                          c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

                                          Download Submit

                                        • memory/2752-32-0x000001D572C50000-0x000001D572CC6000-memory.dmp

                                          Filesize

                                          472KB

                                          Download

                                        • memory/2752-89-0x00007FFB1AA50000-0x00007FFB1B511000-memory.dmp

                                          Filesize

                                          10.8MB

                                          Download

                                        • memory/2752-70-0x000001D5709A0000-0x000001D5709AA000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/2752-34-0x000001D570960000-0x000001D57097E000-memory.dmp

                                          Filesize

                                          120KB

                                          Download

                                        • memory/2752-0-0x000001D570490000-0x000001D5704D0000-memory.dmp

                                          Filesize

                                          256KB

                                          Download

                                        • memory/2752-33-0x000001D5722C0000-0x000001D572310000-memory.dmp

                                          Filesize

                                          320KB

                                          Download

                                        • memory/2752-71-0x000001D572290000-0x000001D5722A2000-memory.dmp

                                          Filesize

                                          72KB

                                          Download

                                        • memory/2752-2-0x00007FFB1AA50000-0x00007FFB1B511000-memory.dmp

                                          Filesize

                                          10.8MB

                                          Download

                                        • memory/2752-1-0x00007FFB1AA53000-0x00007FFB1AA55000-memory.dmp

                                          Filesize

                                          8KB

                                          Download

                                        • memory/3032-17-0x00007FFB1AA50000-0x00007FFB1B511000-memory.dmp

                                          Filesize

                                          10.8MB

                                          Download

                                        • memory/3032-11-0x000001B6D6F10000-0x000001B6D6F32000-memory.dmp

                                          Filesize

                                          136KB

                                          Download

                                        • memory/3032-4-0x00007FFB1AA50000-0x00007FFB1B511000-memory.dmp

                                          Filesize

                                          10.8MB

                                          Download

                                        • memory/3032-3-0x00007FFB1AA50000-0x00007FFB1B511000-memory.dmp

                                          Filesize

                                          10.8MB

                                          Download