umbral | 1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d

Analysis

max time kernel
16s
max time network
35s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
16-08-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOADER.exe
Size

15.5MB
MD5

5f62b2a17cda80f8ef9bf521fde17e42
SHA1

5086572ec9aa37b50590a36300b374160d8ffacb
SHA256

1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d
SHA512

24e72654fd5fbe2a646d0e9b9ca239852d630de426002f3b7ac56c5a16c12037c1559a6e8420e535fd4fd7865b4f8ec2c5330f83b0781287251a4076d3a0a139
SSDEEP

393216:HV0WnD+wO04M1o4FJO22+j79cC/QWXtsVy5J58mu+F2f3nDNzxg:1dniwO04L4+l+j79H/QW3zFIPpa

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1270702077819097171/aH_welMr5BV0d8bcgAcZ1YefXQZm7768r2-61SpHYIVQE_jXaf2nibmp1wX6DuE5bOcQ

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000800000001ab07-12.dat	family_umbral
behavioral1/memory/3740-14-0x0000021DA9E80000-0x0000021DA9EC0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1568	powershell.exe
2228	powershell.exe
4504	powershell.exe
4532	powershell.exe
4452	powershell.exe
4536	powershell.exe
744	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 8 IoCs

pid	Process
3732	loaderexp.exe
3740	Umbral.exe
1564	loaderexp.exe
4756	Umbral.exe
4528	loaderexp.exe
3536	Umbral.exe
4808	loaderexp.exe
1088	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4424	cmd.exe
4708	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4892	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4708	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3740	Umbral.exe
4536	powershell.exe
4536	powershell.exe
4536	powershell.exe
1568	powershell.exe
1568	powershell.exe
1568	powershell.exe
2228	powershell.exe
2228	powershell.exe
2228	powershell.exe
3248	powershell.exe
3248	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3740	Umbral.exe
Token: SeIncreaseQuotaPrivilege	224	wmic.exe
Token: SeSecurityPrivilege	224	wmic.exe
Token: SeTakeOwnershipPrivilege	224	wmic.exe
Token: SeLoadDriverPrivilege	224	wmic.exe
Token: SeSystemProfilePrivilege	224	wmic.exe
Token: SeSystemtimePrivilege	224	wmic.exe
Token: SeProfSingleProcessPrivilege	224	wmic.exe
Token: SeIncBasePriorityPrivilege	224	wmic.exe
Token: SeCreatePagefilePrivilege	224	wmic.exe
Token: SeBackupPrivilege	224	wmic.exe
Token: SeRestorePrivilege	224	wmic.exe
Token: SeShutdownPrivilege	224	wmic.exe
Token: SeDebugPrivilege	224	wmic.exe
Token: SeSystemEnvironmentPrivilege	224	wmic.exe
Token: SeRemoteShutdownPrivilege	224	wmic.exe
Token: SeUndockPrivilege	224	wmic.exe
Token: SeManageVolumePrivilege	224	wmic.exe
Token: 33	224	wmic.exe
Token: 34	224	wmic.exe
Token: 35	224	wmic.exe
Token: 36	224	wmic.exe
Token: SeIncreaseQuotaPrivilege	224	wmic.exe
Token: SeSecurityPrivilege	224	wmic.exe
Token: SeTakeOwnershipPrivilege	224	wmic.exe
Token: SeLoadDriverPrivilege	224	wmic.exe
Token: SeSystemProfilePrivilege	224	wmic.exe
Token: SeSystemtimePrivilege	224	wmic.exe
Token: SeProfSingleProcessPrivilege	224	wmic.exe
Token: SeIncBasePriorityPrivilege	224	wmic.exe
Token: SeCreatePagefilePrivilege	224	wmic.exe
Token: SeBackupPrivilege	224	wmic.exe
Token: SeRestorePrivilege	224	wmic.exe
Token: SeShutdownPrivilege	224	wmic.exe
Token: SeDebugPrivilege	224	wmic.exe
Token: SeSystemEnvironmentPrivilege	224	wmic.exe
Token: SeRemoteShutdownPrivilege	224	wmic.exe
Token: SeUndockPrivilege	224	wmic.exe
Token: SeManageVolumePrivilege	224	wmic.exe
Token: 33	224	wmic.exe
Token: 34	224	wmic.exe
Token: 35	224	wmic.exe
Token: 36	224	wmic.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeIncreaseQuotaPrivilege	4536	powershell.exe
Token: SeSecurityPrivilege	4536	powershell.exe
Token: SeTakeOwnershipPrivilege	4536	powershell.exe
Token: SeLoadDriverPrivilege	4536	powershell.exe
Token: SeSystemProfilePrivilege	4536	powershell.exe
Token: SeSystemtimePrivilege	4536	powershell.exe
Token: SeProfSingleProcessPrivilege	4536	powershell.exe
Token: SeIncBasePriorityPrivilege	4536	powershell.exe
Token: SeCreatePagefilePrivilege	4536	powershell.exe
Token: SeBackupPrivilege	4536	powershell.exe
Token: SeRestorePrivilege	4536	powershell.exe
Token: SeShutdownPrivilege	4536	powershell.exe
Token: SeDebugPrivilege	4536	powershell.exe
Token: SeSystemEnvironmentPrivilege	4536	powershell.exe
Token: SeRemoteShutdownPrivilege	4536	powershell.exe
Token: SeUndockPrivilege	4536	powershell.exe
Token: SeManageVolumePrivilege	4536	powershell.exe
Token: 33	4536	powershell.exe
Token: 34	4536	powershell.exe
Token: 35	4536	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 2404	5112	LOADER.exe	71
PID 5112 wrote to memory of 2404	5112	LOADER.exe	71
PID 5112 wrote to memory of 3732	5112	LOADER.exe	72
PID 5112 wrote to memory of 3732	5112	LOADER.exe	72
PID 5112 wrote to memory of 3740	5112	LOADER.exe	73
PID 5112 wrote to memory of 3740	5112	LOADER.exe	73
PID 3740 wrote to memory of 224	3740	Umbral.exe	75
PID 3740 wrote to memory of 224	3740	Umbral.exe	75
PID 2404 wrote to memory of 4432	2404	loader.exe	77
PID 2404 wrote to memory of 4432	2404	loader.exe	77
PID 2404 wrote to memory of 1564	2404	loader.exe	78
PID 2404 wrote to memory of 1564	2404	loader.exe	78
PID 2404 wrote to memory of 4756	2404	loader.exe	79
PID 2404 wrote to memory of 4756	2404	loader.exe	79
PID 3740 wrote to memory of 4496	3740	Umbral.exe	80
PID 3740 wrote to memory of 4496	3740	Umbral.exe	80
PID 3740 wrote to memory of 4536	3740	Umbral.exe	82
PID 3740 wrote to memory of 4536	3740	Umbral.exe	82
PID 4432 wrote to memory of 4444	4432	loader.exe	84
PID 4432 wrote to memory of 4444	4432	loader.exe	84
PID 4432 wrote to memory of 4528	4432	loader.exe	85
PID 4432 wrote to memory of 4528	4432	loader.exe	85
PID 4432 wrote to memory of 3536	4432	loader.exe	86
PID 4432 wrote to memory of 3536	4432	loader.exe	86
PID 3740 wrote to memory of 1568	3740	Umbral.exe	88
PID 3740 wrote to memory of 1568	3740	Umbral.exe	88
PID 4444 wrote to memory of 3852	4444	loader.exe	90
PID 4444 wrote to memory of 3852	4444	loader.exe	90
PID 4444 wrote to memory of 4808	4444	loader.exe	91
PID 4444 wrote to memory of 4808	4444	loader.exe	91
PID 4444 wrote to memory of 1088	4444	loader.exe	92
PID 4444 wrote to memory of 1088	4444	loader.exe	92
PID 3740 wrote to memory of 2228	3740	Umbral.exe	93
PID 3740 wrote to memory of 2228	3740	Umbral.exe	93
PID 3740 wrote to memory of 3248	3740	Umbral.exe	95
PID 3740 wrote to memory of 3248	3740	Umbral.exe	95

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4496	attrib.exe
2720	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LOADER.exe
"C:\Users\Admin\AppData\Local\Temp\LOADER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        
        PID:3852
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        10⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        9⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        8⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        
        PID:1080
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:2956
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Views/modifies file attributes
        
        PID:2720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        7⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        
        PID:4716
      - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        6⤵
        
        PID:780
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        
        PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Executes dropped EXE
        
        PID:1088
  - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
      "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
      4⤵
      Executes dropped EXE
      PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:3536
- - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
    "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
    3⤵
    - Executes dropped EXE
    PID:1564
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:4756
- C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
  "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
  2⤵
  - Executes dropped EXE
  PID:3732
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3740
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:4496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3248
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:4912
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3104
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4504
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4892
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4424
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
19fa667a538a7330e0784409cd460887

SHA1
48f1f0a7efd3404dfc38feb106c107ce259382cc

SHA256
45872ce54fd391ad3744d35486e135c692867aef1e1fe897fe9d7ab174948fbf

SHA512
0f9fa8e0342184fde1359ca2cb31a31c65accbe1af8bdd12d41c389b2c32b5410faf7915580aeac62edda9bb5b857c80ce4b6e44608abc123b6eb3400e329dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loaderexp.exe.log

Filesize
871B

MD5
84a419e80a36d8d1a556ab007368d5fe

SHA1
bfb7c91c661a574c28bea24fac02a821296d58c1

SHA256
998c3cc19fd4c49ace01768f5d67c93d1d468d06ad80525c5638419007c23ee0

SHA512
fd93266ae38aca410fe4da160a387415fe4cb1953150cc62c6b7993954df74f42abff3692539210890b629c4fccbe5c49b201363a770f5f07d9eae009fca39ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ddb1978091850d2616d45b9ed76b2201

SHA1
c2afdf33adb2405c949de1a58ab91e84694e7970

SHA256
8618f621f639f3a6713f04234644f1d57ee58891455e1b26d54042813c2cdf5c

SHA512
49c73b09713fa8ef8c5f8f6cfa4e0c410de45ac2eef85f592600675a06c0b2f79b115a5e328745d0cf6207ebfed404236b388bdfce088d5182c06051af46f0ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b0c9db00a53a4682b20faf5c07394899

SHA1
41292985bf22d0c303da4db2263f31c5a39daf63

SHA256
46eee6076ec6aa62af17417697508f4a67289ccff02b739a4efd256091252233

SHA512
a70cf7c71773483651994f5ede898d6874cc33cd87e36e0584576d893244566afc985e470cbd299304ed9347910eeb93b7aa019885a31acdff39492550838e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7276106aad745f41558e44d0fa5749fe

SHA1
4577799f32a24deb716f5ec77527502c7d0acd66

SHA256
fe0806856d3cfe48c4b69d81ba476c094c77ae16bb0f58a5b02b2a037b00f325

SHA512
23bbcc047512a62a73b374bd42133e640ef24d5659043da9268e0fbb1be525c78498268021f5af2cbf7aa9026b213462b9291f3c0772301f16e7655a85d916a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1a350a5d3ddec711f89bf47f90f2f52

SHA1
71fa4509084e57a82964fde441c890378685b5fa

SHA256
45377cdf8eb6a81d95f9985d22be49e572efcf3981f39eda8d22b91297d80f11

SHA512
c7178a27fab73fe408a22ede3cad8cda79f4171aeb047b906e49a032f2eb11724634e2e2157c76edb68f2936b317a969a9908fe362299c5aeac396c3b1de9164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b46be0ed8d564382b0e6601d54962307

SHA1
cbd9471ebd3d8ee90b6ff84f7a21b2e7f9955ce7

SHA256
87392280ecdc890ce15d9fa5d5aff9571b9eda25b1603181aec03d8ef04e4549

SHA512
b3376047dd33c6a47b1b7c4b3724d5b251499606e6d69b92328b4e6b711b5212c23d1d933946eec02686d8d81e9fb4acbeb87b7ef8f05df07b49b83533e40212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f6c9a8932ba3a4c33323177309988cb1

SHA1
0dabf4837749fa147541818e0fc5ed0da0d67b76

SHA256
ab25effc026e797d2f8e611279123ca4a99978650cb3eae9a492dc3a5e99ba6d

SHA512
ebb95f3dc38dd515a3b5e41e7ca19b24cb23e10ce4c68a1b2e84d94b33da3ccf1ceecfe0085886722bc0715593c0c143b935c237b144d51b709085381712d018

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
69ae3bd5e9f8e5518dc12f98a999056e

SHA1
dfacf07c01e5f155895eee4a513117de78142bbb

SHA256
801389c67d5fc5f4857465fe61f72f57ca086d66ed921414e31f16d63da95dcc

SHA512
ef2e4edb8071d578b634aab32fd5d5041b6be2d76e64dba6dfbb414f6696a7738823cc57e6cf15349398dc85f3cb5b3d962bad9c2a218a29e148363d6c206999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a325852d018527061d901ac7775763f

SHA1
dd395fc282ab3ac0f608465bf6810e88edb147b6

SHA256
c937f9f085b5db68534d8828023439a53d4baa1e38dcfa54fe38df8d8edd8634

SHA512
c88a81f230067ce8d28c91da1867545637b179f05e73b249332a7a8bb79c436c021428e629b80bb9870dce0281fc34d78ce491e3905bf7971c9eb9aa2fe73812

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
35bfad8beb24021798e8410c299fb64a

SHA1
064970ecd6e29be2cb5da7cb73f718e326e1b785

SHA256
73ce24ee931d0a3fd27a395bad1b3b45a8c7a2f1841432868ee0e9a16ea56c4e

SHA512
d95d9ffbd89cbea4958eec3e4a4544d87112bff4a35acbc43a4705b4f5c1d2709831a75e6a7838be7359c8033bb3a08e89ad33b743b548c0b95b631666ad1584

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kh1qeeww.rta.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderexp.exe

Filesize
407KB

MD5
1beb7aa96b112bf1cdea3f8ae277002a

SHA1
0a846c4794c62694c8765f0b8e58ea9e807e2a97

SHA256
a62b25c555f2e0943d0494fd88ee92b7fe64b17ee3f9ee294cd6f9f1362a63ed

SHA512
9667870c6994936d3e8fdd46b87feb701320552a707b9728ef53cdef995bd765729856f8f6af08800e4ea5db8905c9bf1bf5c9ed7fcf657500283f55fecaa056

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
memory/2404-16-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp

Filesize
9.9MB

Download
memory/2404-30-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp

Filesize
9.9MB

Download
memory/3732-15-0x00000000003E0000-0x000000000044A000-memory.dmp

Filesize
424KB

Download
memory/3732-20-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp

Filesize
9.9MB

Download
memory/3732-18-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp

Filesize
9.9MB

Download
memory/3740-194-0x0000021DAA370000-0x0000021DAA382000-memory.dmp

Filesize
72KB

Download
memory/3740-122-0x0000021DAA330000-0x0000021DAA34E000-memory.dmp

Filesize
120KB

Download
memory/3740-119-0x0000021DABDD0000-0x0000021DABE20000-memory.dmp

Filesize
320KB

Download
memory/3740-192-0x0000021DAA310000-0x0000021DAA31A000-memory.dmp

Filesize
40KB

Download
memory/3740-14-0x0000021DA9E80000-0x0000021DA9EC0000-memory.dmp

Filesize
256KB

Download
memory/4536-38-0x000001CADED20000-0x000001CADED96000-memory.dmp

Filesize
472KB

Download
memory/4536-35-0x000001CAC66A0000-0x000001CAC66C2000-memory.dmp

Filesize
136KB

Download
memory/5112-0-0x00007FF9FC433000-0x00007FF9FC434000-memory.dmp

Filesize
4KB

Download
memory/5112-17-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp

Filesize
9.9MB

Download
memory/5112-2-0x00007FF9FC430000-0x00007FF9FCE1C000-memory.dmp

Filesize
9.9MB

Download
memory/5112-1-0x00000000001A0000-0x000000000111C000-memory.dmp

Filesize
15.5MB

Download