umbral | 1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d

Analysis

max time kernel
28s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOADER.exe
Size

15.5MB
MD5

5f62b2a17cda80f8ef9bf521fde17e42
SHA1

5086572ec9aa37b50590a36300b374160d8ffacb
SHA256

1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d
SHA512

24e72654fd5fbe2a646d0e9b9ca239852d630de426002f3b7ac56c5a16c12037c1559a6e8420e535fd4fd7865b4f8ec2c5330f83b0781287251a4076d3a0a139
SSDEEP

393216:HV0WnD+wO04M1o4FJO22+j79cC/QWXtsVy5J58mu+F2f3nDNzxg:1dniwO04L4+l+j79H/QW3zFIPpa

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0002000000022b23-19.dat	family_umbral
behavioral4/memory/4556-29-0x000001B9BCE20000-0x000001B9BCE60000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1176	powershell.exe
4584	powershell.exe
4408	powershell.exe
3096	powershell.exe
3564	powershell.exe
1936	powershell.exe
5088	powershell.exe
2568	powershell.exe
1920	powershell.exe
2212	powershell.exe
1636	powershell.exe
2944	powershell.exe
2732	powershell.exe
2548	powershell.exe
1956	powershell.exe
4204	powershell.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 11 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	LOADER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	loader.exe

Executes dropped EXE 22 IoCs

pid	Process
5076	loaderexp.exe
4556	Umbral.exe
1764	loaderexp.exe
2360	Umbral.exe
2604	loaderexp.exe
4588	Umbral.exe
4876	loaderexp.exe
2396	Umbral.exe
888	loaderexp.exe
316	Umbral.exe
2604	loaderexp.exe
3008	Umbral.exe
5072	loaderexp.exe
4356	Umbral.exe
2892	loaderexp.exe
4592	Umbral.exe
3412	loaderexp.exe
3408	Umbral.exe
1912	loaderexp.exe
868	Umbral.exe
2524	loaderexp.exe
2892	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
33	discord.com
49	discord.com
50	discord.com
57	discord.com
58	discord.com
65	discord.com
66	discord.com
32	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com
37	ip-api.com
54	ip-api.com
62	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4296	cmd.exe
3976	PING.EXE
1364	cmd.exe
940	PING.EXE
2012	cmd.exe
2308	PING.EXE

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1332	wmic.exe
1248	wmic.exe
2568	wmic.exe
3096	wmic.exe

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
940	PING.EXE
2308	PING.EXE
3976	PING.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
4556	Umbral.exe
2732	powershell.exe
2732	powershell.exe
1636	powershell.exe
1636	powershell.exe
1636	powershell.exe
2944	powershell.exe
2944	powershell.exe
2944	powershell.exe
208	powershell.exe
208	powershell.exe
208	powershell.exe
1936	powershell.exe
1936	powershell.exe
1936	powershell.exe
2396	Umbral.exe
2548	powershell.exe
2548	powershell.exe
2548	powershell.exe
5088	powershell.exe
5088	powershell.exe
5088	powershell.exe
1176	powershell.exe
1176	powershell.exe
1176	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
4584	powershell.exe
4584	powershell.exe
4584	powershell.exe
4356	Umbral.exe
4356	Umbral.exe
1956	powershell.exe
1956	powershell.exe
1956	powershell.exe
2568	powershell.exe
2568	powershell.exe
2568	powershell.exe
1920	powershell.exe
1920	powershell.exe
1920	powershell.exe
3060	powershell.exe
3060	powershell.exe
3060	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
868	Umbral.exe
868	Umbral.exe
4204	powershell.exe
4204	powershell.exe
4204	powershell.exe
3096	powershell.exe
3096	powershell.exe
3096	powershell.exe
2212	powershell.exe
2212	powershell.exe
2212	powershell.exe
1816	powershell.exe
1816	powershell.exe
1816	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4556	Umbral.exe
Token: SeIncreaseQuotaPrivilege	4928	wmic.exe
Token: SeSecurityPrivilege	4928	wmic.exe
Token: SeTakeOwnershipPrivilege	4928	wmic.exe
Token: SeLoadDriverPrivilege	4928	wmic.exe
Token: SeSystemProfilePrivilege	4928	wmic.exe
Token: SeSystemtimePrivilege	4928	wmic.exe
Token: SeProfSingleProcessPrivilege	4928	wmic.exe
Token: SeIncBasePriorityPrivilege	4928	wmic.exe
Token: SeCreatePagefilePrivilege	4928	wmic.exe
Token: SeBackupPrivilege	4928	wmic.exe
Token: SeRestorePrivilege	4928	wmic.exe
Token: SeShutdownPrivilege	4928	wmic.exe
Token: SeDebugPrivilege	4928	wmic.exe
Token: SeSystemEnvironmentPrivilege	4928	wmic.exe
Token: SeRemoteShutdownPrivilege	4928	wmic.exe
Token: SeUndockPrivilege	4928	wmic.exe
Token: SeManageVolumePrivilege	4928	wmic.exe
Token: 33	4928	wmic.exe
Token: 34	4928	wmic.exe
Token: 35	4928	wmic.exe
Token: 36	4928	wmic.exe
Token: SeIncreaseQuotaPrivilege	4928	wmic.exe
Token: SeSecurityPrivilege	4928	wmic.exe
Token: SeTakeOwnershipPrivilege	4928	wmic.exe
Token: SeLoadDriverPrivilege	4928	wmic.exe
Token: SeSystemProfilePrivilege	4928	wmic.exe
Token: SeSystemtimePrivilege	4928	wmic.exe
Token: SeProfSingleProcessPrivilege	4928	wmic.exe
Token: SeIncBasePriorityPrivilege	4928	wmic.exe
Token: SeCreatePagefilePrivilege	4928	wmic.exe
Token: SeBackupPrivilege	4928	wmic.exe
Token: SeRestorePrivilege	4928	wmic.exe
Token: SeShutdownPrivilege	4928	wmic.exe
Token: SeDebugPrivilege	4928	wmic.exe
Token: SeSystemEnvironmentPrivilege	4928	wmic.exe
Token: SeRemoteShutdownPrivilege	4928	wmic.exe
Token: SeUndockPrivilege	4928	wmic.exe
Token: SeManageVolumePrivilege	4928	wmic.exe
Token: 33	4928	wmic.exe
Token: 34	4928	wmic.exe
Token: 35	4928	wmic.exe
Token: 36	4928	wmic.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	208	powershell.exe
Token: SeIncreaseQuotaPrivilege	2212	wmic.exe
Token: SeSecurityPrivilege	2212	wmic.exe
Token: SeTakeOwnershipPrivilege	2212	wmic.exe
Token: SeLoadDriverPrivilege	2212	wmic.exe
Token: SeSystemProfilePrivilege	2212	wmic.exe
Token: SeSystemtimePrivilege	2212	wmic.exe
Token: SeProfSingleProcessPrivilege	2212	wmic.exe
Token: SeIncBasePriorityPrivilege	2212	wmic.exe
Token: SeCreatePagefilePrivilege	2212	wmic.exe
Token: SeBackupPrivilege	2212	wmic.exe
Token: SeRestorePrivilege	2212	wmic.exe
Token: SeShutdownPrivilege	2212	wmic.exe
Token: SeDebugPrivilege	2212	wmic.exe
Token: SeSystemEnvironmentPrivilege	2212	wmic.exe
Token: SeRemoteShutdownPrivilege	2212	wmic.exe
Token: SeUndockPrivilege	2212	wmic.exe
Token: SeManageVolumePrivilege	2212	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 4876	2680	LOADER.exe	88
PID 2680 wrote to memory of 4876	2680	LOADER.exe	88
PID 2680 wrote to memory of 5076	2680	LOADER.exe	89
PID 2680 wrote to memory of 5076	2680	LOADER.exe	89
PID 2680 wrote to memory of 4556	2680	LOADER.exe	90
PID 2680 wrote to memory of 4556	2680	LOADER.exe	90
PID 4556 wrote to memory of 4928	4556	Umbral.exe	92
PID 4556 wrote to memory of 4928	4556	Umbral.exe	92
PID 4556 wrote to memory of 2232	4556	Umbral.exe	94
PID 4556 wrote to memory of 2232	4556	Umbral.exe	94
PID 4556 wrote to memory of 2732	4556	Umbral.exe	96
PID 4556 wrote to memory of 2732	4556	Umbral.exe	96
PID 4556 wrote to memory of 1636	4556	Umbral.exe	100
PID 4556 wrote to memory of 1636	4556	Umbral.exe	100
PID 4556 wrote to memory of 2944	4556	Umbral.exe	102
PID 4556 wrote to memory of 2944	4556	Umbral.exe	102
PID 4876 wrote to memory of 1064	4876	loader.exe	104
PID 4876 wrote to memory of 1064	4876	loader.exe	104
PID 4876 wrote to memory of 1764	4876	loader.exe	105
PID 4876 wrote to memory of 1764	4876	loader.exe	105
PID 4556 wrote to memory of 208	4556	Umbral.exe	106
PID 4556 wrote to memory of 208	4556	Umbral.exe	106
PID 4876 wrote to memory of 2360	4876	loader.exe	109
PID 4876 wrote to memory of 2360	4876	loader.exe	109
PID 4556 wrote to memory of 2212	4556	Umbral.exe	110
PID 4556 wrote to memory of 2212	4556	Umbral.exe	110
PID 4556 wrote to memory of 1000	4556	Umbral.exe	112
PID 4556 wrote to memory of 1000	4556	Umbral.exe	112
PID 4556 wrote to memory of 4984	4556	Umbral.exe	114
PID 4556 wrote to memory of 4984	4556	Umbral.exe	114
PID 4556 wrote to memory of 1936	4556	Umbral.exe	116
PID 4556 wrote to memory of 1936	4556	Umbral.exe	116
PID 4556 wrote to memory of 1332	4556	Umbral.exe	118
PID 4556 wrote to memory of 1332	4556	Umbral.exe	118
PID 1064 wrote to memory of 2524	1064	loader.exe	120
PID 1064 wrote to memory of 2524	1064	loader.exe	120
PID 1064 wrote to memory of 2604	1064	loader.exe	121
PID 1064 wrote to memory of 2604	1064	loader.exe	121
PID 1064 wrote to memory of 4588	1064	loader.exe	122
PID 1064 wrote to memory of 4588	1064	loader.exe	122
PID 4556 wrote to memory of 1364	4556	Umbral.exe	124
PID 4556 wrote to memory of 1364	4556	Umbral.exe	124
PID 1364 wrote to memory of 940	1364	cmd.exe	126
PID 1364 wrote to memory of 940	1364	cmd.exe	126
PID 2524 wrote to memory of 212	2524	loader.exe	127
PID 2524 wrote to memory of 212	2524	loader.exe	127
PID 2524 wrote to memory of 4876	2524	loader.exe	128
PID 2524 wrote to memory of 4876	2524	loader.exe	128
PID 2524 wrote to memory of 2396	2524	loader.exe	129
PID 2524 wrote to memory of 2396	2524	loader.exe	129
PID 2396 wrote to memory of 4564	2396	Umbral.exe	130
PID 2396 wrote to memory of 4564	2396	Umbral.exe	130
PID 2396 wrote to memory of 4348	2396	Umbral.exe	132
PID 2396 wrote to memory of 4348	2396	Umbral.exe	132
PID 2396 wrote to memory of 2548	2396	Umbral.exe	134
PID 2396 wrote to memory of 2548	2396	Umbral.exe	134
PID 2396 wrote to memory of 5088	2396	Umbral.exe	138
PID 2396 wrote to memory of 5088	2396	Umbral.exe	138
PID 2396 wrote to memory of 1176	2396	Umbral.exe	140
PID 2396 wrote to memory of 1176	2396	Umbral.exe	140
PID 212 wrote to memory of 4340	212	loader.exe	142
PID 212 wrote to memory of 4340	212	loader.exe	142
PID 212 wrote to memory of 888	212	loader.exe	143
PID 212 wrote to memory of 888	212	loader.exe	143

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2232	attrib.exe
4348	attrib.exe
3048	attrib.exe
644	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LOADER.exe
"C:\Users\Admin\AppData\Local\Temp\LOADER.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:212
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Checks computer location settings
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        Checks computer location settings
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        Checks computer location settings
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        Checks computer location settings
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        Checks computer location settings
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        Checks computer location settings
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        13⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        12⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        11⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:4248
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Views/modifies file attributes
        
        PID:644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        12⤵
        
        PID:2836
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        12⤵
        
        PID:2196
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:4972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        12⤵
        Detects videocard installed
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        10⤵
        Executes dropped EXE
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        9⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        8⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4356
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:3896
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Views/modifies file attributes
        
        PID:3048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        9⤵
        
        PID:424
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        9⤵
        
        PID:3748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:4352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:2568
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4296
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        7⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:3008
      - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        6⤵
        Executes dropped EXE
        
        PID:888
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Executes dropped EXE
        
        PID:316
    - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4876
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2396
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:4564
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Views/modifies file attributes
        
        PID:4348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1176
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2836
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        
        PID:1856
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:3884
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:4200
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4584
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:1248
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2012
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
      "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
      4⤵
      Executes dropped EXE
      PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:4588
- - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
    "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
    3⤵
    - Executes dropped EXE
    PID:1764
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:2360
- C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
  "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
  2⤵
  - Executes dropped EXE
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:208
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1000
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1936
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1332
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loaderexp.exe.log

Filesize
871B

MD5
386677f585908a33791517dfc2317f88

SHA1
2e6853b4560a9ac8a74cdd5c3124a777bc0d874e

SHA256
7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0

SHA512
876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77fad1dec6867fb7dd395c25c46d8ae5

SHA1
abfecfd6c63bb35ec88d98ef210adefc139d793e

SHA256
02b0ab469998ac630b421de245ee243599422e7f2c2f9714085fc5b837891784

SHA512
ac8d9d660992d076e46ffdb7422d4916789a7ca2f5737c711449f518745dee197ed1c08e50f81f92cb7d2d1ea94fe024e77a8295e1be05c5a49a0fd7495776d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
520ff216c3f7d7c3d67393bea543fe23

SHA1
588939b12f373f3dcef0b9e5bbf4e8f578ef06ba

SHA256
88fce6a6dfcc22c2ea8eca77e2b43a15bc072bd79b7850c974a9930ca7ea74bf

SHA512
3374573132e1ac3bbcc99b9f2738296103cf8c39256018d18abccbe72921472825a2db4b660bf76d340242919e8cf433cb98d8031111a565c3a55db4143d6162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb5c30d213a938d76ea627a4d05a0111

SHA1
9618958b449d646cb833edefb01dd372f8f0f4b0

SHA256
387991a291e69339f9a6099b4e9c55e55e5c6409e2c8ec50aa7ddbe3025a39dc

SHA512
54ff985ae7f14cc1a3c02d502be4c57ffbc231394e6358c37a0b00513d660ac52198bd946b1972491df54870e8414f905f7d398f0787ee1fe6652e194c801f07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
109d2cbb065c8cd93710c6e0d64fb7e7

SHA1
7b7ba896d2b80b2aa192716b7d43640d59927c37

SHA256
09d583feaa43d646e4039dc3e3171888c07153331b80cef0d5e5b068844d1096

SHA512
dd2a985ac13114cbfe364dd021d8949d4383edbbd86087d9547b7ad68030a5d392e89790573ee0a563af0f950ec323422fb1e7e6ba20f4dddcfea65ec6bad08a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
9ee28cf9c0ab2a3d85c0ebf057cba125

SHA1
574a382f491614cf44cb341539735381c76126a1

SHA256
386ebf1ca77beaff68a7cd0b39f1e1752c1f1f129caa39ef5ac45ae469d74cd8

SHA512
a7be3009466bfea715543f085065fa84280a56743d2fc52611f3ca1febe6a4e8ab36544a4c1793018dce7caaf1471fd244eae91c8ca037cac30138499e002591

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1836304bde9853f7e7a927ab8ebb65bd

SHA1
e06f403dff59dfc6f8d35e0e56f549f13da8a079

SHA256
235b7741bdbada437353cf3e19f012a63ca3a9b13ff05dfa0695b1cd0f5f0e5e

SHA512
890296bf3b807f4ad7ef2e05c3e9ec3e384fb844b2cf1af1e1923f103c56c244b1b8f044610e38db1692b4f3351a2e0220883b2327ab042066debdf187b6f157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8916e154c5f09e8e26780ab9a279d25f

SHA1
25b1b7a637cb3f57329efbfccdc9ed9b67da30b2

SHA256
3881bf61c694a3f517c78904a36efff7812c2664d4965de471b36737f7c90075

SHA512
38baf68637754aee48205a854eb7f74619390e6bc1fcb0cdcc397a696ce7441d9f9e90ed7a66c22c6fc073eacc17cd7e45afeab833b2909f92259a2bc1b8a26f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
47aec0ae6e0dfab5f91c35cd65d2c56a

SHA1
0bbe13618bdc0c402539cdfca81471aa501f5cad

SHA256
8f31385012b247db2cc50ecb164208fbbf5f8cdf7bfc951e8c2c8ad5fb04cf0b

SHA512
c4b7184a85c1d594012ba86390e651439d6cae63c76b94432faaaea410e4ef9bc62d88e68adf8f3abbe36e18ef9e4dc46c3e31a0d72089f98a22f04c8b4a8f12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
79f6952813009f51247491052ca9ebbb

SHA1
78210dbe806bcde87a5f00201c9068bc1737a9ca

SHA256
bee2da5d5a697d09df4aa2b1c374a083a49b4f319c11da53c43ce9520b72a5dd

SHA512
cd019d3dc84665413a23cb2f4ed8fbe6bd6673928144d7af31e70d46dc24ce876bd5ffb11cb65fd5532f8f00bd793dd883200069b06dc93becf5d1db0399c22b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4UKxAbaGdvCQEWG

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBWNOakIcpzvEqS

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
35bfad8beb24021798e8410c299fb64a

SHA1
064970ecd6e29be2cb5da7cb73f718e326e1b785

SHA256
73ce24ee931d0a3fd27a395bad1b3b45a8c7a2f1841432868ee0e9a16ea56c4e

SHA512
d95d9ffbd89cbea4958eec3e4a4544d87112bff4a35acbc43a4705b4f5c1d2709831a75e6a7838be7359c8033bb3a08e89ad33b743b548c0b95b631666ad1584

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0oaaq3sb.ltc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dHBzOgdqSFp7XyA

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderexp.exe

Filesize
407KB

MD5
1beb7aa96b112bf1cdea3f8ae277002a

SHA1
0a846c4794c62694c8765f0b8e58ea9e807e2a97

SHA256
a62b25c555f2e0943d0494fd88ee92b7fe64b17ee3f9ee294cd6f9f1362a63ed

SHA512
9667870c6994936d3e8fdd46b87feb701320552a707b9728ef53cdef995bd765729856f8f6af08800e4ea5db8905c9bf1bf5c9ed7fcf657500283f55fecaa056

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshmcZvJbimPEAf

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\ppl0W7jrhdokMmT\Display\Display.png

Filesize
429KB

MD5
6cc3b050f216ffb336827263c36f654f

SHA1
bbef8384f05fa8625b897aeb41133338ef5698d0

SHA256
ffd16692582439a2cbfc9cdf73f1d279dadf8eb8c2420ced634d116a3df62ce0

SHA512
81ce6923e67f5f4b095793ed866b7469dfe2e7cf77c3d07194a89823a0a3ead82583ace0e1cf5bbd50eaa1fab2767022a419cac75db3fcbb04fb30205b67f6fb

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/2680-1-0x0000000000C10000-0x0000000001B8C000-memory.dmp

Filesize
15.5MB

Download
memory/2680-2-0x00007FFE70740000-0x00007FFE71201000-memory.dmp

Filesize
10.8MB

Download
memory/2680-30-0x00007FFE70740000-0x00007FFE71201000-memory.dmp

Filesize
10.8MB

Download
memory/2680-0-0x00007FFE70743000-0x00007FFE70745000-memory.dmp

Filesize
8KB

Download
memory/2732-33-0x000001BB48980000-0x000001BB489A2000-memory.dmp

Filesize
136KB

Download
memory/4556-59-0x000001B9BEC60000-0x000001B9BECD6000-memory.dmp

Filesize
472KB

Download
memory/4556-29-0x000001B9BCE20000-0x000001B9BCE60000-memory.dmp

Filesize
256KB

Download
memory/4556-60-0x000001B9BEAD0000-0x000001B9BEB20000-memory.dmp

Filesize
320KB

Download
memory/4556-61-0x000001B9BEAA0000-0x000001B9BEABE000-memory.dmp

Filesize
120KB

Download
memory/4556-113-0x000001B9BEB30000-0x000001B9BEB3A000-memory.dmp

Filesize
40KB

Download
memory/4556-114-0x000001B9D7610000-0x000001B9D7622000-memory.dmp

Filesize
72KB

Download
memory/4876-108-0x00007FFE70740000-0x00007FFE71201000-memory.dmp

Filesize
10.8MB

Download
memory/4876-11-0x00007FFE70740000-0x00007FFE71201000-memory.dmp

Filesize
10.8MB

Download
memory/5076-32-0x00007FFE70740000-0x00007FFE71201000-memory.dmp

Filesize
10.8MB

Download
memory/5076-25-0x00007FFE70740000-0x00007FFE71201000-memory.dmp

Filesize
10.8MB

Download
memory/5076-23-0x00000000007F0000-0x000000000085A000-memory.dmp

Filesize
424KB

Download