umbral | 1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d

Analysis

max time kernel
23s
max time network
31s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
16-08-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOADER.exe
Size

15.5MB
MD5

5f62b2a17cda80f8ef9bf521fde17e42
SHA1

5086572ec9aa37b50590a36300b374160d8ffacb
SHA256

1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d
SHA512

24e72654fd5fbe2a646d0e9b9ca239852d630de426002f3b7ac56c5a16c12037c1559a6e8420e535fd4fd7865b4f8ec2c5330f83b0781287251a4076d3a0a139
SSDEEP

393216:HV0WnD+wO04M1o4FJO22+j79cC/QWXtsVy5J58mu+F2f3nDNzxg:1dniwO04L4+l+j79H/QW3zFIPpa

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1270702077819097171/aH_welMr5BV0d8bcgAcZ1YefXQZm7768r2-61SpHYIVQE_jXaf2nibmp1wX6DuE5bOcQ

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral5/files/0x000300000002aac2-26.dat	family_umbral
behavioral5/memory/844-28-0x000001D0EA190000-0x000001D0EA1D0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1004	powershell.exe
2336	powershell.exe
2876	powershell.exe
2104	powershell.exe
2924	powershell.exe
1156	powershell.exe
2112	powershell.exe
1704	powershell.exe
4144	powershell.exe
784	powershell.exe
2516	powershell.exe
488	powershell.exe
760	powershell.exe
5028	powershell.exe
2512	powershell.exe
2788	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 18 IoCs

pid	Process
3900	loaderexp.exe
844	Umbral.exe
4076	loaderexp.exe
2852	Umbral.exe
3472	loaderexp.exe
3476	Umbral.exe
4868	loaderexp.exe
2652	Umbral.exe
3464	loaderexp.exe
4740	Umbral.exe
4240	loaderexp.exe
4792	Umbral.exe
4344	loaderexp.exe
1596	Umbral.exe
1412	loaderexp.exe
2228	Umbral.exe
4660	loaderexp.exe
1464	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
11	discord.com
15	discord.com
19	discord.com
3	discord.com
4	discord.com
7	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
3	ip-api.com
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4640	PING.EXE
3844	cmd.exe
1156	PING.EXE
4988	cmd.exe
2428	PING.EXE
4220	PING.EXE
816	cmd.exe
2492	cmd.exe

Detects videocard installed 1 TTPs 4 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3828	wmic.exe
2536	wmic.exe
968	wmic.exe
5028	wmic.exe

Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery

T1018

pid	Process
4220	PING.EXE
4640	PING.EXE
1156	PING.EXE
2428	PING.EXE

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
844	Umbral.exe
760	powershell.exe
760	powershell.exe
2104	powershell.exe
2104	powershell.exe
1004	powershell.exe
1004	powershell.exe
2212	powershell.exe
2212	powershell.exe
2924	powershell.exe
2924	powershell.exe
2652	Umbral.exe
5028	powershell.exe
5028	powershell.exe
1156	powershell.exe
1156	powershell.exe
2112	powershell.exe
2112	powershell.exe
4756	powershell.exe
4756	powershell.exe
2336	powershell.exe
2336	powershell.exe
4792	Umbral.exe
2512	powershell.exe
2512	powershell.exe
1704	powershell.exe
1704	powershell.exe
4144	powershell.exe
4144	powershell.exe
1748	powershell.exe
1748	powershell.exe
784	powershell.exe
784	powershell.exe
1464	Umbral.exe
2788	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2900	wmic.exe
Token: SeSecurityPrivilege	2900	wmic.exe
Token: SeTakeOwnershipPrivilege	2900	wmic.exe
Token: SeLoadDriverPrivilege	2900	wmic.exe
Token: SeSystemProfilePrivilege	2900	wmic.exe
Token: SeSystemtimePrivilege	2900	wmic.exe
Token: SeProfSingleProcessPrivilege	2900	wmic.exe
Token: SeIncBasePriorityPrivilege	2900	wmic.exe
Token: SeCreatePagefilePrivilege	2900	wmic.exe
Token: SeBackupPrivilege	2900	wmic.exe
Token: SeRestorePrivilege	2900	wmic.exe
Token: SeShutdownPrivilege	2900	wmic.exe
Token: SeDebugPrivilege	2900	wmic.exe
Token: SeSystemEnvironmentPrivilege	2900	wmic.exe
Token: SeRemoteShutdownPrivilege	2900	wmic.exe
Token: SeUndockPrivilege	2900	wmic.exe
Token: SeManageVolumePrivilege	2900	wmic.exe
Token: 33	2900	wmic.exe
Token: 34	2900	wmic.exe
Token: 35	2900	wmic.exe
Token: 36	2900	wmic.exe
Token: SeIncreaseQuotaPrivilege	2900	wmic.exe
Token: SeSecurityPrivilege	2900	wmic.exe
Token: SeTakeOwnershipPrivilege	2900	wmic.exe
Token: SeLoadDriverPrivilege	2900	wmic.exe
Token: SeSystemProfilePrivilege	2900	wmic.exe
Token: SeSystemtimePrivilege	2900	wmic.exe
Token: SeProfSingleProcessPrivilege	2900	wmic.exe
Token: SeIncBasePriorityPrivilege	2900	wmic.exe
Token: SeCreatePagefilePrivilege	2900	wmic.exe
Token: SeBackupPrivilege	2900	wmic.exe
Token: SeRestorePrivilege	2900	wmic.exe
Token: SeShutdownPrivilege	2900	wmic.exe
Token: SeDebugPrivilege	2900	wmic.exe
Token: SeSystemEnvironmentPrivilege	2900	wmic.exe
Token: SeRemoteShutdownPrivilege	2900	wmic.exe
Token: SeUndockPrivilege	2900	wmic.exe
Token: SeManageVolumePrivilege	2900	wmic.exe
Token: 33	2900	wmic.exe
Token: 34	2900	wmic.exe
Token: 35	2900	wmic.exe
Token: 36	2900	wmic.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeIncreaseQuotaPrivilege	2584	wmic.exe
Token: SeSecurityPrivilege	2584	wmic.exe
Token: SeTakeOwnershipPrivilege	2584	wmic.exe
Token: SeLoadDriverPrivilege	2584	wmic.exe
Token: SeSystemProfilePrivilege	2584	wmic.exe
Token: SeSystemtimePrivilege	2584	wmic.exe
Token: SeProfSingleProcessPrivilege	2584	wmic.exe
Token: SeIncBasePriorityPrivilege	2584	wmic.exe
Token: SeCreatePagefilePrivilege	2584	wmic.exe
Token: SeBackupPrivilege	2584	wmic.exe
Token: SeRestorePrivilege	2584	wmic.exe
Token: SeShutdownPrivilege	2584	wmic.exe
Token: SeDebugPrivilege	2584	wmic.exe
Token: SeSystemEnvironmentPrivilege	2584	wmic.exe
Token: SeRemoteShutdownPrivilege	2584	wmic.exe
Token: SeUndockPrivilege	2584	wmic.exe
Token: SeManageVolumePrivilege	2584	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3892 wrote to memory of 4240	3892	LOADER.exe	82
PID 3892 wrote to memory of 4240	3892	LOADER.exe	82
PID 3892 wrote to memory of 3900	3892	LOADER.exe	83
PID 3892 wrote to memory of 3900	3892	LOADER.exe	83
PID 3892 wrote to memory of 844	3892	LOADER.exe	84
PID 3892 wrote to memory of 844	3892	LOADER.exe	84
PID 844 wrote to memory of 2900	844	Umbral.exe	86
PID 844 wrote to memory of 2900	844	Umbral.exe	86
PID 844 wrote to memory of 1340	844	Umbral.exe	88
PID 844 wrote to memory of 1340	844	Umbral.exe	88
PID 844 wrote to memory of 760	844	Umbral.exe	90
PID 844 wrote to memory of 760	844	Umbral.exe	90
PID 844 wrote to memory of 2104	844	Umbral.exe	92
PID 844 wrote to memory of 2104	844	Umbral.exe	92
PID 4240 wrote to memory of 3296	4240	loader.exe	94
PID 4240 wrote to memory of 3296	4240	loader.exe	94
PID 4240 wrote to memory of 4076	4240	loader.exe	95
PID 4240 wrote to memory of 4076	4240	loader.exe	95
PID 4240 wrote to memory of 2852	4240	loader.exe	96
PID 4240 wrote to memory of 2852	4240	loader.exe	96
PID 844 wrote to memory of 1004	844	Umbral.exe	97
PID 844 wrote to memory of 1004	844	Umbral.exe	97
PID 844 wrote to memory of 2212	844	Umbral.exe	99
PID 844 wrote to memory of 2212	844	Umbral.exe	99
PID 844 wrote to memory of 2584	844	Umbral.exe	101
PID 844 wrote to memory of 2584	844	Umbral.exe	101
PID 844 wrote to memory of 820	844	Umbral.exe	103
PID 844 wrote to memory of 820	844	Umbral.exe	103
PID 844 wrote to memory of 4088	844	Umbral.exe	105
PID 844 wrote to memory of 4088	844	Umbral.exe	105
PID 844 wrote to memory of 2924	844	Umbral.exe	107
PID 844 wrote to memory of 2924	844	Umbral.exe	107
PID 844 wrote to memory of 3828	844	Umbral.exe	109
PID 844 wrote to memory of 3828	844	Umbral.exe	109
PID 3296 wrote to memory of 2780	3296	loader.exe	111
PID 3296 wrote to memory of 2780	3296	loader.exe	111
PID 3296 wrote to memory of 3472	3296	loader.exe	112
PID 3296 wrote to memory of 3472	3296	loader.exe	112
PID 3296 wrote to memory of 3476	3296	loader.exe	113
PID 3296 wrote to memory of 3476	3296	loader.exe	113
PID 844 wrote to memory of 816	844	Umbral.exe	114
PID 844 wrote to memory of 816	844	Umbral.exe	114
PID 816 wrote to memory of 4220	816	cmd.exe	116
PID 816 wrote to memory of 4220	816	cmd.exe	116
PID 2780 wrote to memory of 3752	2780	loader.exe	117
PID 2780 wrote to memory of 3752	2780	loader.exe	117
PID 2780 wrote to memory of 4868	2780	loader.exe	118
PID 2780 wrote to memory of 4868	2780	loader.exe	118
PID 2780 wrote to memory of 2652	2780	loader.exe	119
PID 2780 wrote to memory of 2652	2780	loader.exe	119
PID 2652 wrote to memory of 920	2652	Umbral.exe	120
PID 2652 wrote to memory of 920	2652	Umbral.exe	120
PID 2652 wrote to memory of 876	2652	Umbral.exe	122
PID 2652 wrote to memory of 876	2652	Umbral.exe	122
PID 2652 wrote to memory of 5028	2652	Umbral.exe	124
PID 2652 wrote to memory of 5028	2652	Umbral.exe	124
PID 2652 wrote to memory of 1156	2652	Umbral.exe	126
PID 2652 wrote to memory of 1156	2652	Umbral.exe	126
PID 2652 wrote to memory of 2112	2652	Umbral.exe	128
PID 2652 wrote to memory of 2112	2652	Umbral.exe	128
PID 2652 wrote to memory of 4756	2652	Umbral.exe	130
PID 2652 wrote to memory of 4756	2652	Umbral.exe	130
PID 3752 wrote to memory of 112	3752	loader.exe	176
PID 3752 wrote to memory of 112	3752	loader.exe	176

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1340	attrib.exe
876	attrib.exe
3524	attrib.exe
3636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LOADER.exe
"C:\Users\Admin\AppData\Local\Temp\LOADER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3892
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3752
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        13⤵
        
        PID:420
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        
        PID:2284
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        12⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        11⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        10⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:3892
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Views/modifies file attributes
        
        PID:3636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        
        PID:4540
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        11⤵
        
        PID:4832
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        11⤵
        
        PID:2412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:488
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:5028
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4988
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        9⤵
        Executes dropped EXE
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        8⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Executes dropped EXE
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        7⤵
        Executes dropped EXE
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:5084
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Views/modifies file attributes
        
        PID:3524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        8⤵
        
        PID:1200
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        8⤵
        
        PID:1004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:3204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:784
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        8⤵
        Detects videocard installed
        
        PID:968
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3844
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1156
      - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        6⤵
        Executes dropped EXE
        
        PID:3464
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Executes dropped EXE
        
        PID:4740
    - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        5⤵
        Executes dropped EXE
        
        PID:4868
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:920
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Views/modifies file attributes
        
        PID:876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5028
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2112
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4756
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        
        PID:3324
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:784
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:3040
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:2536
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2492
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4640
  - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
      "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
      4⤵
      Executes dropped EXE
      PID:3472
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:3476
- - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
    "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
    3⤵
    - Executes dropped EXE
    PID:4076
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:2852
- C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
  "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
  2⤵
  - Executes dropped EXE
  PID:3900
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:1340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:820
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2924
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3828
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
b51beb4423c86427f672916554030c47

SHA1
9b97736d8434b62ef627a4ee8484e26c719924a8

SHA256
df796564c34fb36085aa25452d44ead56fba39aa18e80cb4ba1c30becca0dfea

SHA512
262fc9e9cddee9ae3c733bb961f44f27628783961db101aabc868765ba0e2aafdcb8f9b689f1abd4613836ed9cf3064e92cbd10495c83fe04dd2a496db3485d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loaderexp.exe.log

Filesize
871B

MD5
bc4e798e428bf600621ffa361da29e88

SHA1
60c6bbe3f8dd34346f4b917d540bf23d7e388d0c

SHA256
e581886635b44fab5f83b1267283d3718cfd5b1663c888bd43723d3735d13d61

SHA512
f311add74aea7f96f9face313710328846f49131c97568ee556bd31447036c29c08e6953394fe8dcb0fc072bb19dcb6e72dcf26c0519cec26056da0e869127c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0985ae117be8f70f56eb1635dda6971b

SHA1
a2030a3a416bae7ee3bb3be008655d0888572bfb

SHA256
bf51791875c3197972053173cad6bb2f836e1e786f338149836c5b58f413f934

SHA512
83afc1f898c90d4277c7115fa10b5316d4998180e723d2c8e8308edd79ee0e1b9b3142a4570f603b176d8392711d248da83baeffd583d7ada6f67f8c082a192b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f899142a40c5a9ba96ec8bc9a320992b

SHA1
3830f9182ef6f361d7c7671483de62bf85e49b47

SHA256
50c1250061f3e50994f28981de9a4e07710a8e4aa3be3ff0e5c187aac6b3c45d

SHA512
abc4e9a813a8d98bc706ed0d8e6d3d785d5bae67c6bdf2eda9026a562e4074a48a11e1ef8277347629b0483e8ce329cdd707c161b9c422f8e674085288f6e939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
b698e32d0304217b19b5d9bdb54dc695

SHA1
d839a6bae60d3e4ce89bba63577cfac0f01525eb

SHA256
7ba7436fa154eb729d321d2b5e4ee44cebb6a8ecb864798a444909bd80b4cf12

SHA512
de05eb79e082a59a442efd0181205619468a27f1ed24c4027b01bfeba2e3f1cd426441f3371a3393d645b2fcf8b6255c1f4d9ed343b6c106ffdf19466c3007e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6aa2fca4712a213a6961a9b42cedaadb

SHA1
81da2cba9f21527a1ee07596d0a5a8c11c27ec84

SHA256
818ba8689d5e1508fbd0f1183ec4cd7b920236975243b5c8a7c69ae1ce06a6b8

SHA512
69f5a0fe0a020f027bcf16e30735e2e7983b4ba89360304ff05a2bb6c375b186730f575e0ba2fde6c5f3d95d256ec70a42cca62bcfa0e9c7a263b207c9c183e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
38ecc5b95c11e5a77558753102979c51

SHA1
c0759b08ef377df9979d8835d8a7e464cd8eaf6b

SHA256
2eb69abe0af5a2fb5bb313533cef641e25016876b874353f7d737c7ad672c79e

SHA512
9bf4ce3bc097bdd0242bd105c936a9c9403d5ac83ec99e6a310591a7b8d26309485f3e0cdc4cba67c322f834c325a2b63a008adb078f3a3307094c4b68a48686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7fce898bbf7d2713eeb746f44fe7a289

SHA1
bbb88596ebc97ddb3c83a1e0238c23110ae53586

SHA256
0404d189236865e4d43a47c354d44c5ede1c10f4c3357d428f4af47cf9655839

SHA512
84cd1e360e266b1ef6400c756c2035f011f9927f205fc250b758257fab9c710e7f19a288c2812eece27fa1d650d27f45617f6d8cb9cb53778c8fedca608ec4d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
83bc7bafe464042aba6a1d1d98a1489f

SHA1
8268233d7442b842b858a1ef0831b5998bd3df40

SHA256
9c4ea380965b6239151beaa1d605ff20255b3691968352fc8a3b8b7634a41b1d

SHA512
a38d64bbe657adaf9991240d46fda9268a3e1a322366847899bb6347de1d3cd66dabead78792f65dad68253147415f2ad44904eab1589368cf8d2140bdd1dfd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cd5b2555a0e703bc746e242654a09c2f

SHA1
4021bfba22c0fce16709bfa6140d11272b7bd8b4

SHA256
73679042b477828c6c8400590ca1434f5f6b7379aede1442f80bb9ede3bc7811

SHA512
404a94bbc1cbcf98dba90160ab65a8acc5a1660d801bf7425ab1fe641599bda1b6494d4d6b65c6584e4ca6c1dea4b1acfde88e4a6d216194dca3b6ae6ca605f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b33cb3301d5bc433c8b62bd15345ea34

SHA1
77925b560e9620bd400911eeeda09fe50b026d2c

SHA256
7a7cf26bfe52bbb2719344ddd4d35812847b1c025e3251719e00e57f63635d07

SHA512
91f3c68281d01b3b37ad572e0bc21d1ffd16f45a24aabea7c59447bc55f7cea087a9283ac828f2938c2954a1cc12d272465142abb7e6495f1f581534f1e26b20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
cb4b95fd54d9070f73b1ebfd4b1507f1

SHA1
c2eb07f95fa31492724ede14f3c65fbecbe9b482

SHA256
a06fd9ffc05d11ae694341aa3cc92ca0ece0f45a1ec39e849cc81fe693dafc01

SHA512
184d6bed5bdb3e46321d3d567a648879c088ff1eab57174dd1a584e7bcb6320257c3443566d7ee0a46fefc0959d149130e5e36e93bd88a95e41d9cf6a6b2708c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
4f5f260adddac5f80eb2d1c0784a2e24

SHA1
8719894ff1664202f9e228c55f94d62dcaf12cce

SHA256
7b41d9c769cb20c7ad73e7afa44f964fd7fe66be45d2b0a2ef438dc985433202

SHA512
aa4a23298fda2e7bd6168bcb25b4a215616bccf73705e3566b6b576bf33bb9336682ace3354643332c940c5ee02eef59682a77447ba2f94e97ae0b4722ef0ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f6f33ae41ff18891871a3e906d915eb4

SHA1
cf6ac704047ea22e450c3fa972d98111e43885bc

SHA256
0225284153c04eb74129e1fbd81e498496e4ac83a70e9f40944c72a9012e2c45

SHA512
799bf60838820fd51d2247317ea2e7c2dfe08dadcd9659e7d4d0ac0b944c6ef17916aedf99be1e09bf4c608610cd4c58ddedb455af4a5117dfda95ea66540840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
441a842138038e6385e430a90d7ea608

SHA1
7b3712d2cdd37e10ee9b3994131ee5175e920f01

SHA256
47592f3324179912d3bdba336b9e75568c2c5f1a9fb37c1ba9f0db9df822164c

SHA512
9dbddc3216f2a132ae3961b3aeac2c5b8828dcc9292f6c5bf1171c47453aa8687f92658818d771413492c0ea565e9ede17b9c03e427af9dc2ac21a78369a6666

Download Submit
C:\Users\Admin\AppData\Local\Temp\1LplGf7O7aD0dZZ

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\ERUOFk0xx13CwgG

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\GOYbAIpV2v5X5I4\Display\Display.png

Filesize
415KB

MD5
9f06c91849850b1345a48122849bed65

SHA1
5d700f4eb2a22127e956577e72878f71fa4241e6

SHA256
658eea588f4d70e1773bee163c3a0da7818a63e5b96d2578dd8e6d0a1ed88305

SHA512
ff855908a4015e94da8c0233e2a7a5e6b62b3060844a5cf910ecc8cc28145f7554ddd998055f9c8381d942a346afe01c30e05b93c1e00ca30f14efb932c4a818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
35bfad8beb24021798e8410c299fb64a

SHA1
064970ecd6e29be2cb5da7cb73f718e326e1b785

SHA256
73ce24ee931d0a3fd27a395bad1b3b45a8c7a2f1841432868ee0e9a16ea56c4e

SHA512
d95d9ffbd89cbea4958eec3e4a4544d87112bff4a35acbc43a4705b4f5c1d2709831a75e6a7838be7359c8033bb3a08e89ad33b743b548c0b95b631666ad1584

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cydhilzc.iz3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a8fnTjByvvqhw1T

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\fedM2gxN8gQVdEM

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderexp.exe

Filesize
407KB

MD5
1beb7aa96b112bf1cdea3f8ae277002a

SHA1
0a846c4794c62694c8765f0b8e58ea9e807e2a97

SHA256
a62b25c555f2e0943d0494fd88ee92b7fe64b17ee3f9ee294cd6f9f1362a63ed

SHA512
9667870c6994936d3e8fdd46b87feb701320552a707b9728ef53cdef995bd765729856f8f6af08800e4ea5db8905c9bf1bf5c9ed7fcf657500283f55fecaa056

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/760-41-0x0000018AFB7A0000-0x0000018AFB7C2000-memory.dmp

Filesize
136KB

Download
memory/844-74-0x000001D0ECAE0000-0x000001D0ECB30000-memory.dmp

Filesize
320KB

Download
memory/844-28-0x000001D0EA190000-0x000001D0EA1D0000-memory.dmp

Filesize
256KB

Download
memory/844-109-0x000001D0ECA20000-0x000001D0ECA2A000-memory.dmp

Filesize
40KB

Download
memory/844-139-0x000001D0EC5E0000-0x000001D0EC6EA000-memory.dmp

Filesize
1.0MB

Download
memory/844-110-0x000001D0ECB50000-0x000001D0ECB62000-memory.dmp

Filesize
72KB

Download
memory/844-75-0x000001D0EC9E0000-0x000001D0EC9FE000-memory.dmp

Filesize
120KB

Download
memory/844-73-0x000001D0ECA60000-0x000001D0ECAD6000-memory.dmp

Filesize
472KB

Download
memory/1464-451-0x0000023EDB990000-0x0000023EDBB43000-memory.dmp

Filesize
1.7MB

Download
memory/2652-246-0x000001917E880000-0x000001917EA33000-memory.dmp

Filesize
1.7MB

Download
memory/3892-0-0x00007FFF85E33000-0x00007FFF85E35000-memory.dmp

Filesize
8KB

Download
memory/3892-30-0x00007FFF85E30000-0x00007FFF868F2000-memory.dmp

Filesize
10.8MB

Download
memory/3892-2-0x00007FFF85E30000-0x00007FFF868F2000-memory.dmp

Filesize
10.8MB

Download
memory/3892-1-0x00000000007C0000-0x000000000173C000-memory.dmp

Filesize
15.5MB

Download
memory/3900-32-0x00007FFF85E30000-0x00007FFF868F2000-memory.dmp

Filesize
10.8MB

Download
memory/3900-29-0x00007FFF85E30000-0x00007FFF868F2000-memory.dmp

Filesize
10.8MB

Download
memory/3900-22-0x0000000000780000-0x00000000007EA000-memory.dmp

Filesize
424KB

Download
memory/4240-69-0x00007FFF85E30000-0x00007FFF868F2000-memory.dmp

Filesize
10.8MB

Download
memory/4240-23-0x00007FFF85E30000-0x00007FFF868F2000-memory.dmp

Filesize
10.8MB

Download
memory/4792-343-0x0000017AD5C50000-0x0000017AD5E03000-memory.dmp

Filesize
1.7MB

Download