Analysis
- max time kernel: 600s
- max time network: 601s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 02-09-2024 11:03
Static task: static1
Behavioral task: behavioral1
Sample: spoofer.exe
Resource: win11-20240802-en
General
- Target: spoofer.exe
- Size: 3.5MB
- MD5: 3c56b4fcf99ce74580b0bcdd2c978578
- SHA1: 880625e1750ee2bf2b100e3e13c7c4202a538fc1
- SHA256: ddb51226b6d3d1533056c37154572fdf496da7c13e60749cf56b0a18c9b91345
- SHA512: 7f1dc7ec2b7f9e29307fb8f756ff4820996f19b7116288f13205777472fcaffc7ca4ee92ab99e4341f4b5cc33e177c3fa5f967d1a1dfa80b7553083c865be75d
- SSDEEP: 98304:Mr1TElHYDD3FrZpZqIuWPVe9J3FspZzbxXDPIUW2X9F:MB2H4VrtqKVispZ/xXDAWF
Malware Config
Signatures
- Detect Umbral payload (2 IoCs)
  resource: behavioral1/files/0x000800000002aade-22.dat, yara_rule: family_umbral
  resource: behavioral1/memory/1056-31-0x0000021440FE0000-0x000002144101E000-memory.dmp, yara_rule: family_umbral
- Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access to, or copying of, a web browser credential store.
- Renames multiple (87) files with added filename extension
  This suggests ransomware activity: encrypting all the files on the system.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 64 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid Process 6180 Process not Found 1156 powershell.exe 4808 powershell.exe 3148 powershell.exe 1140 Process not Found 2336 Process not Found 6136 Process not Found 2928 powershell.exe 3556 powershell.exe 4580 powershell.exe 1908 Process not Found 3096 Process not Found 2224 Process not Found 4560 powershell.exe 3812 powershell.exe 2568 Process not Found 5280 Process not Found 5904 Process not Found 5516 Process not Found 5580 Process not Found 2748 powershell.exe 2764 powershell.exe 4432 Process not Found 5708 Process not Found 5504 Process not Found 5184 Process not Found 4632 powershell.exe 1532 powershell.exe 4308 powershell.exe 5108 powershell.exe 1996 powershell.exe 4672 Process not Found 6108 Process not Found 5516 Process not Found 6940 Process not Found 2928 powershell.exe 1876 powershell.exe 2880 powershell.exe 484 Process not Found 4432 Process not Found 3992 Process not Found 1920 powershell.exe 4992 powershell.exe 2316 powershell.exe 3788 powershell.exe 5564 Process not Found 6048 Process not Found 1016 powershell.exe 2464 powershell.exe 1524 powershell.exe 1764 powershell.exe 5280 Process not Found 4784 Process not Found 2356 powershell.exe 2192 powershell.exe 844 Process not Found 3700 Process not Found 7060 Process not Found 1192 powershell.exe 1520 powershell.exe 3504 powershell.exe 4352 Process not Found 3584 powershell.exe 2600 powershell.exe -
- Drops file in Drivers directory (64 IoCs)
description ioc Process File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification 
C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts 
Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Umbra1l.exe File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found File opened for modification C:\Windows\System32\drivers\etc\hosts Process not Found -
- Executes dropped EXE (64 IoCs)
pid Process 1056 Umbra1l.exe 3600 Umbra1l.exe 2240 Umbra1l.exe 1216 Umbra1l.exe 3284 Umbra1l.exe 1808 Umbra1l.exe 688 Umbra1l.exe 3936 Umbra1l.exe 2512 Umbra1l.exe 4900 Umbra1l.exe 2364 Umbra1l.exe 2476 Umbra1l.exe 868 Umbra1l.exe 4444 Umbra1l.exe 2080 Umbra1l.exe 4632 Umbra1l.exe 4540 Umbra1l.exe 1048 Umbra1l.exe 3184 Umbra1l.exe 564 Umbra1l.exe 568 Umbra1l.exe 3280 Umbra1l.exe 4308 Umbra1l.exe 1404 Umbra1l.exe 4248 Umbra1l.exe 3904 Umbra1l.exe 2568 Umbra1l.exe 1504 Umbra1l.exe 1428 Umbra1l.exe 1532 Umbra1l.exe 2280 Umbra1l.exe 5012 Umbra1l.exe 5004 Umbra1l.exe 2468 Umbra1l.exe 1444 Umbra1l.exe 1480 Umbra1l.exe 1208 Umbra1l.exe 2988 Umbra1l.exe 2620 Umbra1l.exe 488 Umbra1l.exe 1912 Umbra1l.exe 2040 Umbra1l.exe 1612 Umbra1l.exe 2140 Umbra1l.exe 4980 Umbra1l.exe 1180 Umbra1l.exe 1540 Umbra1l.exe 1200 Umbra1l.exe 1876 Umbra1l.exe 5004 Umbra1l.exe 124 Umbra1l.exe 3716 Umbra1l.exe 2444 Umbra1l.exe 3576 Umbra1l.exe 4624 Umbra1l.exe 2112 Umbra1l.exe 1524 Umbra1l.exe 648 Umbra1l.exe 2288 Umbra1l.exe 4408 Umbra1l.exe 2240 Umbra1l.exe 3912 Umbra1l.exe 3480 Umbra1l.exe 4320 Umbra1l.exe -
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, among other data.
- Adds Run key to start application (2 TTPs, 64 IoCs)
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) 
\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) 
\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = 
"C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" Process not Found Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Windows\CurrentVersion\Run\Umbra1l = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbra1l.exe" spoofer.exe -
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 64 IoCs)
  ioc: discord.com
  flows: 191, 220, 34, 95, 164, 214, 170, 226, 232, 1, 55, 67, 83, 163, 247, 279, 44, 115, 133, 154, 157, 197, 151, 160, 185, 19, 41, 64, 74, 127, 238, 249, 254, 270, 276, 99, 106, 179, 208, 235, 86, 96, 118, 148, 217, 241, 244, 259, 24, 80, 92, 102, 112, 267, 167, 182, 201, 4, 7, 31, 37, 124, 273, 10
- Looks up external IP address via web service (9 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  ioc: ip-api.com
  flows: 249, 259, 1, 25, 55, 164, 20, 96, 199
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 64 IoCs)
  Adversaries may check for Internet connectivity on compromised systems.
pid Process 4592 cmd.exe 1952 PING.EXE 5548 Process not Found 5684 Process not Found 4024 cmd.exe 4052 Process not Found 5200 Process not Found 6844 Process not Found 1072 PING.EXE 4408 PING.EXE 1960 cmd.exe 2464 cmd.exe 6992 Process not Found 5520 Process not Found 544 PING.EXE 4936 cmd.exe 4196 cmd.exe 3368 cmd.exe 2600 PING.EXE 996 PING.EXE 6568 Process not Found 5028 cmd.exe 124 PING.EXE 4444 PING.EXE 2928 cmd.exe 5892 Process not Found 4004 PING.EXE 3504 PING.EXE 1480 Process not Found 4928 Process not Found 5144 Process not Found 3740 PING.EXE 3304 cmd.exe 844 PING.EXE 5128 Process not Found 1968 Process not Found 5380 Process not Found 2548 cmd.exe 1912 PING.EXE 652 PING.EXE 5808 Process not Found 1112 Process not Found 5988 Process not Found 1700 cmd.exe 224 cmd.exe 5496 Process not Found 5196 Process not Found 2636 PING.EXE 3584 Process not Found 1716 Process not Found 6536 Process not Found 812 cmd.exe 4632 cmd.exe 2956 cmd.exe 3456 cmd.exe 1876 cmd.exe 5764 Process not Found 1760 Process not Found 5628 Process not Found 6536 Process not Found 2256 PING.EXE 4624 PING.EXE 6008 Process not Found 6052 Process not Found -
- Detects video card installed (1 TTPs, 64 IoCs)
  Uses WMIC.exe to determine the installed video card.
pid Process 4724 wmic.exe 4044 wmic.exe 708 Process not Found 5712 Process not Found 2624 wmic.exe 4840 wmic.exe 2736 wmic.exe 4988 wmic.exe 3356 Process not Found 392 wmic.exe 1156 Process not Found 1480 Process not Found 6000 Process not Found 5580 Process not Found 5952 Process not Found 6472 Process not Found 4588 wmic.exe 5420 Process not Found 3992 Process not Found 4648 wmic.exe 2600 wmic.exe 2748 wmic.exe 2764 wmic.exe 2736 Process not Found 2388 Process not Found 1500 Process not Found 4344 wmic.exe 3804 wmic.exe 1592 wmic.exe 3428 wmic.exe 3100 wmic.exe 3060 wmic.exe 4404 wmic.exe 3804 wmic.exe 5020 Process not Found 5380 Process not Found 1456 wmic.exe 1948 wmic.exe 5900 Process not Found 5352 Process not Found 5808 Process not Found 908 wmic.exe 4360 wmic.exe 3420 wmic.exe 432 wmic.exe 2192 wmic.exe 6420 Process not Found 3608 wmic.exe 4436 wmic.exe 1760 wmic.exe 5900 Process not Found 4728 Process not Found 1076 wmic.exe 3692 wmic.exe 3108 wmic.exe 2276 wmic.exe 660 wmic.exe 5760 Process not Found 2880 Process not Found 1572 wmic.exe 1956 wmic.exe 5012 wmic.exe 564 Process not Found 5252 Process not Found -
- Runs ping.exe (1 TTPs, 64 IoCs)
pid Process 2364 PING.EXE 872 PING.EXE 996 PING.EXE 456 Process not Found 4532 Process not Found 3376 PING.EXE 3764 PING.EXE 2264 PING.EXE 6992 Process not Found 124 PING.EXE 1636 PING.EXE 1248 Process not Found 1340 PING.EXE 2552 PING.EXE 2624 PING.EXE 5200 Process not Found 5704 Process not Found 4444 PING.EXE 2600 PING.EXE 2636 PING.EXE 5128 Process not Found 1560 PING.EXE 4176 Process not Found 5548 Process not Found 4508 PING.EXE 4928 Process not Found 5628 Process not Found 1660 Process not Found 5988 Process not Found 6568 Process not Found 4624 PING.EXE 4516 PING.EXE 4728 Process not Found 1480 Process not Found 5808 Process not Found 4624 PING.EXE 3536 PING.EXE 4412 PING.EXE 2140 Process not Found 5376 Process not Found 4004 PING.EXE 1952 PING.EXE 3036 PING.EXE 5684 Process not Found 872 PING.EXE 1428 Process not Found 5396 Process not Found 4308 PING.EXE 6052 Process not Found 3740 PING.EXE 2540 PING.EXE 4408 PING.EXE 544 PING.EXE 6536 Process not Found 3504 PING.EXE 2764 Process not Found 4596 Process not Found 1072 PING.EXE 104 PING.EXE 1536 PING.EXE 6064 Process not Found 5420 Process not Found 2544 Process not Found 7060 Process not Found -
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid Process 4492 powershell.exe 4492 powershell.exe 1920 powershell.exe 1920 powershell.exe 3568 powershell.exe 3568 powershell.exe 4540 powershell.exe 4540 powershell.exe 2468 powershell.exe 2468 powershell.exe 3332 powershell.exe 3332 powershell.exe 1164 powershell.exe 1164 powershell.exe 1428 powershell.exe 1428 powershell.exe 4324 powershell.exe 4324 powershell.exe 1540 powershell.exe 1540 powershell.exe 3896 powershell.exe 3896 powershell.exe 3780 powershell.exe 3780 powershell.exe 4928 powershell.exe 4928 powershell.exe 4932 powershell.exe 4932 powershell.exe 4436 powershell.exe 4436 powershell.exe 3768 powershell.exe 3768 powershell.exe 964 powershell.exe 964 powershell.exe 244 powershell.exe 244 powershell.exe 4572 powershell.exe 4572 powershell.exe 5112 powershell.exe 5112 powershell.exe 3584 powershell.exe 3584 powershell.exe 4992 powershell.exe 4992 powershell.exe 4268 powershell.exe 4268 powershell.exe 1596 powershell.exe 1596 powershell.exe 344 powershell.exe 344 powershell.exe 1364 powershell.exe 1364 powershell.exe 3460 powershell.exe 3460 powershell.exe 4016 powershell.exe 4016 powershell.exe 3420 powershell.exe 3420 powershell.exe 1604 powershell.exe 1604 powershell.exe 2284 powershell.exe 2284 powershell.exe 1688 powershell.exe 1688 powershell.exe -
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
description pid Process Token: SeDebugPrivilege 4492 powershell.exe Token: SeDebugPrivilege 1056 Umbra1l.exe Token: SeDebugPrivilege 1920 powershell.exe Token: SeDebugPrivilege 3568 powershell.exe Token: SeDebugPrivilege 4540 powershell.exe Token: SeDebugPrivilege 2468 powershell.exe Token: SeDebugPrivilege 3332 powershell.exe Token: SeDebugPrivilege 1164 powershell.exe Token: SeIncreaseQuotaPrivilege 5012 wmic.exe Token: SeSecurityPrivilege 5012 wmic.exe Token: SeTakeOwnershipPrivilege 5012 wmic.exe Token: SeLoadDriverPrivilege 5012 wmic.exe Token: SeSystemProfilePrivilege 5012 wmic.exe Token: SeSystemtimePrivilege 5012 wmic.exe Token: SeProfSingleProcessPrivilege 5012 wmic.exe Token: SeIncBasePriorityPrivilege 5012 wmic.exe Token: SeCreatePagefilePrivilege 5012 wmic.exe Token: SeBackupPrivilege 5012 wmic.exe Token: SeRestorePrivilege 5012 wmic.exe Token: SeShutdownPrivilege 5012 wmic.exe Token: SeDebugPrivilege 5012 wmic.exe Token: SeSystemEnvironmentPrivilege 5012 wmic.exe Token: SeRemoteShutdownPrivilege 5012 wmic.exe Token: SeUndockPrivilege 5012 wmic.exe Token: SeManageVolumePrivilege 5012 wmic.exe Token: 33 5012 wmic.exe Token: 34 5012 wmic.exe Token: 35 5012 wmic.exe Token: 36 5012 wmic.exe Token: SeIncreaseQuotaPrivilege 5012 wmic.exe Token: SeSecurityPrivilege 5012 wmic.exe Token: SeTakeOwnershipPrivilege 5012 wmic.exe Token: SeLoadDriverPrivilege 5012 wmic.exe Token: SeSystemProfilePrivilege 5012 wmic.exe Token: SeSystemtimePrivilege 5012 wmic.exe Token: SeProfSingleProcessPrivilege 5012 wmic.exe Token: SeIncBasePriorityPrivilege 5012 wmic.exe Token: SeCreatePagefilePrivilege 5012 wmic.exe Token: SeBackupPrivilege 5012 wmic.exe Token: SeRestorePrivilege 5012 wmic.exe Token: SeShutdownPrivilege 5012 wmic.exe Token: SeDebugPrivilege 5012 wmic.exe Token: SeSystemEnvironmentPrivilege 5012 wmic.exe Token: SeRemoteShutdownPrivilege 5012 wmic.exe Token: SeUndockPrivilege 5012 wmic.exe Token: SeManageVolumePrivilege 5012 wmic.exe Token: 33 5012 wmic.exe Token: 
34 5012 wmic.exe Token: 35 5012 wmic.exe Token: 36 5012 wmic.exe Token: SeIncreaseQuotaPrivilege 4580 wmic.exe Token: SeSecurityPrivilege 4580 wmic.exe Token: SeTakeOwnershipPrivilege 4580 wmic.exe Token: SeLoadDriverPrivilege 4580 wmic.exe Token: SeSystemProfilePrivilege 4580 wmic.exe Token: SeSystemtimePrivilege 4580 wmic.exe Token: SeProfSingleProcessPrivilege 4580 wmic.exe Token: SeIncBasePriorityPrivilege 4580 wmic.exe Token: SeCreatePagefilePrivilege 4580 wmic.exe Token: SeBackupPrivilege 4580 wmic.exe Token: SeRestorePrivilege 4580 wmic.exe Token: SeShutdownPrivilege 4580 wmic.exe Token: SeDebugPrivilege 4580 wmic.exe Token: SeSystemEnvironmentPrivilege 4580 wmic.exe -
- Suspicious use of WriteProcessMemory (64 IoCs)
Views/modifies file attributes 1 TTPs 64 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2876
- Suspicious use of WriteProcessMemory
2. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:996
- Suspicious use of WriteProcessMemory
3. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2968
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3468
- Suspicious use of WriteProcessMemory
5. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4532
- Suspicious use of WriteProcessMemory
6. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1200
- Adds Run key to start application
7. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1628
8. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2468
- Adds Run key to start application
9. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2140
10. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4736
- Adds Run key to start application
11. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1852
12. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3688
13. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2512
14. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1072
15. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3368
16. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3572
17. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1888
18. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:244
19. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2720
20. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4352
21. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2304
22. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1156
23. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:768
- Adds Run key to start application
24. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:5068
- Adds Run key to start application
25. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1900
26. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2360
27. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:768
- Adds Run key to start application
28. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1596
29. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4980
- Adds Run key to start application
30. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1660
31. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3900
32. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3184
33. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1756
34. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1856
- Adds Run key to start application
35. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2360
36. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3148
37. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4612
38. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:648
39. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1212
- Adds Run key to start application
40. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4604
41. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2588
42. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1008
43. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2356
44. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2388
45. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2376
46. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4052
47. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1908
48. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2208
49. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3176
50. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1960
51. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1344
52. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1420
53. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1172
54. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1996
55. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2696
56. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4300
57. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4876
58. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1728
59. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3108
60. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4324
61. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2992
62. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1524
63. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1600
64. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2956
65. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2464
66. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1204
67. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:660
68. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1728
- Adds Run key to start application
69. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3712
70. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4032
- Adds Run key to start application
71. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1764
- Adds Run key to start application
72. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1016
73. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:5020
74. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4288
75. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1888
76. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1632
77. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4288
78. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1072
79. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2348
- Adds Run key to start application
80. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1188
81. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4424
82. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:236
- Adds Run key to start application
83. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3008
- Adds Run key to start application
84. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3584
85. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4000
86. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:652
87. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1164
88. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1456
89. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4032
90. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4388
91. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4344
92. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2276
- Adds Run key to start application
93. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:800
94. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:224
95. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3160
- Adds Run key to start application
96. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4992
97. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3768
98. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:5108
99. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:396
100. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4412
- Adds Run key to start application
101. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:2264
102. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4748
103. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4108
104. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3096
105. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1164
106. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4044
107. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4388
108. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4624
109. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:484
110. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3788
111. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4552
112. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1196
- Adds Run key to start application
113. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4624
- Adds Run key to start application
114. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3156
- Adds Run key to start application
115. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1864
116. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3096
117. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3556
118. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:5000
119. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:1840
120. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4080
121. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:3960
122. C:\Users\Admin\AppData\Local\Temp\spoofer.exe "C:\Users\Admin\AppData\Local\Temp\spoofer.exe" PID:4552
- Adds Run key to start application