umbral | 7b12f8e98a56c0cab6238c8a60857085bd5c33769384a0b1d6e20a0322fc0626

Analysis

max time kernel
50s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Plague (by Cami)(1).zip
Size

146KB
MD5

190f8bf21b950681ea855be5a74b50f2
SHA1

0204b292bc7b4f77538d228275944c687b49d655
SHA256

7b12f8e98a56c0cab6238c8a60857085bd5c33769384a0b1d6e20a0322fc0626
SHA512

1db6b066dad5c0a0e45479d4798472f043cf782c57f0fe643f57f777c5ee92fe5438dfd8beddd547657105eda949592308c6908c9308ba0f13f5f101f4fffc63
SSDEEP

3072:ucRQIF79qsYSglcVj0NkZfFHXA534KIrY73S7SdM+TJDV6yNRO:NR3FpxVj0KTHJYusJDVpRO

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b94-4.dat	family_umbral
behavioral1/memory/1172-13-0x0000022D71CE0000-0x0000022D71D30000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
400	powershell.exe
3124	powershell.exe
952	powershell.exe
2620	powershell.exe
1460	powershell.exe
4896	powershell.exe
3408	powershell.exe
2620	powershell.exe
2108	powershell.exe
980	powershell.exe
2832	powershell.exe
4504	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
1172	MVPLoader.exe
4684	MVPLoader.exe
2204	MVPLoader.exe
716	MVPLoader.exe
2848	MVPLoader.exe
5036	MVPLoader.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
27	discord.com
28	discord.com
37	discord.com
40	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4348	wmic.exe
1684	wmic.exe
772	wmic.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
952	powershell.exe
952	powershell.exe
1460	powershell.exe
1460	powershell.exe
2108	powershell.exe
2108	powershell.exe
2872	powershell.exe
2872	powershell.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
980	powershell.exe
980	powershell.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
400	powershell.exe
400	powershell.exe
4896	powershell.exe
4896	powershell.exe
3408	powershell.exe
3408	powershell.exe
3136	powershell.exe
3136	powershell.exe
2620	powershell.exe
2620	powershell.exe
2884	7zFM.exe
2884	7zFM.exe
3124	powershell.exe
3124	powershell.exe
2832	powershell.exe
2832	powershell.exe
4504	powershell.exe
4504	powershell.exe
1748	powershell.exe
1748	powershell.exe
2620	powershell.exe
2620	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2884	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2884	7zFM.exe
Token: 35	2884	7zFM.exe
Token: SeSecurityPrivilege	2884	7zFM.exe
Token: SeDebugPrivilege	1172	MVPLoader.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeIncreaseQuotaPrivilege	2928	wmic.exe
Token: SeSecurityPrivilege	2928	wmic.exe
Token: SeTakeOwnershipPrivilege	2928	wmic.exe
Token: SeLoadDriverPrivilege	2928	wmic.exe
Token: SeSystemProfilePrivilege	2928	wmic.exe
Token: SeSystemtimePrivilege	2928	wmic.exe
Token: SeProfSingleProcessPrivilege	2928	wmic.exe
Token: SeIncBasePriorityPrivilege	2928	wmic.exe
Token: SeCreatePagefilePrivilege	2928	wmic.exe
Token: SeBackupPrivilege	2928	wmic.exe
Token: SeRestorePrivilege	2928	wmic.exe
Token: SeShutdownPrivilege	2928	wmic.exe
Token: SeDebugPrivilege	2928	wmic.exe
Token: SeSystemEnvironmentPrivilege	2928	wmic.exe
Token: SeRemoteShutdownPrivilege	2928	wmic.exe
Token: SeUndockPrivilege	2928	wmic.exe
Token: SeManageVolumePrivilege	2928	wmic.exe
Token: 33	2928	wmic.exe
Token: 34	2928	wmic.exe
Token: 35	2928	wmic.exe
Token: 36	2928	wmic.exe
Token: SeSecurityPrivilege	2884	7zFM.exe
Token: SeIncreaseQuotaPrivilege	2928	wmic.exe
Token: SeSecurityPrivilege	2928	wmic.exe
Token: SeTakeOwnershipPrivilege	2928	wmic.exe
Token: SeLoadDriverPrivilege	2928	wmic.exe
Token: SeSystemProfilePrivilege	2928	wmic.exe
Token: SeSystemtimePrivilege	2928	wmic.exe
Token: SeProfSingleProcessPrivilege	2928	wmic.exe
Token: SeIncBasePriorityPrivilege	2928	wmic.exe
Token: SeCreatePagefilePrivilege	2928	wmic.exe
Token: SeBackupPrivilege	2928	wmic.exe
Token: SeRestorePrivilege	2928	wmic.exe
Token: SeShutdownPrivilege	2928	wmic.exe
Token: SeDebugPrivilege	2928	wmic.exe
Token: SeSystemEnvironmentPrivilege	2928	wmic.exe
Token: SeRemoteShutdownPrivilege	2928	wmic.exe
Token: SeUndockPrivilege	2928	wmic.exe
Token: SeManageVolumePrivilege	2928	wmic.exe
Token: 33	2928	wmic.exe
Token: 34	2928	wmic.exe
Token: 35	2928	wmic.exe
Token: 36	2928	wmic.exe
Token: SeIncreaseQuotaPrivilege	4540	wmic.exe
Token: SeSecurityPrivilege	4540	wmic.exe
Token: SeTakeOwnershipPrivilege	4540	wmic.exe
Token: SeLoadDriverPrivilege	4540	wmic.exe
Token: SeSystemProfilePrivilege	4540	wmic.exe
Token: SeSystemtimePrivilege	4540	wmic.exe
Token: SeProfSingleProcessPrivilege	4540	wmic.exe
Token: SeIncBasePriorityPrivilege	4540	wmic.exe
Token: SeCreatePagefilePrivilege	4540	wmic.exe
Token: SeBackupPrivilege	4540	wmic.exe
Token: SeRestorePrivilege	4540	wmic.exe
Token: SeShutdownPrivilege	4540	wmic.exe
Token: SeDebugPrivilege	4540	wmic.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe
2884	7zFM.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 1172	2884	7zFM.exe	83
PID 2884 wrote to memory of 1172	2884	7zFM.exe	83
PID 1172 wrote to memory of 952	1172	MVPLoader.exe	87
PID 1172 wrote to memory of 952	1172	MVPLoader.exe	87
PID 1172 wrote to memory of 1460	1172	MVPLoader.exe	89
PID 1172 wrote to memory of 1460	1172	MVPLoader.exe	89
PID 1172 wrote to memory of 2108	1172	MVPLoader.exe	91
PID 1172 wrote to memory of 2108	1172	MVPLoader.exe	91
PID 1172 wrote to memory of 2872	1172	MVPLoader.exe	94
PID 1172 wrote to memory of 2872	1172	MVPLoader.exe	94
PID 1172 wrote to memory of 2928	1172	MVPLoader.exe	97
PID 1172 wrote to memory of 2928	1172	MVPLoader.exe	97
PID 2884 wrote to memory of 4684	2884	7zFM.exe	99
PID 2884 wrote to memory of 4684	2884	7zFM.exe	99
PID 1172 wrote to memory of 4540	1172	MVPLoader.exe	100
PID 1172 wrote to memory of 4540	1172	MVPLoader.exe	100
PID 1172 wrote to memory of 764	1172	MVPLoader.exe	102
PID 1172 wrote to memory of 764	1172	MVPLoader.exe	102
PID 1172 wrote to memory of 980	1172	MVPLoader.exe	104
PID 1172 wrote to memory of 980	1172	MVPLoader.exe	104
PID 1172 wrote to memory of 4348	1172	MVPLoader.exe	106
PID 1172 wrote to memory of 4348	1172	MVPLoader.exe	106
PID 2884 wrote to memory of 2204	2884	7zFM.exe	109
PID 2884 wrote to memory of 2204	2884	7zFM.exe	109
PID 2884 wrote to memory of 716	2884	7zFM.exe	110
PID 2884 wrote to memory of 716	2884	7zFM.exe	110
PID 716 wrote to memory of 400	716	MVPLoader.exe	111
PID 716 wrote to memory of 400	716	MVPLoader.exe	111
PID 716 wrote to memory of 4896	716	MVPLoader.exe	113
PID 716 wrote to memory of 4896	716	MVPLoader.exe	113
PID 716 wrote to memory of 3408	716	MVPLoader.exe	116
PID 716 wrote to memory of 3408	716	MVPLoader.exe	116
PID 716 wrote to memory of 3136	716	MVPLoader.exe	119
PID 716 wrote to memory of 3136	716	MVPLoader.exe	119
PID 716 wrote to memory of 2104	716	MVPLoader.exe	121
PID 716 wrote to memory of 2104	716	MVPLoader.exe	121
PID 716 wrote to memory of 3876	716	MVPLoader.exe	123
PID 716 wrote to memory of 3876	716	MVPLoader.exe	123
PID 716 wrote to memory of 2936	716	MVPLoader.exe	125
PID 716 wrote to memory of 2936	716	MVPLoader.exe	125
PID 716 wrote to memory of 2620	716	MVPLoader.exe	127
PID 716 wrote to memory of 2620	716	MVPLoader.exe	127
PID 716 wrote to memory of 1684	716	MVPLoader.exe	129
PID 716 wrote to memory of 1684	716	MVPLoader.exe	129
PID 2848 wrote to memory of 3124	2848	MVPLoader.exe	133
PID 2848 wrote to memory of 3124	2848	MVPLoader.exe	133
PID 2848 wrote to memory of 2832	2848	MVPLoader.exe	135
PID 2848 wrote to memory of 2832	2848	MVPLoader.exe	135
PID 2848 wrote to memory of 4504	2848	MVPLoader.exe	137
PID 2848 wrote to memory of 4504	2848	MVPLoader.exe	137
PID 2848 wrote to memory of 1748	2848	MVPLoader.exe	139
PID 2848 wrote to memory of 1748	2848	MVPLoader.exe	139
PID 2848 wrote to memory of 2740	2848	MVPLoader.exe	142
PID 2848 wrote to memory of 2740	2848	MVPLoader.exe	142
PID 2848 wrote to memory of 220	2848	MVPLoader.exe	144
PID 2848 wrote to memory of 220	2848	MVPLoader.exe	144
PID 2848 wrote to memory of 3604	2848	MVPLoader.exe	146
PID 2848 wrote to memory of 3604	2848	MVPLoader.exe	146
PID 2848 wrote to memory of 2620	2848	MVPLoader.exe	148
PID 2848 wrote to memory of 2620	2848	MVPLoader.exe	148
PID 2848 wrote to memory of 772	2848	MVPLoader.exe	150
PID 2848 wrote to memory of 772	2848	MVPLoader.exe	150

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Plague (by Cami)(1).zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\7zO44BA2197\MVPLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44BA2197\MVPLoader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO44BA2197\MVPLoader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:980
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4348
- C:\Users\Admin\AppData\Local\Temp\7zO44BD4D87\MVPLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44BD4D87\MVPLoader.exe"
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\Users\Admin\AppData\Local\Temp\7zO44B0E487\MVPLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44B0E487\MVPLoader.exe"
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\7zO44B27CB7\MVPLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO44B27CB7\MVPLoader.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\7zO44B27CB7\MVPLoader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4896
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3136
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2104
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3876
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2620
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1684

C:\Users\Admin\Desktop\MVPLoader.exe
"C:\Users\Admin\Desktop\MVPLoader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\MVPLoader.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1748
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:2740
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:220
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2620
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:772

C:\Users\Admin\Desktop\MVPLoader.exe
"C:\Users\Admin\Desktop\MVPLoader.exe"
1⤵
- Executes dropped EXE
PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MVPLoader.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d330667b7adb8225707b1382dfcd80a

SHA1
c67303843349e23e410aea2686be916e99a7a056

SHA256
5f2d067b0bf52197f5129946e82a2e6cd2b126501062602fc5ab4955a0c4f7b5

SHA512
4299eefb712450630106a850ce2b1b9c3db53e62365b3cc0a49de7d90617a88b36e9b192867e5b6f1e08c56bbdadf88bf2dd9383dcc0c6a6df57f3734b3fe5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7ac560af386b635541815194e95d9f2b

SHA1
586036ead11f18906d0845350641965beebf3d9f

SHA256
382230d8cdd6d7a20d0d609ea4341abd2481cb7bfc27df3e18937e19aa5f381c

SHA512
637388ee50a08f561055485236881924115f8b30fa74e68709f6adeb1531222fd4a57b2f2331691e3f9302789a85f9f9d385e07529cf1407eedd706b972ec243

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
74a6b79d36b4aae8b027a218bc6e1af7

SHA1
0350e46c1df6934903c4820a00b0bc4721779e5f

SHA256
60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

SHA512
60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb5c30d213a938d76ea627a4d05a0111

SHA1
9618958b449d646cb833edefb01dd372f8f0f4b0

SHA256
387991a291e69339f9a6099b4e9c55e55e5c6409e2c8ec50aa7ddbe3025a39dc

SHA512
54ff985ae7f14cc1a3c02d502be4c57ffbc231394e6358c37a0b00513d660ac52198bd946b1972491df54870e8414f905f7d398f0787ee1fe6652e194c801f07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
894afb4ff3cd7ee1f69400e936f8fc9d

SHA1
aa0eb6ac58f8997940c1aa2e6f6c42d7c3837e51

SHA256
20948b37924c58362ffc5d1472667b53c6d7fc865ad541c901cebf41d04a03c9

SHA512
449494468d267f9689a277ce858dac7dfda04ceb568f60170645582fd631901a9ef780da8e420cba8a297edc11cd63a874e3429b95cf90e7261d2b9ab8850e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08e2b6dc039d66a6bfa02fbaa9b86e1f

SHA1
1a45a88b900fc97183e50e3dd95deb5c086e2ca7

SHA256
13f0b2febb094f7d558d4325d06807162326f65290c90fa52fa1d3e4e4b35b14

SHA512
2e818787d6067890ec8586f9e4c2d459632e09c167749ff1b58fcaa273850b0ca61f0a468eda65a71358daa36a69ec7961b07cffe6ebcd7b8f79b2b796402891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
17d8127be94d3c1b6fcc9a4ed585003e

SHA1
789874fcc7c778c723f3e89822d8cc8750c6c4c8

SHA256
ea357ad1f95863b3618d31e5b0f90495331f64de2b784d9e185b48668c937a7b

SHA512
bb18b6d07d82227f5cfbe3eb460df79ec892c560ad2964dcd4782aa26336ae15059843bf46a739bdd4a4daa58057f99102531a756a1cf434ce6449b3cd35a98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO44BA2197\MVPLoader.exe

Filesize
296KB

MD5
a003b413af774f804d4636f1c548432d

SHA1
1278d0575f8f693f525b0c9382b9eb6c5a01f1f7

SHA256
701bcfb85c1c91cba00d1ab6642071739621b886e79255d874dd0def2adbe6b6

SHA512
9abbc1dae91f85e8565905cb78e7266e7dfa1a6c98e3c80dd2ad9e6d6fd955bd28b7b908c802c74a8e6960b98e85c4d040aa7e01adc0babb841634c339db79d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdCwhY388lpfLBJ

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBmypz99N9oIAzc\Browsers\Cookies\Chrome Cookies.txt

Filesize
259B

MD5
689eb8eee8f1e7d01c7b9bcde116be78

SHA1
47c3b8e3cfefd5b893d7c84149fdf9e394b2b321

SHA256
a42da4554769e7b4f7e9815f0cd8fd0f25186550328a280fd1d5419c7fe768dc

SHA512
523d0772cc33cb3c7680694ae6dd2cc3e0d2a71c7cf32a97d65b47648d9a620db171937b9eb1412ff4f32cceb76096a7ce84e5962daf8d405410878d82a86683

Download Submit
C:\Users\Admin\AppData\Local\Temp\MjsZhdwgyCfsfJ0

Filesize
20KB

MD5
a1971f9173e91be2dc5b31e84be54190

SHA1
1a9666ddd8afc9cbcec8bac4933a687f5a630dbb

SHA256
a8833c5cdece6d28ecf7f284d37d397d735081d3d44d432490e8f112bf776b97

SHA512
2a8d999c82e04e0cfd14a604090cbce628818ea53bac42553bc21a7df517ad16519aa02c883d976e16451513845b022964025794759a9f6355e859043f13f992

Download Submit
C:\Users\Admin\AppData\Local\Temp\WKOMvXD97fcALVW

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fhprig3e.5wo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\iQ3yvc6iw6SMedD

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
memory/952-20-0x00000193F7E30000-0x00000193F7E52000-memory.dmp

Filesize
136KB

Download
memory/1172-14-0x00007FF8E3E90000-0x00007FF8E4951000-memory.dmp

Filesize
10.8MB

Download
memory/1172-13-0x0000022D71CE0000-0x0000022D71D30000-memory.dmp

Filesize
320KB

Download
memory/1172-12-0x00007FF8E3E93000-0x00007FF8E3E95000-memory.dmp

Filesize
8KB

Download
memory/1172-39-0x0000022D74490000-0x0000022D74506000-memory.dmp

Filesize
472KB

Download
memory/1172-126-0x00007FF8E3E90000-0x00007FF8E4951000-memory.dmp

Filesize
10.8MB

Download
memory/1172-125-0x0000022D74650000-0x0000022D747F9000-memory.dmp

Filesize
1.7MB

Download
memory/1172-80-0x0000022D74410000-0x0000022D74422000-memory.dmp

Filesize
72KB

Download
memory/1172-79-0x0000022D73D10000-0x0000022D73D1A000-memory.dmp

Filesize
40KB

Download
memory/1172-41-0x0000022D73CD0000-0x0000022D73CEE000-memory.dmp

Filesize
120KB

Download
memory/1172-40-0x0000022D74510000-0x0000022D74560000-memory.dmp

Filesize
320KB

Download
memory/2872-76-0x000002A945B10000-0x000002A945D2C000-memory.dmp

Filesize
2.1MB

Download