umbral | ecd0fc8c6587cbc51329cff18fe5f5630c309fabd0f96add2b80f6e8c9a25e1f

Analysis

max time kernel
128s
max time network
141s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
12/04/2025, 00:58

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ml3;m.exe
Size

1.5MB
MD5

e8342758981a8b91af5c25e1f2d82799
SHA1

3f13ac0400f03a09d14c1aea4673edc912fb8163
SHA256

ecd0fc8c6587cbc51329cff18fe5f5630c309fabd0f96add2b80f6e8c9a25e1f
SHA512

bb2e35817c02b99bbf674e86b8f87344cfc87d74beb33612cd66c9e35fd6fe088fbf386536a8f13f6007527552efdb095911a7446fcdef97fe5e461224a9a973
SSDEEP

24576:dANYQ/HXt8Vij8QBjZL5voRdNEAqJ+p50U4iAQk5fz2E4u+LCDXalDQiHYhcVLk9:0YQ/98VJQRZLdwduar4Tdku+wYDaILkg

Score

10^/10

umbral bootkit defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral4/files/0x001c00000002ae93-14.dat	family_umbral
behavioral4/memory/1068-25-0x0000022BFD690000-0x0000022BFD6D0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3236	powershell.exe
5004	powershell.exe
1128	powershell.exe
3188	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1584	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\58ef1cb24ef99d0cdb9aa4d818c79b63.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\58ef1cb24ef99d0cdb9aa4d818c79b63.exe	Server.exe

Executes dropped EXE 40 IoCs

pid	Process
3128	drover.exe
1068	Umbral.exe
3736	Server.exe
2192	Server.exe
5020	Server.exe
2484	Server.exe
3240	Server.exe
1152	Server.exe
3160	Server.exe
3828	Server.exe
2944	Server.exe
132	Server.exe
1496	Server.exe
3064	Server.exe
3556	Server.exe
4080	Server.exe
3668	Server.exe
2348	Server.exe
3052	Server.exe
1284	Server.exe
2312	Server.exe
3440	Server.exe
3164	Server.exe
2396	Server.exe
1196	Server.exe
3828	Server.exe
3704	Server.exe
5084	Server.exe
4456	Server.exe
2392	tmp2C36.tmp.COM
2700	Server.exe
5052	Server.exe
4148	MBR2.exe
4700	TROLL5.exe
2388	TROLL2.exe
4604	Server.exe
1072	Server.exe
4536	MatrixMBR.exe
1144	GDI.exe
2372	MBR.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\58ef1cb24ef99d0cdb9aa4d818c79b63 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\58ef1cb24ef99d0cdb9aa4d818c79b63 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
4	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MBR.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\MatrixMBR.exe	MBR2.exe
File opened for modification	C:\Windows\System32\MatrixMBR.exe	MBR2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 36 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROLL2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROLL5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GDI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
556	wmic.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3188	powershell.exe
3188	powershell.exe
3236	powershell.exe
3236	powershell.exe
5004	powershell.exe
5004	powershell.exe
3260	powershell.exe
3260	powershell.exe
1128	powershell.exe
1128	powershell.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe
3128	drover.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1068	Umbral.exe
Token: SeDebugPrivilege	3188	powershell.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	3260	powershell.exe
Token: SeIncreaseQuotaPrivilege	4220	wmic.exe
Token: SeSecurityPrivilege	4220	wmic.exe
Token: SeTakeOwnershipPrivilege	4220	wmic.exe
Token: SeLoadDriverPrivilege	4220	wmic.exe
Token: SeSystemProfilePrivilege	4220	wmic.exe
Token: SeSystemtimePrivilege	4220	wmic.exe
Token: SeProfSingleProcessPrivilege	4220	wmic.exe
Token: SeIncBasePriorityPrivilege	4220	wmic.exe
Token: SeCreatePagefilePrivilege	4220	wmic.exe
Token: SeBackupPrivilege	4220	wmic.exe
Token: SeRestorePrivilege	4220	wmic.exe
Token: SeShutdownPrivilege	4220	wmic.exe
Token: SeDebugPrivilege	4220	wmic.exe
Token: SeSystemEnvironmentPrivilege	4220	wmic.exe
Token: SeRemoteShutdownPrivilege	4220	wmic.exe
Token: SeUndockPrivilege	4220	wmic.exe
Token: SeManageVolumePrivilege	4220	wmic.exe
Token: 33	4220	wmic.exe
Token: 34	4220	wmic.exe
Token: 35	4220	wmic.exe
Token: 36	4220	wmic.exe
Token: SeIncreaseQuotaPrivilege	4220	wmic.exe
Token: SeSecurityPrivilege	4220	wmic.exe
Token: SeTakeOwnershipPrivilege	4220	wmic.exe
Token: SeLoadDriverPrivilege	4220	wmic.exe
Token: SeSystemProfilePrivilege	4220	wmic.exe
Token: SeSystemtimePrivilege	4220	wmic.exe
Token: SeProfSingleProcessPrivilege	4220	wmic.exe
Token: SeIncBasePriorityPrivilege	4220	wmic.exe
Token: SeCreatePagefilePrivilege	4220	wmic.exe
Token: SeBackupPrivilege	4220	wmic.exe
Token: SeRestorePrivilege	4220	wmic.exe
Token: SeShutdownPrivilege	4220	wmic.exe
Token: SeDebugPrivilege	4220	wmic.exe
Token: SeSystemEnvironmentPrivilege	4220	wmic.exe
Token: SeRemoteShutdownPrivilege	4220	wmic.exe
Token: SeUndockPrivilege	4220	wmic.exe
Token: SeManageVolumePrivilege	4220	wmic.exe
Token: 33	4220	wmic.exe
Token: 34	4220	wmic.exe
Token: 35	4220	wmic.exe
Token: 36	4220	wmic.exe
Token: SeIncreaseQuotaPrivilege	4560	wmic.exe
Token: SeSecurityPrivilege	4560	wmic.exe
Token: SeTakeOwnershipPrivilege	4560	wmic.exe
Token: SeLoadDriverPrivilege	4560	wmic.exe
Token: SeSystemProfilePrivilege	4560	wmic.exe
Token: SeSystemtimePrivilege	4560	wmic.exe
Token: SeProfSingleProcessPrivilege	4560	wmic.exe
Token: SeIncBasePriorityPrivilege	4560	wmic.exe
Token: SeCreatePagefilePrivilege	4560	wmic.exe
Token: SeBackupPrivilege	4560	wmic.exe
Token: SeRestorePrivilege	4560	wmic.exe
Token: SeShutdownPrivilege	4560	wmic.exe
Token: SeDebugPrivilege	4560	wmic.exe
Token: SeSystemEnvironmentPrivilege	4560	wmic.exe
Token: SeRemoteShutdownPrivilege	4560	wmic.exe
Token: SeUndockPrivilege	4560	wmic.exe
Token: SeManageVolumePrivilege	4560	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 3128	3228	ml3;m.exe	78
PID 3228 wrote to memory of 3128	3228	ml3;m.exe	78
PID 3228 wrote to memory of 1068	3228	ml3;m.exe	79
PID 3228 wrote to memory of 1068	3228	ml3;m.exe	79
PID 3228 wrote to memory of 3736	3228	ml3;m.exe	80
PID 3228 wrote to memory of 3736	3228	ml3;m.exe	80
PID 3228 wrote to memory of 3736	3228	ml3;m.exe	80
PID 1068 wrote to memory of 3188	1068	Umbral.exe	81
PID 1068 wrote to memory of 3188	1068	Umbral.exe	81
PID 1068 wrote to memory of 3236	1068	Umbral.exe	83
PID 1068 wrote to memory of 3236	1068	Umbral.exe	83
PID 1068 wrote to memory of 5004	1068	Umbral.exe	85
PID 1068 wrote to memory of 5004	1068	Umbral.exe	85
PID 1068 wrote to memory of 3260	1068	Umbral.exe	87
PID 1068 wrote to memory of 3260	1068	Umbral.exe	87
PID 1068 wrote to memory of 4220	1068	Umbral.exe	89
PID 1068 wrote to memory of 4220	1068	Umbral.exe	89
PID 1068 wrote to memory of 4560	1068	Umbral.exe	92
PID 1068 wrote to memory of 4560	1068	Umbral.exe	92
PID 1068 wrote to memory of 4804	1068	Umbral.exe	94
PID 1068 wrote to memory of 4804	1068	Umbral.exe	94
PID 1068 wrote to memory of 1128	1068	Umbral.exe	96
PID 1068 wrote to memory of 1128	1068	Umbral.exe	96
PID 1068 wrote to memory of 556	1068	Umbral.exe	98
PID 1068 wrote to memory of 556	1068	Umbral.exe	98
PID 3736 wrote to memory of 1584	3736	Server.exe	100
PID 3736 wrote to memory of 1584	3736	Server.exe	100
PID 3736 wrote to memory of 1584	3736	Server.exe	100
PID 540 wrote to memory of 2192	540	cmd.exe	106
PID 540 wrote to memory of 2192	540	cmd.exe	106
PID 540 wrote to memory of 2192	540	cmd.exe	106
PID 1872 wrote to memory of 5020	1872	cmd.exe	107
PID 1872 wrote to memory of 5020	1872	cmd.exe	107
PID 1872 wrote to memory of 5020	1872	cmd.exe	107
PID 4464 wrote to memory of 2484	4464	cmd.exe	112
PID 4464 wrote to memory of 2484	4464	cmd.exe	112
PID 4464 wrote to memory of 2484	4464	cmd.exe	112
PID 4208 wrote to memory of 3240	4208	cmd.exe	113
PID 4208 wrote to memory of 3240	4208	cmd.exe	113
PID 4208 wrote to memory of 3240	4208	cmd.exe	113
PID 3188 wrote to memory of 1152	3188	cmd.exe	118
PID 3188 wrote to memory of 1152	3188	cmd.exe	118
PID 3188 wrote to memory of 1152	3188	cmd.exe	118
PID 736 wrote to memory of 3160	736	cmd.exe	119
PID 736 wrote to memory of 3160	736	cmd.exe	119
PID 736 wrote to memory of 3160	736	cmd.exe	119
PID 2692 wrote to memory of 3828	2692	cmd.exe	124
PID 2692 wrote to memory of 3828	2692	cmd.exe	124
PID 2692 wrote to memory of 3828	2692	cmd.exe	124
PID 1248 wrote to memory of 2944	1248	cmd.exe	125
PID 1248 wrote to memory of 2944	1248	cmd.exe	125
PID 1248 wrote to memory of 2944	1248	cmd.exe	125
PID 3840 wrote to memory of 132	3840	cmd.exe	130
PID 3840 wrote to memory of 132	3840	cmd.exe	130
PID 3840 wrote to memory of 132	3840	cmd.exe	130
PID 3624 wrote to memory of 1496	3624	cmd.exe	131
PID 3624 wrote to memory of 1496	3624	cmd.exe	131
PID 3624 wrote to memory of 1496	3624	cmd.exe	131
PID 1332 wrote to memory of 3064	1332	cmd.exe	136
PID 1332 wrote to memory of 3064	1332	cmd.exe	136
PID 1332 wrote to memory of 3064	1332	cmd.exe	136
PID 2024 wrote to memory of 3556	2024	cmd.exe	137
PID 2024 wrote to memory of 3556	2024	cmd.exe	137
PID 2024 wrote to memory of 3556	2024	cmd.exe	137

C:\Users\Admin\AppData\Local\Temp\ml3;m.exe
"C:\Users\Admin\AppData\Local\Temp\ml3;m.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\drover.exe
  "C:\Users\Admin\AppData\Local\Temp\drover.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3128
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3260
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4220
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1128
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:556
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1584
- - C:\Users\Admin\AppData\Local\Temp\tmp2C36.tmp.COM
    "C:\Users\Admin\AppData\Local\Temp\tmp2C36.tmp.COM"
    3⤵
    - Executes dropped EXE
    PID:2392
  - - C:\Users\Admin\AppData\Local\Temp\MBR2.exe
      "C:\Users\Admin\AppData\Local\Temp\MBR2.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:4148
    - - C:\Windows\System32\MatrixMBR.exe
        
        "C:\Windows\System32\MatrixMBR.exe"
        5⤵
        Executes dropped EXE
        
        PID:4536
      - C:\Users\Admin\AppData\Local\Temp\GDI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GDI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144
      - C:\Users\Admin\AppData\Local\Temp\MBR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MBR.exe"
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\TROLL5.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL5.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4700
  - - C:\Users\Admin\AppData\Local\Temp\TROLL2.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:736
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4032
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:868
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:820
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3180
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4696
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:920
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:784
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2072
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2220
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2132
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1668
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3112
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4012
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5052

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004C8
1⤵
PID:1004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3368
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:848
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1072

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log

Filesize
319B

MD5
71093f2f2d8fd9daf6bc4bb6a72a5b23

SHA1
7f614257050d90b24ca0f7862724f3d7a9df93fd

SHA256
5da30152f390d2e7e0a801e08502781427e0b499f1d40ae2a1ecf181ef35de8a

SHA512
39e729c10af152d3fa3e382e3976be09074370369805a76b9c0f3dc063c2ce5184e93c1043a81ab82573f768ec0fb6c480ca6848190752b9d2b002c3e319ffa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ead2e66a065b4375efe84580830a5fa

SHA1
6204fc65b31fe58937cb782000e3d3f48b294137

SHA256
1d636badfaa15833c62f1ebc641516e4451b6b008c10c31ed9bb8cf7f7c37314

SHA512
bb60514c9ab7de3768de463f20fcfcec6f9e2be7cdfa24240989374d91ce847c95e8887a7009fba7c3a86ebf42fe66d7fe9fa52f1460580fd9c4597fe4b40325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6bddc96a32b9ed8fc70b141ccf4a39b2

SHA1
0f33c0699da40a5eadcec646791cf21cdb0dd7c6

SHA256
cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132

SHA512
e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f29ff8b1e0f396a194a6782749830b8e

SHA1
2f8999b0eb2a20e591cf9a638c9fa84ddf4a1f69

SHA256
5bfd4968395fefaac3941c08fa11e86dfde1072137d9290aee3888f2a5d92d3f

SHA512
0689d665f2a7c9007c5dc4c14a53d5566d315d05d476bee82d64d02d40e3ffddca2b36419c76a8f7b7979958a62a7a93c939d1ed72fa7a844841ed06741b9e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\GDI.exe

Filesize
11KB

MD5
c08ae6d9c6ecd7e13f827bf68767785f

SHA1
e71c2ec8d00c1e82b8b07baee0688b0a28604454

SHA256
e153def894c867923dd56a7025b7b0b7bd3ee37c801a5957201d39f999bb28bf

SHA512
c28bbe8abc66ad2433e5a3b93a4601b28225e86cb4bff077fd3224adfa63164bebfa3002a42b1cb4cb3c7ccad0208f8b143b8a17099bea04fcb964e667c7a1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR.exe

Filesize
93KB

MD5
d2fc66cf781a2497fceb4041a93cc676

SHA1
480b1aa31b0b31fc0e0833afbba06533ab9a90ee

SHA256
acddde9514e3b9d5c40b3d1750af5f4187c99f8987b027d6da44fb6bcf79b3ca

SHA512
6c4cb42f786301be7614d4cb0b32601fea151351b0877e2371632435eb2c54bd4cd04d6b23bf4f49017ccaf679331162aac7329a1ed2409e3c2e02d0326e3487

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR2.exe

Filesize
205KB

MD5
3dc0e225f886bae3b655cd9d738ed32f

SHA1
abda127fd477bd9d051cd57b16ac13f44030a9ae

SHA256
c22e2419f04fe03a92255a139ca8814697962e86d191a1d4171788fd0c903f68

SHA512
c8a6c0bfa96defde6f83d847583ff2ec065a43f80f9886259a2d1fe7df306ef6ed7aeed61b7dcf0bdc111fc67419eb66cf1ca44e831711dd4ea7d25ed9aed09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
32KB

MD5
c30d7d561c7cd145687cfec82a8dc436

SHA1
6cd3cc34b5074a8b25a1d1b605d56ed9b0bc4203

SHA256
d467702296dbb5c5f84db6ffa8373684b429997c0ea3f1e2c88365250239bf01

SHA512
f8f1c5aaca62a20dd9342491a9d82571c8c280807dd61c9bd91d035436651115fce371bed4cab19af325b4b956b36fcd4ec93cccb433229438047947078260c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL2.exe

Filesize
105KB

MD5
52a2a5517deb1a06896891a35299ce20

SHA1
badcbdfef312bd71de997a7416ee20cee5d66af6

SHA256
dcdf5140bc51db27f3aec80ae9a66a57aad446a2522904d288770e8d8cde8cee

SHA512
7cb0de412c0508f5af522aeaf3731dda418f72f7cae8dd3f21b34d5cdbc08f9dea8699d59878610496c68d687227a0269739221490d70d03b8e4b84dfd29d5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL5.exe

Filesize
712KB

MD5
542a4e400ff233b21a1a3c27751ac783

SHA1
000a67f00b0003531d65a6ed6f16488ae5dcd0fe

SHA256
79f00c7dab0891824136539fabd542c74e26cbed94b9add3f1aa7f793d653de6

SHA512
8335118ca0c268635d9495b331fb65800a32a0631f132cd34ce84ca3b523d0a9e23eee6d76539d0c81d86fda534da56c936914012d8bad35040b15cc8caaf645

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
dcd9253fa3b14afa8d8e636315517897

SHA1
37fcf6a0b4b67e99ad6b4e2c51f0fab9f0874052

SHA256
83fa6a1e67c9ecd7ec68e905c4474274340b96b718da2dbab29cc7fcc4c3e414

SHA512
6cdc1cb0795a2ce33c377141b643b969da1ac7b9708a348115cfe89522f605c99b2f8c3f5cbe08059af0fae1e1a44e9cf05728de7fc50aeb8a78d813e7d80758

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2j552tw.ava.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\drover.exe

Filesize
4.2MB

MD5
2f3d65b00dd63342431dd8c2e90be491

SHA1
9d13fad8dab279f134c5bad639517ee07cf95827

SHA256
71601927d39c6711a94595e6ef756e801f531d8ccf808b60d20fca53761c73a1

SHA512
6e977509ffb9ca61ba5401b87719b2ec080ee65989c7cb0a2fd501d18441f03bd707fb2a95af713bbfd02caae0e38c3c609b1b67efb7373cbcd24e65890af6ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C36.tmp.COM

Filesize
921KB

MD5
d0ae6aea701de9f127f91e7efdb50252

SHA1
cb9ef64cbcb999372fb4046e99fe89a03df9bc81

SHA256
c1aeab35f61f12db28274d82713bff400b808625854a18e49504022f92805e31

SHA512
505d11808e9923ff0ec1a51acd51509711f8c5c42da81b47a97249954b06f6f45ddda4655446daeb7f231785cd484ebc6e9ada92b857ad3a8d7ce04276536f13

Download Submit
C:\Windows\System32\MatrixMBR.exe

Filesize
250KB

MD5
24c441662c09b94e14a4096a8e59c316

SHA1
11576cad137bd8ed76efecd711c0390fe5c85292

SHA256
339fe94164952a8454e6ec5fc75e2c38baade2c14b231e47bf41989ffbb55ee4

SHA512
7f6ca1366733c5fb4925001c0846510732031a9e5f1b16291ff596187c20a88f41193389cedcb73e3928c318fc972be4f03e3cb71f1487c34642897ff9a2b590

Download Submit
memory/1068-60-0x0000022BFFEE0000-0x0000022BFFF30000-memory.dmp

Filesize
320KB

Download
memory/1068-61-0x0000022BFFDE0000-0x0000022BFFDFE000-memory.dmp

Filesize
120KB

Download
memory/1068-95-0x0000022BFF450000-0x0000022BFF45A000-memory.dmp

Filesize
40KB

Download
memory/1068-96-0x0000022BFFE20000-0x0000022BFFE32000-memory.dmp

Filesize
72KB

Download
memory/1068-59-0x0000022BFFE60000-0x0000022BFFED6000-memory.dmp

Filesize
472KB

Download
memory/1068-31-0x00007FF883CD3000-0x00007FF883CD5000-memory.dmp

Filesize
8KB

Download
memory/1068-25-0x0000022BFD690000-0x0000022BFD6D0000-memory.dmp

Filesize
256KB

Download
memory/1144-235-0x0000000000D70000-0x0000000000D78000-memory.dmp

Filesize
32KB

Download
memory/2388-206-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2392-158-0x00000000004C0000-0x00000000005AC000-memory.dmp

Filesize
944KB

Download
memory/2392-159-0x000000001B0F0000-0x000000001B1D4000-memory.dmp

Filesize
912KB

Download
memory/3128-152-0x0000000000410000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/3128-118-0x0000000000410000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/3128-21-0x000001832A2E0000-0x000001832A2E1000-memory.dmp

Filesize
4KB

Download
memory/3128-113-0x0000000000410000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/3188-45-0x00000189785C0000-0x00000189785E2000-memory.dmp

Filesize
136KB

Download
memory/3228-36-0x00007FF883CD0000-0x00007FF884792000-memory.dmp

Filesize
10.8MB

Download
memory/3228-3-0x00007FF883CD0000-0x00007FF884792000-memory.dmp

Filesize
10.8MB

Download
memory/3228-1-0x0000000000DE0000-0x0000000000F60000-memory.dmp

Filesize
1.5MB

Download
memory/3228-0-0x00007FF883CD3000-0x00007FF883CD5000-memory.dmp

Filesize
8KB

Download
memory/4148-183-0x0000000000CE0000-0x0000000000D1A000-memory.dmp

Filesize
232KB

Download
memory/4536-218-0x0000000000BB0000-0x0000000000BF6000-memory.dmp

Filesize
280KB

Download
memory/4700-198-0x0000000005560000-0x0000000005B06000-memory.dmp

Filesize
5.6MB

Download
memory/4700-199-0x0000000004FB0000-0x0000000005042000-memory.dmp

Filesize
584KB

Download
memory/4700-200-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/4700-197-0x00000000004C0000-0x0000000000578000-memory.dmp

Filesize
736KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads