Malware Analysis Report

2024-10-10 10:08

Sample ID 240422-q6n2bacd2z
Target stealer v2.exe
SHA256 fe9b415107f164c76a286b93f647b0501fb83e4dd7f839ab7fec9639c55084ae
Tags
umbral persistence stealer
score
10/10

Analysis Overview

score
10/10

SHA256

fe9b415107f164c76a286b93f647b0501fb83e4dd7f839ab7fec9639c55084ae

Threat Level: Known bad

The file stealer v2.exe was found to be: Known bad.

Malicious Activity Summary

umbral persistence stealer

Umbral

Detect Umbral payload

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-22 13:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-22 13:52

Reported

2024-04-22 13:53

Platform

win10v2004-20240412-en

Max time kernel

7s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\stealer v2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stealer v2.exe

"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c "stealer.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe

stealer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\task.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'task.exe'

C:\Windows\task.exe

C:\Windows\task.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6793.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /run /TN Update

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe

MD5 bdb421db1041dff30935a0c368f0316e
SHA1 15786e4eb3057abaeab7c2ebbb0e758d9d4c2216
SHA256 ac14f5357b9e35f8e9fccd2727ae133f34acafbd442cdb6f438a6f7a70861ca2
SHA512 0280a8eeb333437c2122b8e47414565bd8492fee285071e612fc09bb82591a56abd5bf4ed1b194f581656ad1f75727b5c51a6ae50f08d7ea7588c36daa9e6b59

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n5yd3hmg.ocq.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 62623d22bd9e037191765d5083ce16a3
SHA1 4a07da6872672f715a4780513d95ed8ddeefd259
SHA256 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010
SHA512 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

C:\Users\Admin\AppData\Local\Temp\tmp6793.tmp.bat

MD5 2052f8eb3d55d5a3db3e3ff93149506e
SHA1 7b5b80e4b565e7dfb2b63fe9769d1895030834a0
SHA256 fda5b368fe922464fae79b3a1bb0b7183540d3a204b5ac44a6c4061dd739f222
SHA512 629bf082709a75d05357ab2c9b204c915bb2dd38e1ecaf76565c2a4b96427448d8133b9f6210f24c2b271c28216ec52278cf951ce9db54080f6a0525370a8a38

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-22 13:52

Reported

2024-04-22 14:03

Platform

win7-20240221-en

Max time kernel

10s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\stealer v2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\task.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A
File opened for modification C:\Windows\task.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2228 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\stealer v2.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\stealer v2.exe C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\stealer v2.exe C:\Windows\system32\cmd.exe
PID 1680 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe
PID 1680 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe
PID 1680 wrote to memory of 1328 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe
PID 1328 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1328 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1328 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1328 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1328 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1328 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\stealer v2.exe

"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"

C:\Windows\system32\cmd.exe

cmd /c "stealer.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe

stealer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\task.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'task.exe'

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8AD2.tmp.bat""

C:\Windows\system32\taskeng.exe

taskeng.exe {3DABA6DE-CCA5-409B-A169-248EF5BCFB21} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\task.exe

C:\Windows\task.exe

C:\Windows\system32\schtasks.exe

schtasks /run /TN Update

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe

MD5 bdb421db1041dff30935a0c368f0316e
SHA1 15786e4eb3057abaeab7c2ebbb0e758d9d4c2216
SHA256 ac14f5357b9e35f8e9fccd2727ae133f34acafbd442cdb6f438a6f7a70861ca2
SHA512 0280a8eeb333437c2122b8e47414565bd8492fee285071e612fc09bb82591a56abd5bf4ed1b194f581656ad1f75727b5c51a6ae50f08d7ea7588c36daa9e6b59

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 6223fefd955979117628648d2f0d0a2b
SHA1 53264fecf8f70be00690458ec9873a3c005b5585
SHA256 1aeb1b2e4151ce7febd0957877ce6c8f2c266291dd7d5da73797450afe64a42b
SHA512 22a2e89cbd2e2ded4575163deca0d7caf42eaf9d2a630e5190ba733ef5d1f231bb24bb1ed8b4e802cbcc0f8acc2d5fc1d34c46ce4d65ce2bb9a71862b2755aff

C:\Users\Admin\AppData\Local\Temp\tmp8AD2.tmp.bat

MD5 8896799bd3ef5c639b9ef11c05c38066
SHA1 8915d6ff3dc86f4fe90430672fef753a5cd7e8bb
SHA256 88628c0a389f61bb3f2f443a438abb7b87a054cac29502c5bf804047217632a9
SHA512 a1c8879ec7b7cd5250a031697922f3f06045e1fabc4a031b5a4ad2b33cf3280899f78442943366a7c851cd20ccb103aaf01840a9c2fbcc8d13110506eb8485a7

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-22 13:52

Reported

2024-04-22 14:03

Platform

win10-20240404-en

Max time kernel

9s

Max time network

10s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\stealer v2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\stealer v2.exe

"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c "stealer.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe

stealer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\task.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'task.exe'

C:\Windows\task.exe

C:\Windows\task.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp98F4.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /run /TN Update

C:\Windows\System32\svchost‌.exe

C:\Windows\System32\svchost‌.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe

MD5 bdb421db1041dff30935a0c368f0316e
SHA1 15786e4eb3057abaeab7c2ebbb0e758d9d4c2216
SHA256 ac14f5357b9e35f8e9fccd2727ae133f34acafbd442cdb6f438a6f7a70861ca2
SHA512 0280a8eeb333437c2122b8e47414565bd8492fee285071e612fc09bb82591a56abd5bf4ed1b194f581656ad1f75727b5c51a6ae50f08d7ea7588c36daa9e6b59

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_scvzjv01.bib.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3fdef356c45358700d996a282315e2c1
SHA1 e81500c4b19bed838dba325d2aff3e3c6971b78b
SHA256 32b66eab142777d5b59e3ed68da31c75d6dc0b1419f067e3bceadd2b92e5c175
SHA512 78d314cf590f9cad826ddab5c8a2a1531988a54e123f4100fbc6e1ddc0df127755524792c7fa9884dd4327e5193877d79e9de5f13ce09c73fe007e1afc2830d9

C:\Users\Admin\AppData\Local\Temp\tmp98F4.tmp.bat

MD5 1834d0a44346b455ed6e333a4220e60c
SHA1 6e01ab6464c31050a36ea84e781516cd33bd5330
SHA256 a677c8baeebea187f7168f9f0f4b3071af4cfd0260e9fe3a79195d59727584c2
SHA512 2249e505c48233997f7611f0471120abb0f6fc1b2935624a2fcf1805062b2ddeec2d5841c2bc21acf6fc3f05e714cc8683ae2004eef250d4d7e191af5f65f9ca

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-22 13:52

Reported

2024-04-22 13:53

Platform

win10v2004-20240412-en

Max time kernel

6s

Max time network

20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A
N/A N/A C:\Windows\task.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\stealer v2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\task.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A
File opened for modification C:\Windows\task.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\task.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3112 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\stealer v2.exe C:\Windows\SYSTEM32\cmd.exe
PID 3112 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\stealer v2.exe C:\Windows\SYSTEM32\cmd.exe
PID 2692 wrote to memory of 3760 N/A C:\Windows\SYSTEM32\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe
PID 2692 wrote to memory of 3760 N/A C:\Windows\SYSTEM32\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe
PID 3760 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3760 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\system32\cmd.exe
PID 3760 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe C:\Windows\system32\cmd.exe
PID 1036 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 1036 wrote to memory of 3164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\stealer v2.exe

"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c "stealer.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe

stealer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\task.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'task.exe'

C:\Windows\task.exe

C:\Windows\task.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp44AA.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\schtasks.exe

schtasks /run /TN Update

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 156.33.209.4.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe

MD5 bdb421db1041dff30935a0c368f0316e
SHA1 15786e4eb3057abaeab7c2ebbb0e758d9d4c2216
SHA256 ac14f5357b9e35f8e9fccd2727ae133f34acafbd442cdb6f438a6f7a70861ca2
SHA512 0280a8eeb333437c2122b8e47414565bd8492fee285071e612fc09bb82591a56abd5bf4ed1b194f581656ad1f75727b5c51a6ae50f08d7ea7588c36daa9e6b59

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gsytjlzl.aqa.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 59d97011e091004eaffb9816aa0b9abd
SHA1 1602a56b01dd4b7c577ca27d3117e4bcc1aa657b
SHA256 18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d
SHA512 d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

C:\Users\Admin\AppData\Local\Temp\tmp44AA.tmp.bat

MD5 0956de8e46817a9da34dfd011f1fc60e
SHA1 2913117332fcfa4a0984a62dbd639ed3f02d0653
SHA256 5a07325842c73924433cbf4e7bb413a367f4c4e71e02fab410d2c32402a67b33
SHA512 62c78ae9b39e2a1f3f5355eea0d3b7eeeb459159411f4e6644f85c0033b75be7a400342f1b754871c052a30affcebe8ff49e9b348d2742bc4d4c5ba8b4657d5e

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-22 13:52

Reported

2024-04-22 13:54

Platform

win11-20240412-en

Max time kernel

6s

Max time network

9s

Command Line

"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral

stealer umbral

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A
N/A N/A C:\Windows\task.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\stealer v2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\task.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A
File created C:\Windows\task.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\task.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\stealer v2.exe

"C:\Users\Admin\AppData\Local\Temp\stealer v2.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /c "stealer.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe

stealer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\task.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'task.exe'

C:\Windows\task.exe

C:\Windows\task.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp496D.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\stealer.exe

MD5 bdb421db1041dff30935a0c368f0316e
SHA1 15786e4eb3057abaeab7c2ebbb0e758d9d4c2216
SHA256 ac14f5357b9e35f8e9fccd2727ae133f34acafbd442cdb6f438a6f7a70861ca2
SHA512 0280a8eeb333437c2122b8e47414565bd8492fee285071e612fc09bb82591a56abd5bf4ed1b194f581656ad1f75727b5c51a6ae50f08d7ea7588c36daa9e6b59

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z1oubbp1.2kb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5032-19-0x000001E10B860000-0x000001E10B870000-memory.dmp

memory/5032-22-0x00007FFD50BB0000-0x00007FFD51672000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

memory/4484-32-0x00007FFD50BB0000-0x00007FFD51672000-memory.dmp

memory/4484-33-0x0000023DFF190000-0x0000023DFF1A0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e8eb51096d6f6781456fef7df731d97
SHA1 ec2aaf851a618fb43c3d040a13a71997c25bda43
SHA256 96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864
SHA512 0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

C:\Users\Admin\AppData\Local\Temp\tmp496D.tmp.bat

MD5 490408960280e2bb462e23aa5fa7124b
SHA1 8876a6bd76031a249a69deca4855482ae3c922bb
SHA256 53b82bb9788c0c6aa14f08d9fa0ab90624b61f070d62b57d0ec00d33383490d6
SHA512 27120414f90006f5df8d766bd9623b7ee369c60578c98f657c66984662c1131da695695d2bfaf9401ab6819e95268e51a73bedee1514d263e2ecb3f8ed153897