Malware Analysis Report

2024-10-10 10:05

Sample ID 240519-bhbzhsad72
Target 3969991942bb5b6130977411ae258ab8.bin
SHA256 a61ecbd90edbc5cc26ed5bc4ab6064ed7ae966cbf517674458d1823746df2bfd
Tags
dcrat umbral xworm execution infostealer rat spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

a61ecbd90edbc5cc26ed5bc4ab6064ed7ae966cbf517674458d1823746df2bfd

Threat Level: Known bad

The file 3969991942bb5b6130977411ae258ab8.bin was found to be: Known bad.

Malicious Activity Summary

dcrat umbral xworm execution infostealer rat spyware stealer trojan

Umbral

Detect Umbral payload

DcRat

Process spawned unexpected child process

Detect Xworm Payload

Xworm

DCRat payload

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Modifies registry class

Detects videocard installed

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Views/modifies file attributes

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-19 01:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-19 01:08

Reported

2024-05-19 01:10

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(identical row reported 51 times: one hit per schtasks.exe invocation spawned under WmiPrvSE.exe)

Umbral

stealer umbral

Xworm

trojan rat xworm

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Roaming\Umbral.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Nursultan (17).exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\perfdhcpSvc\Chainprovider.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\t.bat N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\wininit.exe C:\perfdhcpSvc\Chainprovider.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows NT\TableTextService\WaaSMedicAgent.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files\Windows NT\TableTextService\c82b8037eab33d C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\conhost.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\088424020bedd6 C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files\7-Zip\Lang\dllhost.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files\7-Zip\Lang\5940a34987c991 C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files (x86)\Windows Mail\csrss.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files (x86)\Windows Mail\886983d96e3d3e C:\perfdhcpSvc\Chainprovider.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(identical row reported 51 times: one hit per schtasks.exe invocation)

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\perfdhcpSvc\Chainprovider.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\t.bat N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Umbral.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Nursultan.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Nursultan.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\perfdhcpSvc\Chainprovider.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A
N/A N/A C:\Nurik\wininit.exe N/A
N/A N/A C:\Nurik\wininit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Umbral.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\perfdhcpSvc\Chainprovider.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1152 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
PID 1152 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\Nursultan (17).exe
PID 1152 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\t.bat
PID 1152 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\t.bat
PID 1152 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\t.bat
PID 1152 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\Umbral.exe
PID 1152 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\Umbral.exe
PID 4920 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\system32\schtasks.exe
PID 4920 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\system32\schtasks.exe
PID 4220 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Roaming\t.bat C:\Windows\SysWOW64\WScript.exe
PID 4220 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Roaming\t.bat C:\Windows\SysWOW64\WScript.exe
PID 4220 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Roaming\t.bat C:\Windows\SysWOW64\WScript.exe
PID 4920 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\SYSTEM32\attrib.exe
PID 4920 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\SYSTEM32\attrib.exe
PID 4920 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5088 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\Nursultan (17).exe C:\Users\Admin\AppData\Roaming\Nursultan.exe
PID 5088 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\Nursultan (17).exe C:\Users\Admin\AppData\Roaming\Nursultan.exe
PID 5088 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Roaming\Nursultan (17).exe C:\Users\Admin\AppData\Roaming\LoaderMas.exe
PID 5088 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Roaming\Nursultan (17).exe C:\Users\Admin\AppData\Roaming\LoaderMas.exe
PID 4920 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 3964 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4532 wrote to memory of 3964 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4532 wrote to memory of 3964 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3964 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\perfdhcpSvc\Chainprovider.exe
PID 3964 wrote to memory of 8 N/A C:\Windows\SysWOW64\cmd.exe C:\perfdhcpSvc\Chainprovider.exe
PID 4920 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\mousocoreworker.exe
PID 4920 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\mousocoreworker.exe
PID 1384 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 8 wrote to memory of 2192 N/A C:\perfdhcpSvc\Chainprovider.exe C:\Windows\System32\cmd.exe
PID 8 wrote to memory of 2192 N/A C:\perfdhcpSvc\Chainprovider.exe C:\Windows\System32\cmd.exe
PID 2192 wrote to memory of 3852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2192 wrote to memory of 3852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1384 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4920 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4920 wrote to memory of 368 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4920 wrote to memory of 368 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4920 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4920 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4920 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4920 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4920 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\SYSTEM32\cmd.exe
PID 4920 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\SYSTEM32\cmd.exe
PID 4220 wrote to memory of 4752 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 4220 wrote to memory of 4752 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 2192 wrote to memory of 3856 N/A C:\Windows\System32\cmd.exe C:\Nurik\wininit.exe
PID 2192 wrote to memory of 3856 N/A C:\Windows\System32\cmd.exe C:\Nurik\wininit.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe

"C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe"

C:\Users\Admin\AppData\Roaming\Nursultan (17).exe

"C:\Users\Admin\AppData\Roaming\Nursultan (17).exe"

C:\Users\Admin\AppData\Roaming\t.bat

"C:\Users\Admin\AppData\Roaming\t.bat"

C:\Users\Admin\AppData\Roaming\Umbral.exe

"C:\Users\Admin\AppData\Roaming\Umbral.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe"

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Roaming\Umbral.exe"

C:\Users\Admin\AppData\Roaming\Nursultan.exe

"C:\Users\Admin\AppData\Roaming\Nursultan.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Umbral.exe'

C:\Users\Admin\AppData\Roaming\LoaderMas.exe

"C:\Users\Admin\AppData\Roaming\LoaderMas.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\perfdhcpSvc\mStUjP0ksX5N.bat" "

C:\perfdhcpSvc\Chainprovider.exe

"C:\perfdhcpSvc\Chainprovider.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\perfdhcpSvc\TextInputHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\perfdhcpSvc\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\perfdhcpSvc\TextInputHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\WaaSMedicAgent.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\perfdhcpSvc\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\perfdhcpSvc\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\perfdhcpSvc\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\perfdhcpSvc\WaaSMedicAgent.exe'" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\perfdhcpSvc\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 7 /tr "'C:\perfdhcpSvc\WaaSMedicAgent.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\perfdhcpSvc\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\perfdhcpSvc\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\perfdhcpSvc\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Nurik\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Nurik\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Nurik\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Nurik\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Nurik\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Nurik\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Nurik\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Nurik\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Nurik\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 12 /tr "'C:\Nurik\unsecapp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Nurik\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Nurik\unsecapp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Nurik\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Nurik\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Nurik\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "UmbralU" /sc MINUTE /mo 13 /tr "'C:\Nurik\Umbral.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Umbral" /sc ONLOGON /tr "'C:\Nurik\Umbral.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "UmbralU" /sc MINUTE /mo 8 /tr "'C:\Nurik\Umbral.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 9 /tr "'C:\Nurik\backgroundTaskHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\Nurik\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 6 /tr "'C:\Nurik\backgroundTaskHost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Hv9JfciylV.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Roaming\Umbral.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Nurik\wininit.exe

"C:\Nurik\wininit.exe"

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-19 01:08

Reported

2024-05-19 01:11

Platform

win7-20240221-en

Max time kernel

147s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

Xworm

trojan rat xworm

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Nursultan (17).exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\pt-BR\sppsvc.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\System32\pt-BR\0a1fd5f707cd16 C:\perfdhcpSvc\Chainprovider.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\en-US\088424020bedd6 C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files\Common Files\winlogon.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files\Common Files\cc11b995f2a76d C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\ebf1f9fa8afd6d C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\Chainprovider.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\79ee6d3de8e076 C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Program Files\DVD Maker\en-US\conhost.exe C:\perfdhcpSvc\Chainprovider.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\en-US\8aadbff539e144 C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Help\Windows\it-IT\smss.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Branding\ShellBrd\101b941d020240 C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Help\Corporate\9fb6bed11c7a6f C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Performance\56085415360792 C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Panther\actionqueue\taskhost.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Globalization\Sorting\0a1fd5f707cd16 C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Help\Windows\it-IT\69ddcba757bf72 C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\es-ES\6cb0b6c459d5d3 C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Performance\wininit.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Panther\actionqueue\b75386f1303e64 C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\en-US\Nursultan.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Branding\ShellBrd\lsm.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Help\Corporate\LoaderMas.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\es-ES\dwm.exe C:\perfdhcpSvc\Chainprovider.exe N/A
File created C:\Windows\Globalization\Sorting\sppsvc.exe C:\perfdhcpSvc\Chainprovider.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Umbral.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A
Token: SeDebugPrivilege N/A C:\perfdhcpSvc\Chainprovider.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Performance\wininit.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 (SeIncreaseWorkingSetPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 (SeTimeZonePrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 (SeCreateSymbolicLinkPrivilege) N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1300 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Windows\system32\schtasks.exe
PID 1300 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Windows\system32\schtasks.exe
PID 1300 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Windows\system32\schtasks.exe
PID 1300 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\t.bat
PID 1300 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\t.bat
PID 1300 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\t.bat
PID 1300 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\t.bat
PID 1300 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\Umbral.exe
PID 1300 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\Umbral.exe
PID 1300 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe C:\Users\Admin\AppData\Roaming\Umbral.exe
PID 2212 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\t.bat C:\Windows\SysWOW64\WScript.exe
PID 2212 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\t.bat C:\Windows\SysWOW64\WScript.exe
PID 2212 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\t.bat C:\Windows\SysWOW64\WScript.exe
PID 2212 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\t.bat C:\Windows\SysWOW64\WScript.exe
PID 2116 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\Nursultan (17).exe C:\Users\Admin\AppData\Roaming\Nursultan.exe
PID 2116 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\Nursultan (17).exe C:\Users\Admin\AppData\Roaming\Nursultan.exe
PID 2116 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Roaming\Nursultan (17).exe C:\Users\Admin\AppData\Roaming\Nursultan.exe
PID 2116 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Nursultan (17).exe C:\Users\Admin\AppData\Roaming\LoaderMas.exe
PID 2116 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Nursultan (17).exe C:\Users\Admin\AppData\Roaming\LoaderMas.exe
PID 2116 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Nursultan (17).exe C:\Users\Admin\AppData\Roaming\LoaderMas.exe
PID 2496 wrote to memory of 520 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 520 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 520 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2496 wrote to memory of 520 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 520 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\perfdhcpSvc\Chainprovider.exe
PID 520 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\perfdhcpSvc\Chainprovider.exe
PID 520 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\perfdhcpSvc\Chainprovider.exe
PID 520 wrote to memory of 1512 N/A C:\Windows\SysWOW64\cmd.exe C:\perfdhcpSvc\Chainprovider.exe
PID 1512 wrote to memory of 1380 N/A C:\perfdhcpSvc\Chainprovider.exe C:\Windows\System32\cmd.exe
PID 1512 wrote to memory of 1380 N/A C:\perfdhcpSvc\Chainprovider.exe C:\Windows\System32\cmd.exe
PID 1512 wrote to memory of 1380 N/A C:\perfdhcpSvc\Chainprovider.exe C:\Windows\System32\cmd.exe
PID 1380 wrote to memory of 1472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1380 wrote to memory of 1472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1380 wrote to memory of 1472 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2412 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 848 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 848 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 848 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 940 N/A C:\Users\Admin\AppData\Roaming\LoaderMas.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1380 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\wininit.exe
PID 1380 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\wininit.exe
PID 1380 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\Performance\wininit.exe
PID 2548 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 2548 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 2548 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
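
The WriteProcessMemory rows above are the writes a parent makes into a freshly created child before it starts, so they double as the detonation's process tree. The following is an added example, not part of the report or of the sandbox's own tooling: it rebuilds that tree from the distinct rows copied from the table, drops the repeated edges (each spawn is logged three or four times), and handles the one inconsistency in the table: PID 2116 is named schtasks.exe where it is a target but Nursultan (17).exe where it is a parent. The code keeps the parent-side name and reports the conflict, on the assumption that the mismatch is the sandbox resolving a reused PID when it rendered the report, not the child actually being schtasks.exe.

```python
"""Rebuild the detonation's process tree from the "PID X wrote to memory of Y"
rows of the Suspicious use of WriteProcessMemory table above."""
import re
from collections import defaultdict

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Distinct (Description, Process, Target) rows copied from the table; the report
# lists each one three or four times, once per WriteProcessMemory call.
WPM_ROWS = [
    ("PID 1300 wrote to memory of 2116", DROPPER, r"C:\Windows\system32\schtasks.exe"),
    ("PID 1300 wrote to memory of 2212", DROPPER, r"C:\Users\Admin\AppData\Roaming\t.bat"),
    ("PID 1300 wrote to memory of 2548", DROPPER, r"C:\Users\Admin\AppData\Roaming\Umbral.exe"),
    ("PID 2212 wrote to memory of 2496", r"C:\Users\Admin\AppData\Roaming\t.bat", r"C:\Windows\SysWOW64\WScript.exe"),
    ("PID 2116 wrote to memory of 2392", r"C:\Users\Admin\AppData\Roaming\Nursultan (17).exe", r"C:\Users\Admin\AppData\Roaming\Nursultan.exe"),
    ("PID 2116 wrote to memory of 2412", r"C:\Users\Admin\AppData\Roaming\Nursultan (17).exe", r"C:\Users\Admin\AppData\Roaming\LoaderMas.exe"),
    ("PID 2496 wrote to memory of 520", r"C:\Windows\SysWOW64\WScript.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    ("PID 520 wrote to memory of 1512", r"C:\Windows\SysWOW64\cmd.exe", r"C:\perfdhcpSvc\Chainprovider.exe"),
    ("PID 1512 wrote to memory of 1380", r"C:\perfdhcpSvc\Chainprovider.exe", r"C:\Windows\System32\cmd.exe"),
    ("PID 1380 wrote to memory of 1472", r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\w32tm.exe"),
    ("PID 2412 wrote to memory of 2108", r"C:\Users\Admin\AppData\Roaming\LoaderMas.exe", POWERSHELL),
    ("PID 2412 wrote to memory of 2804", r"C:\Users\Admin\AppData\Roaming\LoaderMas.exe", POWERSHELL),
    ("PID 2412 wrote to memory of 848", r"C:\Users\Admin\AppData\Roaming\LoaderMas.exe", POWERSHELL),
    ("PID 2412 wrote to memory of 940", r"C:\Users\Admin\AppData\Roaming\LoaderMas.exe", POWERSHELL),
    ("PID 1380 wrote to memory of 2696", r"C:\Windows\System32\cmd.exe", r"C:\Windows\Performance\wininit.exe"),
    ("PID 2548 wrote to memory of 2028", r"C:\Users\Admin\AppData\Roaming\Umbral.exe", r"C:\Windows\System32\Wbem\wmic.exe"),
]

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(rows):
    """Return (children, names, conflicts): parent PID -> child PIDs in report order,
    PID -> image path, and PIDs the report names differently as target and as parent."""
    children = defaultdict(list)
    as_parent, as_target = {}, {}
    for desc, proc, target in rows:
        m = ROW_RE.fullmatch(desc)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        if dst not in children[src]:          # drop the repeated rows
            children[src].append(dst)
        as_parent[src] = proc
        as_target[dst] = target
    # Assumption: a PID that later spawns children is the process that really ran
    # under that PID; a different name on the target side is the sandbox resolving
    # a reused PID when it rendered the report.  Prefer the parent-side name.
    names = {**as_target, **as_parent}
    conflicts = sorted(p for p in as_parent if p in as_target and as_target[p] != as_parent[p])
    return children, names, conflicts


def roots(children):
    spawned = {c for kids in children.values() for c in kids}
    return sorted(p for p in children if p not in spawned)


def render(children, names, pid, depth=0, out=None):
    """Indented one-line-per-process view of the subtree under pid."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {basename(names.get(pid, '?'))}")
    for child in children.get(pid, []):
        render(children, names, child, depth + 1, out)
    return out


def depth_of(children, pid):
    kids = children.get(pid, [])
    return 0 if not kids else 1 + max(depth_of(children, k) for k in kids)


if __name__ == "__main__":
    kids, names, conflicts = build_tree(WPM_ROWS)
    for root in roots(kids):
        print("\n".join(render(kids, names, root)))
    print("PIDs named inconsistently (likely PID reuse):", conflicts)
```

Run stand-alone it prints a single tree rooted at the dropper (PID 1300) with three branches: the Nursultan loader that starts LoaderMas.exe and its four PowerShell children, the t.bat / WScript / cmd chain that ends in Chainprovider.exe spawning the renamed wininit.exe, and Umbral.exe calling wmic. The same parsing works on any sandbox report that uses this row format; on a live host the equivalent data is the ParentProcessId field of Sysmon event 1.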

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe

"C:\Users\Admin\AppData\Local\Temp\aec009724ba208376f91cbfafd60db1e965f9016f17f14bfb3b074dde1f6ae28.exe"

C:\Users\Admin\AppData\Roaming\Nursultan (17).exe

"C:\Users\Admin\AppData\Roaming\Nursultan (17).exe"

C:\Users\Admin\AppData\Roaming\t.bat

"C:\Users\Admin\AppData\Roaming\t.bat"

C:\Users\Admin\AppData\Roaming\Umbral.exe

"C:\Users\Admin\AppData\Roaming\Umbral.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe"

C:\Users\Admin\AppData\Roaming\Nursultan.exe

"C:\Users\Admin\AppData\Roaming\Nursultan.exe"

C:\Users\Admin\AppData\Roaming\LoaderMas.exe

"C:\Users\Admin\AppData\Roaming\LoaderMas.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\perfdhcpSvc\mStUjP0ksX5N.bat" "

C:\perfdhcpSvc\Chainprovider.exe

"C:\perfdhcpSvc\Chainprovider.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "LoaderMas" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\ShellBrd\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\perfdhcpSvc\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\perfdhcpSvc\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\perfdhcpSvc\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\Chainprovider.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Chainprovider" /sc ONLOGON /tr "'C:\Users\Default User\Chainprovider.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\Chainprovider.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Corporate\LoaderMas.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "LoaderMas" /sc ONLOGON /tr "'C:\Windows\Help\Corporate\LoaderMas.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\Corporate\LoaderMas.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\en-US\Chainprovider.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Chainprovider" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\Chainprovider.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\en-US\Chainprovider.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Performance\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Panther\actionqueue\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Panther\actionqueue\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\actionqueue\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\Sorting\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\Sorting\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 5 /tr "'C:\Nurik\Chainprovider.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Chainprovider" /sc ONLOGON /tr "'C:\Nurik\Chainprovider.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ChainproviderC" /sc MINUTE /mo 12 /tr "'C:\Nurik\Chainprovider.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\en-US\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\en-US\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Nurik\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Nurik\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Nurik\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\Nursultan.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Nursultan" /sc ONLOGON /tr "'C:\Windows\en-US\Nursultan.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "NursultanN" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\Nursultan.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Windows\it-IT\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Help\Windows\it-IT\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Help\Windows\it-IT\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\pt-BR\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\pt-BR\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\pt-BR\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XMHatfN2ms.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'

C:\Windows\Performance\wininit.exe

"C:\Windows\Performance\wininit.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid
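
The Processes list shows the dropper's persistence in full: for every copy it plants it registers three tasks, one ONLOGON task at /rl HIGHEST plus two short-interval MINUTE tasks whose names are the base name with a letter appended, and the copies borrow names of core Windows binaries (wininit, lsm, dwm, smss, sppsvc, taskhost, winlogon, audiodg, conhost) in directories where those binaries never live. LoaderMas.exe then uses PowerShell to add itself and XClient.exe to the Defender exclusion lists. The following added example (the editor's, not the sandbox's signature logic) parses those command lines and flags the pattern. Its input is nine of the 57 schtasks lines and the four PowerShell lines copied from the list above, plus one constructed benign daily task as a control. The four rules, a system-binary name outside System32/SysWOW64, a MINUTE trigger of 15 minutes or less, ONLOGON with /rl HIGHEST, and the per-binary MINUTE/MINUTE/ONLOGON grouping, and the 15-minute cutoff are assumptions of this example; note that the directory check compares the immediate parent directory rather than a prefix, because C:\Windows\System32\pt-BR is not System32.

```python
"""Flag dropper persistence and Defender tampering in the Processes list above."""
import re
from collections import defaultdict

# Command lines copied from the Processes list: nine of the 57 schtasks invocations
# (three binaries, three tasks each) and the four PowerShell invocations.
CMDLINES = r'''
schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /f
schtasks.exe /create /tn "LoaderMas" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "LoaderMasL" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\LoaderMas.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Windows\Performance\wininit.exe'" /f
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Performance\wininit.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\wininit.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\pt-BR\sppsvc.exe'" /f
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\pt-BR\sppsvc.exe'" /rl HIGHEST /f
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\pt-BR\sppsvc.exe'" /rl HIGHEST /f
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\LoaderMas.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LoaderMas.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
'''.strip().splitlines()

# Constructed benign task (not from the report), used as a control.
BENIGN_CONTROL = r'schtasks.exe /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe" /f'

# Core-process names the dropper borrows in this report, plus the usual suspects.
SYSTEM_NAMES = {"wininit", "winlogon", "lsm", "smss", "dwm", "sppsvc", "taskhost", "audiodg",
                "conhost", "cmd", "system", "csrss", "services", "lsass", "svchost"}
# The only directories those names legitimately run from (compared to the immediate parent).
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}

TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
SC = re.compile(r"/sc\s+(\w+)", re.I)
MO = re.compile(r"/mo\s+(\d+)", re.I)
TR = re.compile(r"""/tr\s+"?'?([^'"]+)'?"?""", re.I)
RL = re.compile(r"/rl\s+(\w+)", re.I)
DEFENDER = re.compile(r"Add-MpPreference\s+-(Exclusion\w+)\s+'([^']+)'", re.I)


def _opt(rx, cmd, default=None):
    m = rx.search(cmd)
    return m.group(1) if m else default


def parse_schtasks(cmd):
    """Parse a `schtasks /create` command line into its persistence-relevant fields."""
    if not re.search(r"schtasks(?:\.exe)?\s+/create", cmd, re.I):
        return None
    return {"name": _opt(TN, cmd), "sched": _opt(SC, cmd, "").upper(),
            "mo": int(_opt(MO, cmd, "0")), "path": _opt(TR, cmd),
            "rl": _opt(RL, cmd, "LIMITED").upper()}   # LIMITED is the schtasks default


def score_task(t):
    """Reasons a parsed task looks like dropper persistence (empty list = nothing odd)."""
    reasons = []
    path = (t["path"] or "").lower()
    parent, _, file = path.rpartition("\\")
    stem = file.rsplit(".", 1)[0]
    if stem in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
        reasons.append(f"system-binary name {file} outside System32/SysWOW64 ({parent})")
    if t["sched"] == "MINUTE" and 0 < t["mo"] <= 15:          # 15-minute cutoff is arbitrary
        reasons.append(f"re-launched every {t['mo']} minutes")
    if t["sched"] == "ONLOGON" and t["rl"] == "HIGHEST":
        reasons.append("ONLOGON trigger with /rl HIGHEST")
    return reasons


def find_triplets(tasks):
    """Group by target path: one ONLOGON plus MINUTE tasks for the same binary."""
    by_path = defaultdict(list)
    for t in tasks:
        by_path[t["path"]].append(t)
    return {p: ts for p, ts in by_path.items()
            if len(ts) >= 3 and {t["sched"] for t in ts} == {"MINUTE", "ONLOGON"}}


def parse_defender_exclusion(cmd):
    m = DEFENDER.search(cmd)
    return (m.group(1), m.group(2)) if m else None


def analyze(cmdlines):
    tasks = [t for t in map(parse_schtasks, cmdlines) if t]
    flagged = []
    for t in tasks:
        why = score_task(t)
        if why:
            flagged.append((t["name"], t["path"], why))
    exclusions = [e for e in map(parse_defender_exclusion, cmdlines) if e]
    return {"tasks": tasks, "flagged": flagged, "triplets": find_triplets(tasks),
            "exclusions": exclusions}


if __name__ == "__main__":
    r = analyze(CMDLINES + [BENIGN_CONTROL])
    for name, path, why in r["flagged"]:
        print(f"[task] {name}: {path}\n       " + "; ".join(why))
    for kind, value in r["exclusions"]:
        print(f"[defender] {kind} -> {value}")
    print(f"{len(r['triplets'])} binaries carry the MINUTE/MINUTE/ONLOGON triplet")
```

All nine dropper tasks are flagged and the constructed control is not; the three target binaries each come out as a triplet, and the four Add-MpPreference calls are listed as the exclusion tampering they are. The same functions apply unchanged to the command-line field of Security event 4698 (scheduled task created) or Sysmon event 1 on a real host.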

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 a0948305.xsph.ru udp
RU 141.8.192.103:80 a0948305.xsph.ru tcp
N/A 127.0.0.1:30683 tcp
N/A 127.0.0.1:30683 tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
N/A 127.0.0.1:30683 tcp
N/A 127.0.0.1:30683 tcp
N/A 127.0.0.1:30683 tcp
N/A 127.0.0.1:30683 tcp

Files

memory/1300-0-0x000007FEF5313000-0x000007FEF5314000-memory.dmp

memory/1300-1-0x0000000000100000-0x00000000014D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Nursultan (17).exe

MD5 ed965403e795c3b563d67c734472ad93
SHA1 6b8b929239d5ef8f1f546c591c67acaf560de4dc
SHA256 6b7473e7177ef0666f6afe36b257d0730dababefc209ee1c5f2da319dbe1633d
SHA512 bd860103c5ac1bcc02bfefc669616a1b0103dfb3c611b0e4499cf4b1fc67d49c9cd57c1839936b75e0f0008aec0f84cb0af712feb334957972661405a137f649

C:\Users\Admin\AppData\Roaming\t.bat

MD5 d85bd59cf0808fb894f60773e1594a0a
SHA1 84b9d205f3ae6ca4f8f1bb938ee8b4d452444cde
SHA256 f3ef597673421e514d7fed82b40d65386c3811c4a8f5553afd59fc632bca8746
SHA512 225788e3e98449f53e6206c585315a37c9ff6ed0b5425b2a98e50c7ac45ab3c187ccf7626f126ba300bd8dbdf89c864e89f85d6264edc89281745b081ec58f97

memory/2548-17-0x0000000000240000-0x0000000000280000-memory.dmp

C:\Users\Admin\AppData\Roaming\Umbral.exe

MD5 f48ef033300ec9fd3c77afff5c20e95f
SHA1 22d6125b980474b3f54937003a765cdd5352f9a8
SHA256 72ee11a905ca278130f02397422b4cc4944851065ce0072f9888b70c5ad40f1e
SHA512 847ee8cdb14879089c861168d6be90325304df490668a38447b37772423e6dab5e32a5df344ceb58410d3b24cf25cd7221e8768951e5aca14820996a1e8304bc

memory/2116-19-0x0000000000210000-0x000000000144A000-memory.dmp

C:\perfdhcpSvc\LUps3wjkA6jhdk7xRy8J55z2u.vbe

MD5 00b53f3e200522631227cac1a07e0646
SHA1 a0c69d58c7ca10f5fd5e1320b1b2f92081d7fcfe
SHA256 486c050aadc42906113b0c5c8485dff36b0187f343a732542608a91b0565146c
SHA512 22241ae8a31c7e564c9fb652947e4fe17f80c6e94dfe1a3bb5890f6eb97797ee32ccfff5d647eef02bda31bd47c5d95521cd0c6349a01e501e6e064ea6306243

memory/2116-28-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

C:\Users\Admin\AppData\Roaming\LoaderMas.exe

MD5 a0dbdf3af38ead2237ccb781a098a431
SHA1 1434296af6c5530eb036718e860490e0adc3321a
SHA256 6f483da6b36646bf6f33db0c210bd3683ff29428a44d916a2f26a4240c1a9901
SHA512 dd7dc91a2e09b0c3906efbb486fb84d0289dc61338afd75d203f1ab2f49556c9523a8a9abc913363a45dde8194f5b2ee9d3d659807250047331944c39006edc3

memory/2412-39-0x0000000001270000-0x0000000001286000-memory.dmp

C:\Users\Admin\AppData\Roaming\Nursultan.exe

MD5 e504e3fc36fe4d6f182c98923979a779
SHA1 3ba9f1a9a15b79639a20cfcf79c9de31d15a17a6
SHA256 70b7b95bb952b3325476867307fc5bd4df5769b97bbcdd8b60e7b46e1b38e4a0
SHA512 63bbbc3ccf14b2846df64b8edae52b6431df52aa9e03569a28ca239ab02db94bf79ca8a0a30529e35a04ee5845768d752b99e6ce3830ab440c57850180ad1647

memory/2116-40-0x000007FEF5310000-0x000007FEF5CFC000-memory.dmp

C:\perfdhcpSvc\mStUjP0ksX5N.bat

MD5 a9330c6da12d90d5d956ae2bbcf017d7
SHA1 7ebaa14eed80db6d9f0c0c0f1ecab1a9c3f61410
SHA256 b49853470383dce14680f656aca7ea449b1d6aabb3f18d4165ebd7e3e7545393
SHA512 557c91cc1cc0d7309f50e286644a2da543c0283d4a1659f7d31554282ddc48b5f972d98d5a01433078fdbe6cc813bb6f7c120e2307fae48c5d81be44ae823228

memory/1512-47-0x0000000001390000-0x0000000001466000-memory.dmp

C:\perfdhcpSvc\Chainprovider.exe

MD5 d2ec227ddac047e735393e58e742fd44
SHA1 7aae5c76378f7cfcff8bb983695fa4c2577a20e2
SHA256 0e679527f2df9f87d33c82023256fac276c36006579d2d71877ccab4be847cce
SHA512 5a11b292a574bd2ca6c225af1e4c9f95004a49ce816cc59a73d4ab6e2a0b007a58ab56e5e0c004901c3ebe4ec06054e6e801f8e659711856857add6d43f38979

memory/2392-56-0x0000000076FA0000-0x0000000076FA2000-memory.dmp

memory/2392-54-0x0000000076FA0000-0x0000000076FA2000-memory.dmp

memory/2392-52-0x0000000076FA0000-0x0000000076FA2000-memory.dmp

memory/2392-58-0x0000000140000000-0x0000000142153000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XMHatfN2ms.bat

MD5 eecbfbd86abc36a779d1bddf6b1d7d6b
SHA1 3692b9863b3336b9f07f6c29c8a3fb27083706bd
SHA256 8fcc2d6ef2c2ee719faed94726a9024a6f959c6de8e0203f21fd4d433d8dfe7f
SHA512 f1763e3a01023daca1389addbc484567bb9dadf9e22bc35e8aa87d53ebb5c542aa9adeae5e059b59f116bb0ff870af971c1279cb3ffcb79c86099790e16d100e

memory/2108-104-0x000000001B180000-0x000000001B462000-memory.dmp

memory/2108-105-0x0000000002620000-0x0000000002628000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7ef30f465b541b6ebc742d7e21acec95
SHA1 5f9b92013d48270c52e8a026fe0722ed1b92db98
SHA256 b8e72811635068281559ef3cf58e68551a275fc09d8de0dd6021f8dc949e3d2b
SHA512 13efb453c7c6f988d3feb6b0188a136218e773a04a1ebf07ed9f5877b02ec62efdb7b6be8be40800fcec01c570016fd67cac7d5b5a9cc5f321a7102175066028

memory/2804-111-0x000000001B110000-0x000000001B3F2000-memory.dmp

memory/2804-112-0x0000000002060000-0x0000000002068000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/848-119-0x000000001B290000-0x000000001B572000-memory.dmp

memory/2696-127-0x0000000000040000-0x0000000000116000-memory.dmp