dcrat | 06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
Size

46.0MB
MD5

2bdf60ce1391ccc1a829a41c8b531dd5
SHA1

8fecb37b06dd016f820cbc55c1446aa34666bf12
SHA256

06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1
SHA512

0091fc481589bb93b2c4352b600220691cd7f0e0ae7979d6cdf4c529db97613d40cf693b01e3b119bc69a3414ba3f700561ee2364474f48a80f2c9763f357359
SSDEEP

24576:f5r3oaR/k4XDG/BcoNWmt2G/nvxW3Ww0tXegr2pdxgLHw8dQefBkrzCL7:dmtbA30XeY6o/QAU+L

Score

10^/10

dcrat umbral execution infostealer rat spyware stealer

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1253005353222668289/_twANrdJlJok9NDlMWHxe2qUewe11QbdTTPK9sqVpjZ9uRjyV2p28YwCPVaWlpRMyL50

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/files/0x003700000001448b-12.dat	family_umbral
behavioral1/memory/2084-22-0x0000000000400000-0x0000000000562000-memory.dmp	family_umbral
behavioral1/memory/2612-23-0x00000000011C0000-0x0000000001200000-memory.dmp	family_umbral

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2944	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2944	schtasks.exe	34

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000145d4-18.dat	dcrat
behavioral1/memory/2084-22-0x0000000000400000-0x0000000000562000-memory.dmp	dcrat
behavioral1/files/0x000700000001475f-61.dat	dcrat
behavioral1/memory/1456-64-0x00000000011A0000-0x0000000001276000-memory.dmp	dcrat
behavioral1/memory/2464-121-0x0000000000BC0000-0x0000000000C96000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1368	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 5 IoCs

pid	Process
2032	X8Checker 2.6.exe
2612	Umbral.exe
2860	8XChecker.exe
1456	bridgefont.exe
2464	Umbral.exe

Loads dropped DLL 6 IoCs

pid	Process
2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
2820	cmd.exe
2820	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\6feec19d54a440	bridgefont.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\cmd.exe	bridgefont.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	bridgefont.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\c5b4cb5e9653cc	bridgefont.exe
File created	C:\Program Files\Windows Sidebar\csrss.exe	bridgefont.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Umbral.exe	bridgefont.exe
File created	C:\Program Files (x86)\Windows Portable Devices\56085415360792	bridgefont.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe	bridgefont.exe
File created	C:\Program Files\Windows Sidebar\886983d96e3d3e	bridgefont.exe
File created	C:\Program Files (x86)\Google\CrashReports\winlogon.exe	bridgefont.exe
File created	C:\Program Files (x86)\Google\CrashReports\cc11b995f2a76d	bridgefont.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\ebf1f9fa8afd6d	bridgefont.exe
File created	C:\Program Files (x86)\Windows Portable Devices\wininit.exe	bridgefont.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\c5b4cb5e9653cc	bridgefont.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\conhost.exe	bridgefont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3028	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1312	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2452	schtasks.exe
2300	schtasks.exe
2984	schtasks.exe
2384	schtasks.exe
484	schtasks.exe
596	schtasks.exe
1760	schtasks.exe
2116	schtasks.exe
1912	schtasks.exe
2576	schtasks.exe
2408	schtasks.exe
1552	schtasks.exe
2880	schtasks.exe
908	schtasks.exe
2328	schtasks.exe
1564	schtasks.exe
1560	schtasks.exe
1584	schtasks.exe
2152	schtasks.exe
2796	schtasks.exe
264	schtasks.exe
2680	schtasks.exe
2836	schtasks.exe
2892	schtasks.exe
1972	schtasks.exe
2084	schtasks.exe
2780	schtasks.exe
2212	schtasks.exe
2216	schtasks.exe
872	schtasks.exe
1748	schtasks.exe
2732	schtasks.exe
948	schtasks.exe
2020	schtasks.exe
1980	schtasks.exe
2824	schtasks.exe
1728	schtasks.exe
3052	schtasks.exe
2668	schtasks.exe
1680	schtasks.exe
1256	schtasks.exe
2292	schtasks.exe
2628	schtasks.exe
1428	schtasks.exe
2124	schtasks.exe
2868	schtasks.exe
1568	schtasks.exe
1796	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2612	Umbral.exe
1368	powershell.exe
2584	powershell.exe
2404	powershell.exe
1456	bridgefont.exe
2952	powershell.exe
1472	powershell.exe
2464	Umbral.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2612	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2984	wmic.exe
Token: SeSecurityPrivilege	2984	wmic.exe
Token: SeTakeOwnershipPrivilege	2984	wmic.exe
Token: SeLoadDriverPrivilege	2984	wmic.exe
Token: SeSystemProfilePrivilege	2984	wmic.exe
Token: SeSystemtimePrivilege	2984	wmic.exe
Token: SeProfSingleProcessPrivilege	2984	wmic.exe
Token: SeIncBasePriorityPrivilege	2984	wmic.exe
Token: SeCreatePagefilePrivilege	2984	wmic.exe
Token: SeBackupPrivilege	2984	wmic.exe
Token: SeRestorePrivilege	2984	wmic.exe
Token: SeShutdownPrivilege	2984	wmic.exe
Token: SeDebugPrivilege	2984	wmic.exe
Token: SeSystemEnvironmentPrivilege	2984	wmic.exe
Token: SeRemoteShutdownPrivilege	2984	wmic.exe
Token: SeUndockPrivilege	2984	wmic.exe
Token: SeManageVolumePrivilege	2984	wmic.exe
Token: 33	2984	wmic.exe
Token: 34	2984	wmic.exe
Token: 35	2984	wmic.exe
Token: SeIncreaseQuotaPrivilege	2984	wmic.exe
Token: SeSecurityPrivilege	2984	wmic.exe
Token: SeTakeOwnershipPrivilege	2984	wmic.exe
Token: SeLoadDriverPrivilege	2984	wmic.exe
Token: SeSystemProfilePrivilege	2984	wmic.exe
Token: SeSystemtimePrivilege	2984	wmic.exe
Token: SeProfSingleProcessPrivilege	2984	wmic.exe
Token: SeIncBasePriorityPrivilege	2984	wmic.exe
Token: SeCreatePagefilePrivilege	2984	wmic.exe
Token: SeBackupPrivilege	2984	wmic.exe
Token: SeRestorePrivilege	2984	wmic.exe
Token: SeShutdownPrivilege	2984	wmic.exe
Token: SeDebugPrivilege	2984	wmic.exe
Token: SeSystemEnvironmentPrivilege	2984	wmic.exe
Token: SeRemoteShutdownPrivilege	2984	wmic.exe
Token: SeUndockPrivilege	2984	wmic.exe
Token: SeManageVolumePrivilege	2984	wmic.exe
Token: 33	2984	wmic.exe
Token: 34	2984	wmic.exe
Token: 35	2984	wmic.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	1456	bridgefont.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeIncreaseQuotaPrivilege	2176	wmic.exe
Token: SeSecurityPrivilege	2176	wmic.exe
Token: SeTakeOwnershipPrivilege	2176	wmic.exe
Token: SeLoadDriverPrivilege	2176	wmic.exe
Token: SeSystemProfilePrivilege	2176	wmic.exe
Token: SeSystemtimePrivilege	2176	wmic.exe
Token: SeProfSingleProcessPrivilege	2176	wmic.exe
Token: SeIncBasePriorityPrivilege	2176	wmic.exe
Token: SeCreatePagefilePrivilege	2176	wmic.exe
Token: SeBackupPrivilege	2176	wmic.exe
Token: SeRestorePrivilege	2176	wmic.exe
Token: SeShutdownPrivilege	2176	wmic.exe
Token: SeDebugPrivilege	2176	wmic.exe
Token: SeSystemEnvironmentPrivilege	2176	wmic.exe
Token: SeRemoteShutdownPrivilege	2176	wmic.exe
Token: SeUndockPrivilege	2176	wmic.exe
Token: SeManageVolumePrivilege	2176	wmic.exe
Token: 33	2176	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2032	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	28
PID 2084 wrote to memory of 2032	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	28
PID 2084 wrote to memory of 2032	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	28
PID 2084 wrote to memory of 2032	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	28
PID 2084 wrote to memory of 2612	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	29
PID 2084 wrote to memory of 2612	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	29
PID 2084 wrote to memory of 2612	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	29
PID 2084 wrote to memory of 2612	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	29
PID 2084 wrote to memory of 2860	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	30
PID 2084 wrote to memory of 2860	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	30
PID 2084 wrote to memory of 2860	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	30
PID 2084 wrote to memory of 2860	2084	06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe	30
PID 2860 wrote to memory of 2644	2860	8XChecker.exe	31
PID 2860 wrote to memory of 2644	2860	8XChecker.exe	31
PID 2860 wrote to memory of 2644	2860	8XChecker.exe	31
PID 2860 wrote to memory of 2644	2860	8XChecker.exe	31
PID 2612 wrote to memory of 2984	2612	Umbral.exe	32
PID 2612 wrote to memory of 2984	2612	Umbral.exe	32
PID 2612 wrote to memory of 2984	2612	Umbral.exe	32
PID 2612 wrote to memory of 1596	2612	Umbral.exe	35
PID 2612 wrote to memory of 1596	2612	Umbral.exe	35
PID 2612 wrote to memory of 1596	2612	Umbral.exe	35
PID 2612 wrote to memory of 1368	2612	Umbral.exe	37
PID 2612 wrote to memory of 1368	2612	Umbral.exe	37
PID 2612 wrote to memory of 1368	2612	Umbral.exe	37
PID 2612 wrote to memory of 2584	2612	Umbral.exe	39
PID 2612 wrote to memory of 2584	2612	Umbral.exe	39
PID 2612 wrote to memory of 2584	2612	Umbral.exe	39
PID 2612 wrote to memory of 2404	2612	Umbral.exe	41
PID 2612 wrote to memory of 2404	2612	Umbral.exe	41
PID 2612 wrote to memory of 2404	2612	Umbral.exe	41
PID 2644 wrote to memory of 2820	2644	WScript.exe	43
PID 2644 wrote to memory of 2820	2644	WScript.exe	43
PID 2644 wrote to memory of 2820	2644	WScript.exe	43
PID 2644 wrote to memory of 2820	2644	WScript.exe	43
PID 2820 wrote to memory of 1456	2820	cmd.exe	45
PID 2820 wrote to memory of 1456	2820	cmd.exe	45
PID 2820 wrote to memory of 1456	2820	cmd.exe	45
PID 2820 wrote to memory of 1456	2820	cmd.exe	45
PID 2612 wrote to memory of 2952	2612	Umbral.exe	46
PID 2612 wrote to memory of 2952	2612	Umbral.exe	46
PID 2612 wrote to memory of 2952	2612	Umbral.exe	46
PID 2612 wrote to memory of 2176	2612	Umbral.exe	66
PID 2612 wrote to memory of 2176	2612	Umbral.exe	66
PID 2612 wrote to memory of 2176	2612	Umbral.exe	66
PID 2612 wrote to memory of 1528	2612	Umbral.exe	74
PID 2612 wrote to memory of 1528	2612	Umbral.exe	74
PID 2612 wrote to memory of 1528	2612	Umbral.exe	74
PID 2612 wrote to memory of 2848	2612	Umbral.exe	81
PID 2612 wrote to memory of 2848	2612	Umbral.exe	81
PID 2612 wrote to memory of 2848	2612	Umbral.exe	81
PID 2612 wrote to memory of 1472	2612	Umbral.exe	88
PID 2612 wrote to memory of 1472	2612	Umbral.exe	88
PID 2612 wrote to memory of 1472	2612	Umbral.exe	88
PID 1456 wrote to memory of 2464	1456	bridgefont.exe	104
PID 1456 wrote to memory of 2464	1456	bridgefont.exe	104
PID 1456 wrote to memory of 2464	1456	bridgefont.exe	104
PID 2612 wrote to memory of 3028	2612	Umbral.exe	105
PID 2612 wrote to memory of 3028	2612	Umbral.exe	105
PID 2612 wrote to memory of 3028	2612	Umbral.exe	105
PID 2612 wrote to memory of 1468	2612	Umbral.exe	107
PID 2612 wrote to memory of 1468	2612	Umbral.exe	107
PID 2612 wrote to memory of 1468	2612	Umbral.exe	107
PID 1468 wrote to memory of 1312	1468	cmd.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
"C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
  "C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe"
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:1596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2404
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2176
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1528
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1472
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3028
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:1312
- C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
  "C:\Users\Admin\AppData\Local\Temp\8XChecker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Reviewwinbrokernet\bridgefont.exe
        
        "C:\Reviewwinbrokernet\bridgefont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Umbral.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Umbral.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UmbralU" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Umbral.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Umbral" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Umbral.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "UmbralU" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Umbral.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe

Filesize
224B

MD5
d0546d4e82d204a215d2202b8122bebf

SHA1
b4b1c33b5104d1d003670c341908a01cc0a4a09b

SHA256
6f1ff6622e86a07eeb4c514424e78f7a9272ba7922de6dcf1df7810f40ab6756

SHA512
91d46ca23a26764f516ae273ae54cf689f303e772e954696e7e0ee7794b9b664be0aa2f432f34822b23657fb2c8bc489650f5b4d36e9b8de3d96a6ab864b9925

Download Submit
C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat

Filesize
38B

MD5
5ca65390126e266243ff3881f9cfb3f2

SHA1
228f50250b0cff6894fcc595c1dc1cbcdfd1b4b6

SHA256
ce08fb9623e455e0fd404378ec059c61cbf2c9de162f49c6cf59d244e0cdca54

SHA512
4f211680121ea9ce99c9dfa78de84b2d149902a94eda40d88e7e3cc0c2ba1910be157a84cadc4cc6bf36fbcc20f050f0766a30e9bc1481c93a2c45e6b7b7c47b

Download Submit
C:\Reviewwinbrokernet\bridgefont.exe

Filesize
828KB

MD5
b5c2e9124dfa9d37f7b2032b94127a37

SHA1
3f162c1dff58ff017d4a95540a220b7355765eb6

SHA256
15f729a2209101f7c6ecdaea74121dff0aec9fc1cb6bf3c6a30094af95bc5876

SHA512
edfbf86105464cc2cd214ec7da355f120d1913179855270d0a286bab67bc6c354151dc209a1f1e25ad777b523250ed2f1307e4c5e61434038a488f875c921b46

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ca7ae9e4931b7d571cf3478070da8775

SHA1
312c39f3b4961c6650945aadb85581c44589be86

SHA256
bcc4dee52c502a8033f905e407a56158a0e09ffa459beb5bca2a13ddebd78942

SHA512
1ec26c9bd0ef93026b9cf807ddb2dcefca5fd6bd9961078b506eb31ecc007d58daaa53bf8fdde0de520bd98f97c08456c11c117f1ba15c5c02abc9e5883f9133

Download Submit
\Users\Admin\AppData\Local\Temp\8XChecker.exe

Filesize
1.1MB

MD5
562a032b64898a5f86890120f1a6872b

SHA1
2a96ddcf1fc64ec4ab23597cbfce61bed40dd27a

SHA256
bb99ec3195fb0a972271667234885e97ff017df9cc64e605f2d5aafb469bd2a3

SHA512
871fe5fa1da1df87e909e1f9b1276e9d6a1dcaa0e5da7ed5d2df338f12c1b3ac02442ebd65138cbf7a0eb4b6e9237e806fe844f6dd15e352669fdc50cfa8960b

Download Submit
\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
ec2aed743841885a579338921df5073b

SHA1
8167b69da03e79cc4d013f2b1e2c972a9fa15296

SHA256
f3742ed689ca175bd615de562301102cd1bb72f65b3af8660883d5ea31bada2b

SHA512
aa4430171bd657439957cd5f3da3babf43725fce801c46377d003cd2f019bbb145eaef5de84e87f8bbf81a679733923ae3c5ff54f55e31cb575e13a4073ccc7c

Download Submit
\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

Filesize
9KB

MD5
26abb9e459e5976f658ce80d6433f1b1

SHA1
3c8f02c1cf7b8ae82be3deea4b360497f6fee1c3

SHA256
60cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12

SHA512
c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8

Download Submit
memory/1368-38-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/1368-37-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1456-64-0x00000000011A0000-0x0000000001276000-memory.dmp

Filesize
856KB

Download
memory/1472-109-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1472-110-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2032-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2084-22-0x0000000000400000-0x0000000000562000-memory.dmp

Filesize
1.4MB

Download
memory/2464-121-0x0000000000BC0000-0x0000000000C96000-memory.dmp

Filesize
856KB

Download
memory/2584-44-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2584-45-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2612-23-0x00000000011C0000-0x0000000001200000-memory.dmp

Filesize
256KB

Download
memory/2952-74-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download
memory/2952-73-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download