Malware Analysis Report

2024-10-10 09:54

Sample ID 240704-j2mjcs1hrm
Target 06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe
SHA256 06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1
Tags
dcrat umbral infostealer rat stealer execution spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1

Threat Level: Known bad

The file 06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe was found to be: Known bad.

Malicious Activity Summary

dcrat umbral infostealer rat stealer execution spyware

DcRat

DCRat payload

Detect Umbral payload

Umbral

Dcrat family

Umbral family

Process spawned unexpected child process

DCRat payload

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Detects videocard installed

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-04 08:10

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A

Umbral family

umbral

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-04 08:09

Reported

2024-07-04 08:12

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Portable Devices\conhost.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\088424020bedd6 C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\f3b6ecef712a24 C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\audiodg.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\42af1c969fbb7b C:\Reviewwinbrokernet\bridgefont.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SoftwareDistribution\Idle.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Windows\SoftwareDistribution\6ccacd8608530f C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Windows\ShellNew\csrss.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Windows\ShellNew\886983d96e3d3e C:\Reviewwinbrokernet\bridgefont.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A
Token: SeDebugPrivilege N/A C:\Reviewwinbrokernet\bridgefont.exe N/A
Token: SeDebugPrivilege N/A C:\Reviewwinbrokernet\spoolsv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1952 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 1952 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 1952 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 1952 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 1952 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 1952 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 1952 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 1952 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 1952 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 1952 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 1952 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 1952 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 2692 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 2692 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 2692 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 2692 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 2504 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 2512 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 2512 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 2512 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 2568 wrote to memory of 2068 N/A C:\Reviewwinbrokernet\bridgefont.exe C:\Reviewwinbrokernet\spoolsv.exe
PID 2568 wrote to memory of 2068 N/A C:\Reviewwinbrokernet\bridgefont.exe C:\Reviewwinbrokernet\spoolsv.exe
PID 2568 wrote to memory of 2068 N/A C:\Reviewwinbrokernet\bridgefont.exe C:\Reviewwinbrokernet\spoolsv.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe

"C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe"

C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

"C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe"

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Users\Admin\AppData\Local\Temp\8XChecker.exe

"C:\Users\Admin\AppData\Local\Temp\8XChecker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat" "

C:\Reviewwinbrokernet\bridgefont.exe

"C:\Reviewwinbrokernet\bridgefont.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "UmbralU" /sc MINUTE /mo 6 /tr "'C:\Reviewwinbrokernet\Umbral.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Umbral" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\Umbral.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "UmbralU" /sc MINUTE /mo 7 /tr "'C:\Reviewwinbrokernet\Umbral.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ShellNew\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\ShellNew\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Downloads\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Reviewwinbrokernet\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Reviewwinbrokernet\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8f60a382-0d98-11ef-817d-5aba25856535\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Reviewwinbrokernet\sppsvc.exe'" /rl HIGHEST /f

C:\Reviewwinbrokernet\spoolsv.exe

"C:\Reviewwinbrokernet\spoolsv.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 a0996805.xsph.ru udp
US 8.8.8.8:53 a0996805.xsph.ru udp
US 8.8.8.8:53 gstatic.com udp

Files

\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

MD5 26abb9e459e5976f658ce80d6433f1b1
SHA1 3c8f02c1cf7b8ae82be3deea4b360497f6fee1c3
SHA256 60cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12
SHA512 c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8

memory/2212-10-0x0000000000400000-0x000000000040A000-memory.dmp

\Users\Admin\AppData\Local\Temp\Umbral.exe

MD5 ec2aed743841885a579338921df5073b
SHA1 8167b69da03e79cc4d013f2b1e2c972a9fa15296
SHA256 f3742ed689ca175bd615de562301102cd1bb72f65b3af8660883d5ea31bada2b
SHA512 aa4430171bd657439957cd5f3da3babf43725fce801c46377d003cd2f019bbb145eaef5de84e87f8bbf81a679733923ae3c5ff54f55e31cb575e13a4073ccc7c

\Users\Admin\AppData\Local\Temp\8XChecker.exe

MD5 562a032b64898a5f86890120f1a6872b
SHA1 2a96ddcf1fc64ec4ab23597cbfce61bed40dd27a
SHA256 bb99ec3195fb0a972271667234885e97ff017df9cc64e605f2d5aafb469bd2a3
SHA512 871fe5fa1da1df87e909e1f9b1276e9d6a1dcaa0e5da7ed5d2df338f12c1b3ac02442ebd65138cbf7a0eb4b6e9237e806fe844f6dd15e352669fdc50cfa8960b

memory/1952-22-0x0000000000400000-0x0000000000562000-memory.dmp

memory/2296-23-0x0000000000390000-0x00000000003D0000-memory.dmp

C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe

MD5 d0546d4e82d204a215d2202b8122bebf
SHA1 b4b1c33b5104d1d003670c341908a01cc0a4a09b
SHA256 6f1ff6622e86a07eeb4c514424e78f7a9272ba7922de6dcf1df7810f40ab6756
SHA512 91d46ca23a26764f516ae273ae54cf689f303e772e954696e7e0ee7794b9b664be0aa2f432f34822b23657fb2c8bc489650f5b4d36e9b8de3d96a6ab864b9925

C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat

MD5 5ca65390126e266243ff3881f9cfb3f2
SHA1 228f50250b0cff6894fcc595c1dc1cbcdfd1b4b6
SHA256 ce08fb9623e455e0fd404378ec059c61cbf2c9de162f49c6cf59d244e0cdca54
SHA512 4f211680121ea9ce99c9dfa78de84b2d149902a94eda40d88e7e3cc0c2ba1910be157a84cadc4cc6bf36fbcc20f050f0766a30e9bc1481c93a2c45e6b7b7c47b

\Reviewwinbrokernet\bridgefont.exe

MD5 b5c2e9124dfa9d37f7b2032b94127a37
SHA1 3f162c1dff58ff017d4a95540a220b7355765eb6
SHA256 15f729a2209101f7c6ecdaea74121dff0aec9fc1cb6bf3c6a30094af95bc5876
SHA512 edfbf86105464cc2cd214ec7da355f120d1913179855270d0a286bab67bc6c354151dc209a1f1e25ad777b523250ed2f1307e4c5e61434038a488f875c921b46

memory/2568-38-0x0000000001210000-0x00000000012E6000-memory.dmp

memory/2068-79-0x0000000000A10000-0x0000000000AE6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-04 08:09

Reported

2024-07-04 08:12

Platform

win10v2004-20240508-en

Max time kernel

93s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Umbral

stealer umbral

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Reviewwinbrokernet\bridgefont.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8XChecker.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Security\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files\Windows Security\ebf1f9fa8afd6d C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files\Java\wininit.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Program Files\Java\56085415360792 C:\Reviewwinbrokernet\bridgefont.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RemotePackages\RemoteApps\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Windows\RemotePackages\RemoteApps\ebf1f9fa8afd6d C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Windows\apppatch\it-IT\lsass.exe C:\Reviewwinbrokernet\bridgefont.exe N/A
File created C:\Windows\apppatch\it-IT\6203df4a6bafc7 C:\Reviewwinbrokernet\bridgefont.exe N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8XChecker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Reviewwinbrokernet\bridgefont.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 4812 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 4812 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe
PID 4812 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 4812 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\Umbral.exe
PID 4812 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 4812 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 4812 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe C:\Users\Admin\AppData\Local\Temp\8XChecker.exe
PID 3516 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 3516 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 3516 wrote to memory of 512 N/A C:\Users\Admin\AppData\Local\Temp\8XChecker.exe C:\Windows\SysWOW64\WScript.exe
PID 4848 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4848 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4848 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\attrib.exe
PID 4848 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\attrib.exe
PID 4848 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4848 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4848 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4848 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 512 wrote to memory of 4724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 4724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 512 wrote to memory of 4724 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4848 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4724 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 4724 wrote to memory of 4876 N/A C:\Windows\SysWOW64\cmd.exe C:\Reviewwinbrokernet\bridgefont.exe
PID 4848 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4848 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4848 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\System32\Wbem\wmic.exe
PID 4876 wrote to memory of 3084 N/A C:\Reviewwinbrokernet\bridgefont.exe C:\Windows\System32\cmd.exe
PID 4876 wrote to memory of 3084 N/A C:\Reviewwinbrokernet\bridgefont.exe C:\Windows\System32\cmd.exe
PID 3084 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3084 wrote to memory of 2196 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3084 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Program Files\Java\wininit.exe
PID 3084 wrote to memory of 1268 N/A C:\Windows\System32\cmd.exe C:\Program Files\Java\wininit.exe
PID 4848 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\cmd.exe
PID 4848 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\Umbral.exe C:\Windows\SYSTEM32\cmd.exe
PID 5108 wrote to memory of 4644 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE
PID 5108 wrote to memory of 4644 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\PING.EXE

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe

"C:\Users\Admin\AppData\Local\Temp\06b5199b7753075d90d3adf5d33adcef9b1c3254d0471a70c282e2cc1391f1b1.exe"

C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

"C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe"

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Users\Admin\AppData\Local\Temp\8XChecker.exe

"C:\Users\Admin\AppData\Local\Temp\8XChecker.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe"

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\SYSTEM32\attrib.exe

"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat" "

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Reviewwinbrokernet\bridgefont.exe

"C:\Reviewwinbrokernet\bridgefont.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteApps\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\RemoteApps\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Java\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Reviewwinbrokernet\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Reviewwinbrokernet\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Reviewwinbrokernet\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\apppatch\it-IT\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\apppatch\it-IT\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\apppatch\it-IT\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Security\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Security\cmd.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ub3qIscBkM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files\Java\wininit.exe

"C:\Program Files\Java\wininit.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause

C:\Windows\system32\PING.EXE

ping localhost

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 142.250.200.3:443 gstatic.com tcp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.134.233:443 discordapp.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 a0996805.xsph.ru udp
RU 141.8.192.103:80 a0996805.xsph.ru tcp
US 8.8.8.8:53 103.192.8.141.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\X8Checker 2.6.exe

MD5 26abb9e459e5976f658ce80d6433f1b1
SHA1 3c8f02c1cf7b8ae82be3deea4b360497f6fee1c3
SHA256 60cc77b5d4210cef0a9032908b179142f212155426fdae48055c5f72811f7a12
SHA512 c2c02aa1db8036c7309100bb683ec7708fedfb129d763d86e03d9d6adc3688423ec04cb5b596eaf99300787f90d641e53350e1ceed0e8b11d6f29333e04b4ce8

memory/3068-9-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Umbral.exe

MD5 ec2aed743841885a579338921df5073b
SHA1 8167b69da03e79cc4d013f2b1e2c972a9fa15296
SHA256 f3742ed689ca175bd615de562301102cd1bb72f65b3af8660883d5ea31bada2b
SHA512 aa4430171bd657439957cd5f3da3babf43725fce801c46377d003cd2f019bbb145eaef5de84e87f8bbf81a679733923ae3c5ff54f55e31cb575e13a4073ccc7c

memory/4848-23-0x00007FFFB7A33000-0x00007FFFB7A35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8XChecker.exe

MD5 562a032b64898a5f86890120f1a6872b
SHA1 2a96ddcf1fc64ec4ab23597cbfce61bed40dd27a
SHA256 bb99ec3195fb0a972271667234885e97ff017df9cc64e605f2d5aafb469bd2a3
SHA512 871fe5fa1da1df87e909e1f9b1276e9d6a1dcaa0e5da7ed5d2df338f12c1b3ac02442ebd65138cbf7a0eb4b6e9237e806fe844f6dd15e352669fdc50cfa8960b

memory/4812-29-0x0000000000400000-0x0000000000562000-memory.dmp

memory/4848-26-0x000001B6F06F0000-0x000001B6F0730000-memory.dmp

C:\Reviewwinbrokernet\86Wn4vQvMoqlspy5.vbe

MD5 d0546d4e82d204a215d2202b8122bebf
SHA1 b4b1c33b5104d1d003670c341908a01cc0a4a09b
SHA256 6f1ff6622e86a07eeb4c514424e78f7a9272ba7922de6dcf1df7810f40ab6756
SHA512 91d46ca23a26764f516ae273ae54cf689f303e772e954696e7e0ee7794b9b664be0aa2f432f34822b23657fb2c8bc489650f5b4d36e9b8de3d96a6ab864b9925

memory/2924-48-0x000001A6B4010000-0x000001A6B4032000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ztipoklr.4n0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d28a889fd956d5cb3accfbaf1143eb6f
SHA1 157ba54b365341f8ff06707d996b3635da8446f7
SHA256 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
SHA512 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

memory/4848-65-0x000001B6F2E20000-0x000001B6F2E96000-memory.dmp

memory/4848-66-0x000001B6F2EA0000-0x000001B6F2EF0000-memory.dmp

memory/4848-67-0x000001B6F2DA0000-0x000001B6F2DBE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 12173b1aca6955ae22ad4191426d90d0
SHA1 95b030cf0d3eb0f111411548df9e04f6320acabd
SHA256 da87ae0f4c63ef90d704ef108619f785aa22d0cde911d8cf63f26672c17cc0bb
SHA512 557de75f87923214aa26768ad5d6d72f3870195561731e760e035a85f93329ac5235480cdabbe5f16a3c53138a719948b2d6064bb98efdba083cd51c7de0b827

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 276798eeb29a49dc6e199768bc9c2e71
SHA1 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256 cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA512 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

memory/4848-103-0x000001B6F2DE0000-0x000001B6F2DEA000-memory.dmp

memory/4848-104-0x000001B6F2FF0000-0x000001B6F3002000-memory.dmp

C:\Reviewwinbrokernet\NckHnt5ezZ5X7x5KKKZDHVFQBsAwD.bat

MD5 5ca65390126e266243ff3881f9cfb3f2
SHA1 228f50250b0cff6894fcc595c1dc1cbcdfd1b4b6
SHA256 ce08fb9623e455e0fd404378ec059c61cbf2c9de162f49c6cf59d244e0cdca54
SHA512 4f211680121ea9ce99c9dfa78de84b2d149902a94eda40d88e7e3cc0c2ba1910be157a84cadc4cc6bf36fbcc20f050f0766a30e9bc1481c93a2c45e6b7b7c47b

C:\Reviewwinbrokernet\bridgefont.exe

MD5 b5c2e9124dfa9d37f7b2032b94127a37
SHA1 3f162c1dff58ff017d4a95540a220b7355765eb6
SHA256 15f729a2209101f7c6ecdaea74121dff0aec9fc1cb6bf3c6a30094af95bc5876
SHA512 edfbf86105464cc2cd214ec7da355f120d1913179855270d0a286bab67bc6c354151dc209a1f1e25ad777b523250ed2f1307e4c5e61434038a488f875c921b46

memory/4876-111-0x0000000000A80000-0x0000000000B56000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 805936d027df43027fa3d20542b25b3a
SHA1 7c5c8212fcf802615888a878823870b3ff0459ab
SHA256 327e0021a4ad74c25efa6f01662bc9fd6b6d158ecbc63a236c32bc26c43404c7
SHA512 5eb98a37bd5ff2646b7393adbf03624460bad30923523644807a624d2477c99364f65b79a5e13cc34a84212f6d621d36df2e9f4b8ea93a0ad459913e2772a19d

C:\Users\Admin\AppData\Local\Temp\ub3qIscBkM.bat

MD5 aede8ccf5ba86ad025263721ca4d194a
SHA1 f1f21d0de775a1e9d314125df54fe64ea3c0b361
SHA256 33bc0d0e78b079033d97e129b8bf161e9870d18da3b740fdefd43add43af6c1d
SHA512 d59cdb79614924aa91767e3cb88d00f8ba888287379a7abc8bd615f5dced18effd2f662e147abda55861c516b87e6e0670a3611b2ddf47ae47752c7fe61c9cb8