umbral | hxxps://mega[.]nz/folder/iG4GlTRZ#Xa2tQ1iSr93n28K_EJWBMQ

Analysis

max time kernel
59s
max time network
57s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
24-06-2024 23:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/iG4GlTRZ#Xa2tQ1iSr93n28K_EJWBMQ

Score

10^/10

umbral evasion execution persistence stealer themida

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000900000001ab47-189.dat	family_umbral
behavioral1/memory/2008-237-0x0000029CE9B30000-0x0000029CE9B70000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	map.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1680	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cheeto.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\KdphrfJqsCLNXDdltpBWekh\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\KdphrfJqsCLNXDdltpBWekh"	map.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	map.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	map.exe

Themida packer 5 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/4944-220-0x00007FF750220000-0x00007FF750B36000-memory.dmp	themida
behavioral1/memory/4944-230-0x00007FF750220000-0x00007FF750B36000-memory.dmp	themida
behavioral1/memory/4944-231-0x00007FF750220000-0x00007FF750B36000-memory.dmp	themida
behavioral1/memory/4944-232-0x00007FF750220000-0x00007FF750B36000-memory.dmp	themida
behavioral1/memory/4944-236-0x00007FF750220000-0x00007FF750B36000-memory.dmp	themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
49	discord.com
50	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4944	map.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2264	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133637439519301399"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2576	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe
1680	powershell.exe
1680	powershell.exe
1680	powershell.exe
1680	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
2280	powershell.exe
220	powershell.exe
220	powershell.exe
220	powershell.exe
220	powershell.exe
3096	powershell.exe
3096	powershell.exe
3096	powershell.exe
3096	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
4944	map.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe
Token: SeShutdownPrivilege	3708	chrome.exe
Token: SeCreatePagefilePrivilege	3708	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
2576	NOTEPAD.EXE

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe
3708	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4944	map.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 1984	3708	chrome.exe	73
PID 3708 wrote to memory of 1984	3708	chrome.exe	73
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 2212	3708	chrome.exe	75
PID 3708 wrote to memory of 4076	3708	chrome.exe	76
PID 3708 wrote to memory of 4076	3708	chrome.exe	76
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77
PID 3708 wrote to memory of 3656	3708	chrome.exe	77

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/folder/iG4GlTRZ#Xa2tQ1iSr93n28K_EJWBMQ
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff935d89758,0x7ff935d89768,0x7ff935d89778
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:2
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2064 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2904 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5136 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 --field-trial-handle=1748,i,14964434225943421191,10380810133836295089,131072 /prefetch:8
  2⤵
  PID:1008

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1708

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xf8
1⤵
PID:2924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1340

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\release\release\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:2576

C:\Users\Admin\Downloads\release\release\map\map.exe
"C:\Users\Admin\Downloads\release\release\map\map.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Sets service image path in registry
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: LoadsDriver
- Suspicious use of SetWindowsHookEx
PID:4944

C:\Users\Admin\Downloads\release\release\main\cheeto.exe
"C:\Users\Admin\Downloads\release\release\main\cheeto.exe"
1⤵
- Drops file in Drivers directory
PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\release\release\main\cheeto.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:1408
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2192
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000021

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
72B

MD5
9a77a2417a772ab2f991383c0928c652

SHA1
bdc3ac814f9fdd270fdd1a98991a7270cb8e3674

SHA256
fa924c45e7d4aeb568896da088220522a459fcbb2389a9d4e9b0fa842a46d9fe

SHA512
1ba51ad9d0921d2551d9a7045034706fec859888f7283006176b196c91262117ab5721253cbcdcb57725fce0e8dfd9cfd7334da1d9e6eda6ee38d447bc75f975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
186B

MD5
52eb1e0e80e81f7b4cec775002fc7d28

SHA1
615a0fe298b0801e940c1dc7e81207a056552b26

SHA256
03f825a83b681164e2b667a1735f82182558055c73afec47042d9dd4d36c9e58

SHA512
9d3a201548ac665d8badba6bdebf01b82976e4addace3c3b521bc64edeb1dcc7557d60e7636ce005f78b90c320c514caf00597b04ea0ef0d1acb0d7471530260

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
961d7ee8dc78d66eca9276c76305a4bc

SHA1
c93baeb8323bd4225b90477048eb14aeecc05546

SHA256
9c866fb6a1d1a0da81d219f2f1e93c6e0257601cc26087e78fa6c2e02cfacc22

SHA512
6db7e3ad7f1a60d3151cc3f53e0124858b46054a668d3bec9ec895dbd80df0b03213404f4c9c4430747b7fffa5c26775b720ee350d2642d519afbb0bfd6a5de6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
a02adfffc2fc81c5e6e9953894dc7f84

SHA1
1e5e35484aeb07e3997bb5da26e1db694c0694ba

SHA256
7daf17b6dbc2a72c9ce5b5b0d8f9f77dc9821af0758aca452624bf0b92a5c20c

SHA512
dfc7c6c55357496a791e9292c5c69bfaaa52946b320973d2eb0c9b62657773b23bd62ac29f36cf855eaafda9bafb743be435e014013134296e83ee4686cdb404

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
1174d82e6bc6e2c8df4b755962b26248

SHA1
770e9f3d15b8748de7f73da1003741e18a9e7703

SHA256
442e1baa5bcceb6e0ffffa6b1bb96ec15d50832826f7b45a9ebb59e1bffbaa71

SHA512
67522c917c94d4dcef8ed1c7d4da15a48ee5bd9a2586d2bfe545c05507faee1296ecba1093bed7c12bfdddf5421d07f76ec8f337f39ca74feb307e7c50a80682

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
2ededcb0a3c41782348c2dc12a8029b3

SHA1
be485325a6cfb1339f9ec6a5109514bc5d4b4da8

SHA256
e5e638bdf2f9236c32019f6e482629bcf12699a4464414fabca6ce5ea528bd0d

SHA512
42449eb2d344728c352bc6133b3685ab1d8834ccea28c420d04827263ebb351f63aa25cb73b7de92ac0a7acb8519b12a99ca7d7a4e6cfb87e3f1dc71bafd228c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bf4299f4e058664a0bc4012adf51a8ff

SHA1
c89db86f2f4cd76778568b2cb7caa2afbbd25208

SHA256
0293324db27266d2d0e4fe4e319553128c33568b3bb17bbbbb925b736d398737

SHA512
e570f926928ad9bd97fa9b654ab3bf7c3abc883657c7e561d43f8b874ab00a5f785a9b0ab2f430b03520203e9f450ce3f3bd1dd1636b7122f0557b7a0fb7822d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5302ab4f2c602a6ab3734129bc26a170

SHA1
26d4e07dd14bba0a7cbb108ff97065f7b06756c0

SHA256
2ff94eab31d727a34c64e4de3d441bc851d17dce7104a4d9fd3359f0ad18fe4b

SHA512
667fadc98c849a6a059a5283e841fe9ec1d0e9ef6ea0a2a15049a1a88a28901902ba1784e744ed6cf4e8db1ce4c388c6abac03b7feb788fe57ebe34de582b978

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c36f.TMP

Filesize
48B

MD5
bb69059858951126c2c34ea8c8967b7a

SHA1
8606d8b9a900d48585bb32774295574b1474e1c0

SHA256
2768fa53b55774749a4a4df37ddb6bc87c7f38084ad761cb184e363bf179ba19

SHA512
529428dce8603199ae9bc88ce422af03a89a8d13d955b7b4287fab5790f0691e471555af11358c3efcf52706ad875dc0845a2fa658dc68f8ca9f91e1b440e6db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
8KB

MD5
af3520adb8c7e6f67e7c7da194a32e24

SHA1
16ab88aae466c87481927d8e69706674dfb0e811

SHA256
5aab39176d2e4bd06372565ec4fe5c3eed4714317115790582198681ca9de8b7

SHA512
2a10475088d6732968592c66ff450ad9613513ad0334649c3177e842eecb95d6c4e69cab8fe0cff13bd4bf6a5d474a7d4df7705e00f778396a1ee09e7f7abfa8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
41722e33199b2f9fde089eccb17c7e17

SHA1
a9e512d5f31bf66231a97453f06992c7f4038236

SHA256
033c88b30c1cf019f4139463f23fdd2210cc76f63ba96a37ad3872b10860f7a6

SHA512
251b1f3b0f9efff5cc4161093b667ce8c2bf33e4cb170b674e7aca57962e5f24e111b9a95c78c5694b89785ed39258d8da2d87d5c20e84b12856b2894548621c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ea31fba2da65ce5e15ecf07f99d748e

SHA1
f9b5237dc46a9cbe05cbb1a8276958199ad20ec4

SHA256
7e7092d5bc556a562df2b1b3728cb6a1dcafdcf035973033e52c2d2bb286a4c7

SHA512
1fae9748b05015449d588d8689e53d40722942c3a69baa2a5d36c7b177e5f52e6c62a7c95fa03355cbacb96cda429a1b888e8c4c97be1e7a807c964a102f9b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4481ee26552f99b7168bf2110282e680

SHA1
dfb6f6678e71268095eb623cc826066ac5781a62

SHA256
f47e34a6682ea8c43abf397abaa87f97543785a11259f66b0a6694ce8a987c29

SHA512
20fce4cbfe59782f6b19d8c12361987030a41daaf2a47629eb83104bc1f5c212074b8069fbab4c899f3ac4b0bdfa9f21c8d1b5851452fc984c57210b98436680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bbc63b50dec399c4ed9911c112d323ae

SHA1
fe52b8defc29deec0c5cab9d011d086f8e7cbfce

SHA256
70384d514db0a25d06682eb8b1cf9bce123b70d634adee79ad1f7e83253d610b

SHA512
284500c2f9904cca7ffe6ed6d5b4d7eceece7a56c1283317aa85d926e2c9a75c3bcf8ec9ccde51c2fac63e4ecb7ddf5a7c794a95d0d49dd43514bbdacd56ab4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bf74f98aa43cb2d651802169aa85d8b9

SHA1
24a1f01795accb09aadc89479c26d6e3dc8daa70

SHA256
fd036d6e558ee05e270c2f7a0afca3952895a2807771518a65238df6e133d0f8

SHA512
2028bb04ca3b01f2d7ee34791eb69a72e6d4ef257e15dd20ca77f0df5eaf1a32f5406f84c96424fc51acdb3374cef6407b96462dbcb7ca7ce194f544801e2c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kzpuspm2.0jw.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Downloads\release.zip.crdownload

Filesize
3.6MB

MD5
36d7d89f533951086328341f0c7138a9

SHA1
88b2b8860dc1b9235f8d33dea6a35050a2602e6d

SHA256
5d7df54b987e4172e9a9d83d6f04a12ae2b28064fbaeed475d82a889590c19af

SHA512
b25cd6e9aa6715d6e350ad54d01bea5cb9e4b9bf028be1d88f515e767cfcacb2460ded9bdc155bc75cf325fc9a6d2faafe831ee948b3464987774f86fbfba471

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
memory/1680-245-0x000001A3F1950000-0x000001A3F19C6000-memory.dmp

Filesize
472KB

Download
memory/1680-242-0x000001A3F17A0000-0x000001A3F17C2000-memory.dmp

Filesize
136KB

Download
memory/2008-316-0x0000029CEB7F0000-0x0000029CEB840000-memory.dmp

Filesize
320KB

Download
memory/2008-237-0x0000029CE9B30000-0x0000029CE9B70000-memory.dmp

Filesize
256KB

Download
memory/2008-320-0x0000029CEB770000-0x0000029CEB78E000-memory.dmp

Filesize
120KB

Download
memory/2008-386-0x0000029CEB7A0000-0x0000029CEB7AA000-memory.dmp

Filesize
40KB

Download
memory/2008-387-0x0000029CEB7D0000-0x0000029CEB7E2000-memory.dmp

Filesize
72KB

Download
memory/4944-220-0x00007FF750220000-0x00007FF750B36000-memory.dmp

Filesize
9.1MB

Download
memory/4944-236-0x00007FF750220000-0x00007FF750B36000-memory.dmp

Filesize
9.1MB

Download
memory/4944-232-0x00007FF750220000-0x00007FF750B36000-memory.dmp

Filesize
9.1MB

Download
memory/4944-231-0x00007FF750220000-0x00007FF750B36000-memory.dmp

Filesize
9.1MB

Download
memory/4944-230-0x00007FF750220000-0x00007FF750B36000-memory.dmp

Filesize
9.1MB

Download