umbral | hxxps://github[.]com/OpenSourcePrograms/FiveM-HXCheats/archive/refs/heads/main[.]zip

Analysis

max time kernel
73s
max time network
79s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
09-07-2024 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/OpenSourcePrograms/FiveM-HXCheats/archive/refs/heads/main.zip

Score

10^/10

umbral execution stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2784-101-0x0000022BAEF50000-0x0000022BAEF9C000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4792	powershell.exe
1440	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
1	discord.com
19	discord.com
24	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1760	wmic.exe
3980	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1300643590-245460719-3687711119-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\FiveM-HXCheats-main.zip:Zone.Identifier	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\nNpO9.scr\:Zone.Identifier:$DATA	FiveMCheats.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\L3dXQ.scr\:Zone.Identifier:$DATA	FiveMCheats.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1132	PING.EXE
1896	PING.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3524	msedge.exe
3524	msedge.exe
4848	msedge.exe
4848	msedge.exe
4432	msedge.exe
4432	msedge.exe
4320	identity_helper.exe
4320	identity_helper.exe
2856	msedge.exe
2856	msedge.exe
2784	FiveMCheats.exe
2784	FiveMCheats.exe
4792	powershell.exe
4792	powershell.exe
4792	powershell.exe
3496	powershell.exe
3496	powershell.exe
3496	powershell.exe
5068	powershell.exe
5068	powershell.exe
5068	powershell.exe
2536	powershell.exe
2536	powershell.exe
2536	powershell.exe
3032	powershell.exe
3032	powershell.exe
3032	powershell.exe
3032	FiveMCheats.exe
3032	FiveMCheats.exe
1440	powershell.exe
1440	powershell.exe
1440	powershell.exe
1988	powershell.exe
1988	powershell.exe
1988	powershell.exe
2400	powershell.exe
2400	powershell.exe
2400	powershell.exe
3020	powershell.exe
3020	powershell.exe
3020	powershell.exe
1732	powershell.exe
1732	powershell.exe
1732	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	FiveMCheats.exe
Token: SeIncreaseQuotaPrivilege	844	wmic.exe
Token: SeSecurityPrivilege	844	wmic.exe
Token: SeTakeOwnershipPrivilege	844	wmic.exe
Token: SeLoadDriverPrivilege	844	wmic.exe
Token: SeSystemProfilePrivilege	844	wmic.exe
Token: SeSystemtimePrivilege	844	wmic.exe
Token: SeProfSingleProcessPrivilege	844	wmic.exe
Token: SeIncBasePriorityPrivilege	844	wmic.exe
Token: SeCreatePagefilePrivilege	844	wmic.exe
Token: SeBackupPrivilege	844	wmic.exe
Token: SeRestorePrivilege	844	wmic.exe
Token: SeShutdownPrivilege	844	wmic.exe
Token: SeDebugPrivilege	844	wmic.exe
Token: SeSystemEnvironmentPrivilege	844	wmic.exe
Token: SeRemoteShutdownPrivilege	844	wmic.exe
Token: SeUndockPrivilege	844	wmic.exe
Token: SeManageVolumePrivilege	844	wmic.exe
Token: 33	844	wmic.exe
Token: 34	844	wmic.exe
Token: 35	844	wmic.exe
Token: 36	844	wmic.exe
Token: SeIncreaseQuotaPrivilege	844	wmic.exe
Token: SeSecurityPrivilege	844	wmic.exe
Token: SeTakeOwnershipPrivilege	844	wmic.exe
Token: SeLoadDriverPrivilege	844	wmic.exe
Token: SeSystemProfilePrivilege	844	wmic.exe
Token: SeSystemtimePrivilege	844	wmic.exe
Token: SeProfSingleProcessPrivilege	844	wmic.exe
Token: SeIncBasePriorityPrivilege	844	wmic.exe
Token: SeCreatePagefilePrivilege	844	wmic.exe
Token: SeBackupPrivilege	844	wmic.exe
Token: SeRestorePrivilege	844	wmic.exe
Token: SeShutdownPrivilege	844	wmic.exe
Token: SeDebugPrivilege	844	wmic.exe
Token: SeSystemEnvironmentPrivilege	844	wmic.exe
Token: SeRemoteShutdownPrivilege	844	wmic.exe
Token: SeUndockPrivilege	844	wmic.exe
Token: SeManageVolumePrivilege	844	wmic.exe
Token: 33	844	wmic.exe
Token: 34	844	wmic.exe
Token: 35	844	wmic.exe
Token: 36	844	wmic.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	3496	powershell.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeIncreaseQuotaPrivilege	3712	wmic.exe
Token: SeSecurityPrivilege	3712	wmic.exe
Token: SeTakeOwnershipPrivilege	3712	wmic.exe
Token: SeLoadDriverPrivilege	3712	wmic.exe
Token: SeSystemProfilePrivilege	3712	wmic.exe
Token: SeSystemtimePrivilege	3712	wmic.exe
Token: SeProfSingleProcessPrivilege	3712	wmic.exe
Token: SeIncBasePriorityPrivilege	3712	wmic.exe
Token: SeCreatePagefilePrivilege	3712	wmic.exe
Token: SeBackupPrivilege	3712	wmic.exe
Token: SeRestorePrivilege	3712	wmic.exe
Token: SeShutdownPrivilege	3712	wmic.exe
Token: SeDebugPrivilege	3712	wmic.exe
Token: SeSystemEnvironmentPrivilege	3712	wmic.exe
Token: SeRemoteShutdownPrivilege	3712	wmic.exe
Token: SeUndockPrivilege	3712	wmic.exe
Token: SeManageVolumePrivilege	3712	wmic.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe
4848	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4848 wrote to memory of 2728	4848	msedge.exe	80
PID 4848 wrote to memory of 2728	4848	msedge.exe	80
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 1436	4848	msedge.exe	82
PID 4848 wrote to memory of 3524	4848	msedge.exe	83
PID 4848 wrote to memory of 3524	4848	msedge.exe	83
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84
PID 4848 wrote to memory of 280	4848	msedge.exe	84

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3276	attrib.exe
1612	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/OpenSourcePrograms/FiveM-HXCheats/archive/refs/heads/main.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcb3293cb8,0x7ffcb3293cc8,0x7ffcb3293cd8
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,11943667430377780842,12345422211435512481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3364

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:960

C:\Users\Admin\Downloads\FiveM-HXCheats-main\FiveM-HXCheats-main\FiveMCheats.exe
"C:\Users\Admin\Downloads\FiveM-HXCheats-main\FiveM-HXCheats-main\FiveMCheats.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\FiveM-HXCheats-main\FiveM-HXCheats-main\FiveMCheats.exe"
  2⤵
  - Views/modifies file attributes
  PID:3276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\FiveM-HXCheats-main\FiveM-HXCheats-main\FiveMCheats.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3744
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1760
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\FiveM-HXCheats-main\FiveM-HXCheats-main\FiveMCheats.exe" && pause
  2⤵
  PID:1004
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:1132

C:\Users\Admin\Downloads\FiveM-HXCheats-main\FiveM-HXCheats-main\FiveMCheats.exe
"C:\Users\Admin\Downloads\FiveM-HXCheats-main\FiveM-HXCheats-main\FiveMCheats.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3032
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3968
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\FiveM-HXCheats-main\FiveM-HXCheats-main\FiveMCheats.exe"
  2⤵
  - Views/modifies file attributes
  PID:1612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\FiveM-HXCheats-main\FiveM-HXCheats-main\FiveMCheats.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3020
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:3520
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:3428
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1732
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:3980
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\FiveM-HXCheats-main\FiveM-HXCheats-main\FiveMCheats.exe" && pause
  2⤵
  PID:3008
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\FiveMCheats.exe.log

Filesize
1KB

MD5
5f36c205799cb2f8966c7d5130cea05c

SHA1
614993e3437ff9363c3eb698d7dba379a453dd6e

SHA256
8eaaf40fe7570c8fa593702f38fee2f54538ba6a77d7c54005e8d1f150f5180c

SHA512
7053cac09d2e71675771bae4ac25f1a47f96be662f6bb2aab24668ed4c1809fb1261b2d6465202c09bd0310bf875361a815db6dda6006dcfbbb5fb3c50c5927b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4af3ab7cb0460a8ca1bc42c663f441ea

SHA1
47603056b2829b869fbab04884da29544077fc3e

SHA256
e4c2390de67f4be3f7a84f4ef879a25c15c68c62a226ab9c9007c03597184369

SHA512
9c4cb6eee3f90f4cf46c0544d371cbe3b93a092f0057963e54bdbc6c6e584564aa4e3e8cc0085360ac7661a18c929c37cdabaa35035d925fc23446dba609323a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f9e5616c068d89c288975cccf486ba9

SHA1
049ff88576a2a7c47740819b750a2f8edfa0d0b7

SHA256
680a4ebe591a39c80dc406530a6e51aa0bdee8ab91b8d326f90616435b595e26

SHA512
98147f31a4d6372e73970295464c8943709632e78b15f581436f30d63f9cbdcbaaf9c80e2cce366f95709f52c7bb2283770de686dac7d1c0b7e2cb704b7a0383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
d11edf9e08a127c768843acea41d0bc5

SHA1
ff1af9b39de4a3f547407fd9864ffdd2bb6c7354

SHA256
217e4d9d1412e45abf7a653f72a5ab8b53bc8fc6f377f52a042668a41abc7478

SHA512
92c3f0def567b0e2f2523ed25eb9d4abff06070b8be744fea4a6678f25f292439d7bc0c8015eaa6281b7f43149eebb3d3821cd6d6436598481113694b11ddea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a6ff4ec3ab597121e4b7bbc3dcb16f9b

SHA1
4b42e0e1b9d39e042f90c6d9878b126347e87f13

SHA256
ef1cf5d3312d557a0f1907a5ad944ce879534ee0c4bf1f33b82a1015f075916d

SHA512
9367d639b0b43b9001210923f61043a6adfcbe2f3c4f91187d1ad68f349c119abccea245e51d1c7d1e1f2e3e8c2030ccbdd69434963013d139203387fd1d66fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
17e5c491e432237f5b37a9a0c077f31f

SHA1
087d728ca84f08156503632003f72d697c4fff26

SHA256
e208a4c454009ce8ed2532076eeca218c61121bfff9906f79f47dfc557ac8ca7

SHA512
6b00c33ef767496d58dec45adc702a0f8b463afc924afc5c6f576de7b52a64c63bb18f79ed6fb8a35314015663cdc1590171723c0d748ecf4e1938a57160de53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b83989015bf4428322826c29c8e36dcc

SHA1
78f67b42a868ab2e14caa98025e04fcd68cca36a

SHA256
b08ad4d29c2b791246c9acb542b662bdd9823c47c5ba6b64e5ed518c1d08adde

SHA512
7b6729b31892414ad18cc907f27c52b04a3a9f5a22abf4e70b4292dc930730854716605adcb6f00ed71cd224e44a13729e43bc9dcc44aeae3fae39dcd32a3b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b2c2884de53126da705816d0baf19740

SHA1
faeea74200633e76d4b5a98f6385bacef6964e82

SHA256
13ee1fd9d49252fc8994689f8756236f3ca23922e71431148705b44f6d8e9c24

SHA512
a48b00213bba4c2d3452fbf4193af2a8472ff06d76e4d1e01741d602a758f32664eafa911e14d0322c3f8c36271c1a84172085e6468dc3182b50107c7cb16c0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2ead7eb013f9be79b3be239bc5710bda

SHA1
8ebfff2a16b49d27e56f8d38a740b4f44ca93ce5

SHA256
62b83f04cb3ebe00ff48163d991bbea3d648921a7d2a216afe5bcbb08c454b48

SHA512
bb1cebb3a2fd54f43dd32c6081f4d8015a4931549c3a49c15a112e9a6dc3aaaaa2e34118a414f3c3a8169d7a8330e05309e94349d5bd9678cf86de883327d839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6bddc96a32b9ed8fc70b141ccf4a39b2

SHA1
0f33c0699da40a5eadcec646791cf21cdb0dd7c6

SHA256
cb3853abe77eb0da8a1caccb49e97a573b6f35570722eb759116a645d724c132

SHA512
e41f1597b4129b759e4199db195df1c24e47cc47dc9850fab2d48e44bc3d37dc3658fbfbb62332a0b93c552587d7fab09de1634f605faa2209b8470c2a6eaca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
57083a8e45ebe4fd84c7c0f137ec3e21

SHA1
857b5ea57f7bcf03cadee122106c6e58792a9b84

SHA256
f20102c4dc409cad3cdaf7a330c3a18a730a9d7d902b9fbee2a84186cba93d40

SHA512
4bbc21c07c05ee1f783242f0fb59324d5ff9ae18bdf892f02980d582fed83380888eeba58e1a6a321507cfd5d4fe82a328a0d3482b29633be4e3ebbeac636f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c321dfee531730b7e0b81470b947da3f

SHA1
0488401f4fc03bcdab19eeff194ff12f4439e1cb

SHA256
6d7da148fe930cf085b5369427eb24e66844d7f00fcc197f056e0763c7a76117

SHA512
eee78a9529b1d89631ac8dbaef716eba95166d8c465a2c075bf89d28fab4c25a48c4d29d7f19ab0249b245bf45fac63214b092aaef9b3a09b4f8e6cfa85a076a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
4fadcea4f2d98263f2acf9264e6e4718

SHA1
2b98137ab21f8d4bb8bdfbb86731b531d2a52113

SHA256
dfc4e8bd319c845495eeddd27477ce61a968c5f585b0a1804ce8e062e2b0b4ff

SHA512
023ec1a07ae7e6b61a2d26403c3828d67d4af06e006fde110bc3e44d2aa7c77ec18557a817f7e76702174efc83060bb3a7a4a91c618df1ba48cb898ef0573f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
4b92d741d003e8d1f0394874017a6fe9

SHA1
1a4bebc2637bce160dae38d4d0bfdeb6b398059d

SHA256
8c8532230d71f0818daebff0d2ab496b02c25bdaa7156701f663b5474ad876fc

SHA512
5c2e84b072314aaae414f98f7dbeb13e030561b53270803d0cf7a8c6ed59368dcfdc4666e69abef39fcac5b75968a1174aca501023297a276a219ed0464612c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
de1cbc191bee1d162d00561785ff3e3f

SHA1
e65c6208aaeb730c3242fec9afbfe797fb464f66

SHA256
7eda0e7287adda6d5511bb314988c270a1ec05a6bd7fcbfab698ed7b4b195434

SHA512
af507d8a805f43842e87414b43c1a0f8973f3d663d2efeb0556b9d212741d159e2f0d0e0528588d9dba1278cca1efd37ab4d28c118c4424345191d0b016d2013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
93f78040b1fcfeb79ad2ecca9ac70141

SHA1
5600cbb31fac8557c28e258f4ed5c78e826aaa7e

SHA256
c5fd6720ce5eecae0039348ca478a62901269281eb4c13f5816eb67832932071

SHA512
5837066bc3ec2547fa3d57c6a764f41f3af2841b2e231c2e4e8fb173a955412e33b4ee4136924e0abab1c9632ab14bd2b3af0410d716fff3addd8a48125d537e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3xjgbeu3.nbt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\FiveM-HXCheats-main.zip

Filesize
99KB

MD5
31d133e14d399fcb5116d66eb979c74b

SHA1
414e8fe4dcd79e1f8c7fe7a51e2d853e16a9e92c

SHA256
756ec53a4aa8f2ecaad1772d20570fbb53daa6b1c34946ee088e16b1d87b55a1

SHA512
810ad4a5b2ffa30801d63d640a5a95f7803486e34b330d1a615eea3869e6a54881fbfb538c1b7e4fb90ebe2281dcaf7b0b9fdadb50cb0c66333883e51dbd9fc5

Download Submit
C:\Users\Admin\Downloads\FiveM-HXCheats-main.zip:Zone.Identifier

Filesize
117B

MD5
d4dc65a27b5b831a9a3dd54979df33b7

SHA1
4c58a74c2151bd0a8e95495da0e3c919df73f3a4

SHA256
bfff9fe67298daf79656d40926bc362e0e7152c39844fb74f026089207b8e9c0

SHA512
63708069e69983935bad5661c2614af578b6533606012066d968e1afde2ca6dc9df2852efb8f3ccf1600fa98267206a6b80db500c57a5942117afa1889bfe0f3

Download Submit
memory/2784-164-0x0000022BC94F0000-0x0000022BC9502000-memory.dmp

Filesize
72KB

Download
memory/2784-163-0x0000022BB0C90000-0x0000022BB0C9A000-memory.dmp

Filesize
40KB

Download
memory/2784-101-0x0000022BAEF50000-0x0000022BAEF9C000-memory.dmp

Filesize
304KB

Download
memory/2784-129-0x0000022BB0C60000-0x0000022BB0C7E000-memory.dmp

Filesize
120KB

Download
memory/2784-127-0x0000022BC94A0000-0x0000022BC94F0000-memory.dmp

Filesize
320KB

Download
memory/2784-126-0x0000022BC97D0000-0x0000022BC9846000-memory.dmp

Filesize
472KB

Download
memory/4792-102-0x00000289D9140000-0x00000289D9162000-memory.dmp

Filesize
136KB

Download