umbral | hxxps://github[.]com/Ezoterik01/WinLocker-Builder-093

Analysis

max time kernel
42s
max time network
48s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Ezoterik01/WinLocker-Builder-093

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000235a8-244.dat	family_umbral
behavioral1/memory/5248-253-0x00000229C32D0000-0x00000229C3310000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5436	powershell.exe
5508	powershell.exe
6092	powershell.exe
6044	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	AlzProject.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	BuilderWinLock093.exe

Executes dropped EXE 3 IoCs

pid	Process
5948	BuilderWinLock093.exe
6104	upO Builder 0.9.3.exe
5248	AlzProject.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
94	discord.com
95	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
82	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BuilderWinLock093.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upO Builder 0.9.3.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5652	PING.EXE
5460	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5440	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5652	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4344	msedge.exe
4344	msedge.exe
2752	msedge.exe
2752	msedge.exe
4988	identity_helper.exe
4988	identity_helper.exe
2144	msedge.exe
2144	msedge.exe
5248	AlzProject.exe
5248	AlzProject.exe
5436	powershell.exe
5436	powershell.exe
5436	powershell.exe
5508	powershell.exe
5508	powershell.exe
5508	powershell.exe
6092	powershell.exe
6092	powershell.exe
6092	powershell.exe
4252	powershell.exe
4252	powershell.exe
4252	powershell.exe
6044	powershell.exe
6044	powershell.exe
6044	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5828	7zG.exe
Token: 35	5828	7zG.exe
Token: SeSecurityPrivilege	5828	7zG.exe
Token: SeSecurityPrivilege	5828	7zG.exe
Token: SeDebugPrivilege	5248	AlzProject.exe
Token: SeIncreaseQuotaPrivilege	5336	wmic.exe
Token: SeSecurityPrivilege	5336	wmic.exe
Token: SeTakeOwnershipPrivilege	5336	wmic.exe
Token: SeLoadDriverPrivilege	5336	wmic.exe
Token: SeSystemProfilePrivilege	5336	wmic.exe
Token: SeSystemtimePrivilege	5336	wmic.exe
Token: SeProfSingleProcessPrivilege	5336	wmic.exe
Token: SeIncBasePriorityPrivilege	5336	wmic.exe
Token: SeCreatePagefilePrivilege	5336	wmic.exe
Token: SeBackupPrivilege	5336	wmic.exe
Token: SeRestorePrivilege	5336	wmic.exe
Token: SeShutdownPrivilege	5336	wmic.exe
Token: SeDebugPrivilege	5336	wmic.exe
Token: SeSystemEnvironmentPrivilege	5336	wmic.exe
Token: SeRemoteShutdownPrivilege	5336	wmic.exe
Token: SeUndockPrivilege	5336	wmic.exe
Token: SeManageVolumePrivilege	5336	wmic.exe
Token: 33	5336	wmic.exe
Token: 34	5336	wmic.exe
Token: 35	5336	wmic.exe
Token: 36	5336	wmic.exe
Token: SeIncreaseQuotaPrivilege	5336	wmic.exe
Token: SeSecurityPrivilege	5336	wmic.exe
Token: SeTakeOwnershipPrivilege	5336	wmic.exe
Token: SeLoadDriverPrivilege	5336	wmic.exe
Token: SeSystemProfilePrivilege	5336	wmic.exe
Token: SeSystemtimePrivilege	5336	wmic.exe
Token: SeProfSingleProcessPrivilege	5336	wmic.exe
Token: SeIncBasePriorityPrivilege	5336	wmic.exe
Token: SeCreatePagefilePrivilege	5336	wmic.exe
Token: SeBackupPrivilege	5336	wmic.exe
Token: SeRestorePrivilege	5336	wmic.exe
Token: SeShutdownPrivilege	5336	wmic.exe
Token: SeDebugPrivilege	5336	wmic.exe
Token: SeSystemEnvironmentPrivilege	5336	wmic.exe
Token: SeRemoteShutdownPrivilege	5336	wmic.exe
Token: SeUndockPrivilege	5336	wmic.exe
Token: SeManageVolumePrivilege	5336	wmic.exe
Token: 33	5336	wmic.exe
Token: 34	5336	wmic.exe
Token: 35	5336	wmic.exe
Token: 36	5336	wmic.exe
Token: SeDebugPrivilege	5436	powershell.exe
Token: SeDebugPrivilege	5508	powershell.exe
Token: SeDebugPrivilege	6092	powershell.exe
Token: SeDebugPrivilege	4252	powershell.exe
Token: SeIncreaseQuotaPrivilege	5840	wmic.exe
Token: SeSecurityPrivilege	5840	wmic.exe
Token: SeTakeOwnershipPrivilege	5840	wmic.exe
Token: SeLoadDriverPrivilege	5840	wmic.exe
Token: SeSystemProfilePrivilege	5840	wmic.exe
Token: SeSystemtimePrivilege	5840	wmic.exe
Token: SeProfSingleProcessPrivilege	5840	wmic.exe
Token: SeIncBasePriorityPrivilege	5840	wmic.exe
Token: SeCreatePagefilePrivilege	5840	wmic.exe
Token: SeBackupPrivilege	5840	wmic.exe
Token: SeRestorePrivilege	5840	wmic.exe
Token: SeShutdownPrivilege	5840	wmic.exe
Token: SeDebugPrivilege	5840	wmic.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
5828	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe
2752	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
6104	upO Builder 0.9.3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 636	2752	msedge.exe	85
PID 2752 wrote to memory of 636	2752	msedge.exe	85
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4944	2752	msedge.exe	86
PID 2752 wrote to memory of 4344	2752	msedge.exe	87
PID 2752 wrote to memory of 4344	2752	msedge.exe	87
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88
PID 2752 wrote to memory of 3592	2752	msedge.exe	88

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5408	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Ezoterik01/WinLocker-Builder-093
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa08db46f8,0x7ffa08db4708,0x7ffa08db4718
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3360 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,2132560649170002945,8632430193092743951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:5668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5272

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WinLocker-Builder-093-main\WinLocker-Builder-093-main\" -an -ai#7zMap14746:204:7zEvent16756
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5828

C:\Users\Admin\Downloads\WinLocker-Builder-093-main\WinLocker-Builder-093-main\BuilderWinLock093.exe
"C:\Users\Admin\Downloads\WinLocker-Builder-093-main\WinLocker-Builder-093-main\BuilderWinLock093.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5948
- C:\Users\Admin\AppData\Local\Temp\upO Builder 0.9.3.exe
  "C:\Users\Admin\AppData\Local\Temp\upO Builder 0.9.3.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6104
- C:\Users\Admin\AppData\Local\Temp\AlzProject.exe
  "C:\Users\Admin\AppData\Local\Temp\AlzProject.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5248
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5336
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\AlzProject.exe"
    3⤵
    - Views/modifies file attributes
    PID:5408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\AlzProject.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5436
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4252
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5840
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4932
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:6044
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5440
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\AlzProject.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5460
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d9984337540abb50426d401688151a10

SHA1
fdc64d4abdd8c521ec56a5c3e968016b98d79020

SHA256
d74529421bd1c2f2573d669c43b73a6f78131176fbc4bf772f0d2568c0db6ba7

SHA512
2bd3731234cf98ef23ebf8638a73ccb91a2ec01233c4dbe0ac51871427875ed0696d786bfd1aebc7d00377a69cc36118ade3dc43b0e41936717253d47ee966f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
5a604d372f6b4079275440c4d0559aab

SHA1
00e04abecfa9e15bde6884951ddb77d80213eefc

SHA256
afa0509e8efe97f2ad9b9cf88b153f591e268a83963bd8d3d4de0e26bb3a622a

SHA512
f2b02a5df691eeb44dac98b8084981089b71c22b2604de44837e2633a18d8e0cc610c1dd89ab2421fe2d0f2948a01a910b83698791bbdfe7001ea1277bb0db25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
15KB

MD5
5d86fac6c2b9bee654761835c35e6099

SHA1
7a3a070d67eb2d44937fc1d6c6f9250cb4a1ad1b

SHA256
7a0ca9e02b22550f8c7b076303a42603565fa5fc1afc7be2962eb1de76b1802a

SHA512
7e36e30410b98e91a4666e3817fb35f6f459440fc2d9083683cd4f3dac93585b75e6df9fb8495efe7a4a330b2f08b3530c0ac7a1f2cc7b4628d15bfcc4a277e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ab20f583667150390cff3360e11d6ad4

SHA1
30f36a857108435ae44c2f68d921d27a58eecf38

SHA256
52ebad1bf7f049379a30e019ece23050596abb0d9591a87686a34454c0e1ff54

SHA512
9ecab70ebf2b68a1947a88e8cb69204548eadee66ae19cf1a9bf77b0950fcc257a0e26127594ca787a3f9857324840d108d44b468037f2d07c0238d02bd2e1c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e7ce908f00a281593c80c3ddaee2f32

SHA1
1a862b0c8cc58ee305a58ed38d59d943d727256f

SHA256
aee0d58cc1df9cd73e7d344030734357f7833679608757fc140ceeed2ded871f

SHA512
f2216de41ee287c4ac63488fa74ecf101b5675acda0405389300feab82686bd35c1bc6ad9c5a9866d5c17dcea24b727af6010f18889129b96145040b5c3dfbf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
825bbac37b86c34ae7d429d4b4229d0d

SHA1
cc0bf429333b49b2170b132d1abc4302acf3abba

SHA256
ea3576d8f88499e9595fb773b5cd63845d59e0df98b0037b55dd59e4f150044c

SHA512
1be47c0d3df190d6c89a36065855e7c4e987766a49d9c5f62246da0cf3fb60cf3ded8c1a70b31bd73d33a008abd903d6558a7671ea8e8ca7a4ce442a5feeaac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b3072dc11f804864a7bfa04744ca6042

SHA1
15e896cec3316c115d5a888902ea723caa94a31f

SHA256
493714b22b7000d2f92c3ab404ae9e6a42104475fc793ac1c87c97e2c14642f1

SHA512
b3e63472559bc915acd49138aa3b595abb6aaddc4934a0dbd37f66d9fa38f39415c7dd63ba3df63f876348af619a47610216da8f4516ba761d6a67d5a5fee2bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bad7583e8903c86b7e05da1e04b2c851

SHA1
868252e26b68831cb5270c2e6b3a9377c9485277

SHA256
a196b2c1c3d08be2c77457c4a3d5d7631dfbef3b2c60ea8f207afb48ee0ff2d3

SHA512
804f55a326ebaf8ae2429efb9f3c0913e84b20ac70433a321f0290a9fa15eccd43b658561a5777fa6cfe624a896892224ea665304572dc670af2fc784093cfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
2af06a6b36db9473e4a7d9c7ab72b70b

SHA1
8ef34b9b961e51bdd1b8d7d9db2ec1b0a4764645

SHA256
18a2aa7e245c6732f95fb7749b2b4d29007f2c56a9c5bfbc5e3c127bdfe5f158

SHA512
3495567a5d5af94ae27be51313d9e2630c52017d808042fe0d56baa34fa1d246eb15c253d14c77c77a1d8f2f1c81680e623044ae95415b095696e7fa141ac7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
227556da5e65f6819f477756808c17e4

SHA1
6ffce766e881ca2a60180bb25f4981b183f78279

SHA256
101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4

SHA512
d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45ad40f012b09e141955482368549640

SHA1
3f9cd15875c1e397c3b2b5592805577ae88a96cb

SHA256
ea3b59172f1a33677f9cb3843fb4d6093b806d3a7cf2f3c6d4692f5421f656ce

SHA512
3de08f8affca1c1450088f560776cf3d65146cadac43c06eb922c7b3cea436e519966cf38458303ffeb1a58c53f8952cffda6c34216fda7594e014b516e83b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\AlzProject.exe

Filesize
230KB

MD5
12978bce7e1a9594978d13e53a990d17

SHA1
9ac5b0c51ea5d0fec28babdcb4e030a57492fdf7

SHA256
4d61ac3ab58cad748474613d4c84fde1809b3e2913356f69a3e3b813c5aa65ee

SHA512
1576d9eed5332362297344001ca2f50d8f47c42ac936406f8b93b118a31d61f0c80c063899edf92f94cc2d61e50bbd1b0d535b2932e594ff67b17db5da535ea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jamwbzot.jen.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\upO Builder 0.9.3.exe

Filesize
1.6MB

MD5
f53a6d6696c94df1c86062cd1f08252e

SHA1
2c9a1fcdc66cf2ec3efe7f65da3a4f57044de02b

SHA256
0201a6ca5e231e00341a00298d89e7d763f2350db2b63ae194d92ceb41bf44ac

SHA512
1538f8a5a36628428aed3251d078ac7419eab47dfe94346f7669aefe89be825387a7057f4d7b3168a63308cc35825f0aa0d41cdf912b791a6ad831928bea191c

Download Submit
C:\Users\Admin\Downloads\WinLocker-Builder-093-main.zip

Filesize
1.6MB

MD5
342fecbeaf39f683f185bc76753e5f82

SHA1
6fcc995a0d9a883af0cd3e7434cf73cc440a4b20

SHA256
612cc2ca3c8e5090efbc2bc84b2da484928342f9beec75a03b1a1dc6360480b7

SHA512
efc6b238d81c21d145aabfe21769623321dacbe3c2e3bd7d7a4ee06ebe18cebeb28a7f8ee2c1bd7219dc92878d411a6ac3d8fb6fb36d594a8d8348115049aeda

Download Submit
C:\Users\Admin\Downloads\WinLocker-Builder-093-main\WinLocker-Builder-093-main\BuilderWinLock093.exe

Filesize
1.6MB

MD5
84702c772c4eb819efa17b3d8f102389

SHA1
fc0eb73fdb7fe25ea03345d278bd8a1c25fe97ae

SHA256
742cd88e88049da366bc095a558b7a979e88d6918dea17138b825b5994e0341c

SHA512
a54084791d7b282b75a1a5319097f9454e24aad37fbd57f5b0a0f59a98da5b5ffdda7e41b844248b53b1a92a7d3add1103902a75133f03a98be35b7271ded75b

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/5248-291-0x00000229DDAA0000-0x00000229DDAF0000-memory.dmp

Filesize
320KB

Download
memory/5248-294-0x00000229C5070000-0x00000229C508E000-memory.dmp

Filesize
120KB

Download
memory/5248-253-0x00000229C32D0000-0x00000229C3310000-memory.dmp

Filesize
256KB

Download
memory/5248-332-0x00000229C50A0000-0x00000229C50AA000-memory.dmp

Filesize
40KB

Download
memory/5248-333-0x00000229C50D0000-0x00000229C50E2000-memory.dmp

Filesize
72KB

Download
memory/5248-290-0x00000229DDA20000-0x00000229DDA96000-memory.dmp

Filesize
472KB

Download
memory/5436-254-0x0000024253B80000-0x0000024253BA2000-memory.dmp

Filesize
136KB

Download
memory/6104-250-0x0000000000400000-0x0000000000BFB000-memory.dmp

Filesize
8.0MB

Download
memory/6104-355-0x0000000000400000-0x0000000000BFB000-memory.dmp

Filesize
8.0MB

Download
memory/6104-356-0x0000000000400000-0x0000000000BFB000-memory.dmp

Filesize
8.0MB

Download