asyncrat | d51154dab49e7c3199cb9fd75aa5c7f9eb58ed74c8ea5eb40601ee484dc0b578

Analysis

max time kernel
30s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

neverlose crack.exe
Size

295KB
MD5

01cc2b2bcef2f12ab9a10905f999027d
SHA1

c62bb9b1532dc3f8638cc1ab5eb3b5f5185c2b40
SHA256

d51154dab49e7c3199cb9fd75aa5c7f9eb58ed74c8ea5eb40601ee484dc0b578
SHA512

025af3ae3fa059e364ef933cff47327436f08fb18379377caf7e71ced86f2c8adb4f56a79a643f3072c21b06e9e9b97f5945b9bdff1d29e798c6d9a5c3360d5c
SSDEEP

6144:DVOuy8Et9vsiTzIpoOhYyC8M4i7jyVvdOe4BWH5Y5/zu4cCGb19e:bFigGOTCz17jy9Yer6dzIpi

Score

10^/10

asyncrat njrat umbral xworm victim credential_access discovery evasion execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1273828074898718851/qR9eE6omxJxFL_jVry1J18IsVQ6bHhsk5rGr5VLxyO-92VJHyGPK43BBNMWtaUG56gE2

Extracted

Family

asyncrat

Botnet

Victim

127.0.0.1:1504

127.0.0.1:44256

meeting-compound.gl.at.ply.gg:1504

meeting-compound.gl.at.ply.gg:44256

Attributes

delay
1
install
true
install_file
System.exe
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

<- NjRAT 0.7d Horror Edition ->

Botnet

Victim

meeting-compound.gl.at.ply.gg:1504

Mutex

f8ff2d3def0ea5927a14148fb1c0ef4a

Attributes

reg_key
f8ff2d3def0ea5927a14148fb1c0ef4a
splitter
Y262SUCZ4UJJ

Extracted

Family

xworm

meeting-compound.gl.at.ply.gg:44256

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023447-46.dat	family_umbral
behavioral1/memory/4472-54-0x000001BFCDC20000-0x000001BFCDC60000-memory.dmp	family_umbral

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000233eb-4.dat	family_xworm
behavioral1/memory/1272-58-0x0000000000160000-0x0000000000176000-memory.dmp	family_xworm

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000023443-15.dat	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4728	powershell.exe
4936	powershell.exe
2960	powershell.exe
3112	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2236	attrib.exe
2168	attrib.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	neverlose crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	INSTALLER1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WizClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WmZWbh4b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Payload.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WizClient.lnk	WizClient.exe

Executes dropped EXE 8 IoCs

pid	Process
1272	WizClient.exe
3968	INSTALLER1.exe
4472	Umbral.exe
3700	WmZWbh4b.exe
320	Payload.exe
4836	System.exe
3296	dllhost.exe
4816	$77svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WizClient = "C:\\Users\\Admin\\AppData\\Roaming\\WizClient.exe"	WizClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\Exec\\$77svchost.exe\""	WmZWbh4b.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
20	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neverlose crack.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5000	cmd.exe
292	PING.EXE

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
1472	timeout.exe
4136	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4772	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
292	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4816	schtasks.exe
4424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
4472	Umbral.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
4728	powershell.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
4728	powershell.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
4936	powershell.exe
3968	INSTALLER1.exe
4936	powershell.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
3968	INSTALLER1.exe
2960	powershell.exe
2960	powershell.exe
2960	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1272	WizClient.exe
Token: SeDebugPrivilege	4472	Umbral.exe
Token: SeIncreaseQuotaPrivilege	3760	wmic.exe
Token: SeSecurityPrivilege	3760	wmic.exe
Token: SeTakeOwnershipPrivilege	3760	wmic.exe
Token: SeLoadDriverPrivilege	3760	wmic.exe
Token: SeSystemProfilePrivilege	3760	wmic.exe
Token: SeSystemtimePrivilege	3760	wmic.exe
Token: SeProfSingleProcessPrivilege	3760	wmic.exe
Token: SeIncBasePriorityPrivilege	3760	wmic.exe
Token: SeCreatePagefilePrivilege	3760	wmic.exe
Token: SeBackupPrivilege	3760	wmic.exe
Token: SeRestorePrivilege	3760	wmic.exe
Token: SeShutdownPrivilege	3760	wmic.exe
Token: SeDebugPrivilege	3760	wmic.exe
Token: SeSystemEnvironmentPrivilege	3760	wmic.exe
Token: SeRemoteShutdownPrivilege	3760	wmic.exe
Token: SeUndockPrivilege	3760	wmic.exe
Token: SeManageVolumePrivilege	3760	wmic.exe
Token: 33	3760	wmic.exe
Token: 34	3760	wmic.exe
Token: 35	3760	wmic.exe
Token: 36	3760	wmic.exe
Token: SeIncreaseQuotaPrivilege	3760	wmic.exe
Token: SeSecurityPrivilege	3760	wmic.exe
Token: SeTakeOwnershipPrivilege	3760	wmic.exe
Token: SeLoadDriverPrivilege	3760	wmic.exe
Token: SeSystemProfilePrivilege	3760	wmic.exe
Token: SeSystemtimePrivilege	3760	wmic.exe
Token: SeProfSingleProcessPrivilege	3760	wmic.exe
Token: SeIncBasePriorityPrivilege	3760	wmic.exe
Token: SeCreatePagefilePrivilege	3760	wmic.exe
Token: SeBackupPrivilege	3760	wmic.exe
Token: SeRestorePrivilege	3760	wmic.exe
Token: SeShutdownPrivilege	3760	wmic.exe
Token: SeDebugPrivilege	3760	wmic.exe
Token: SeSystemEnvironmentPrivilege	3760	wmic.exe
Token: SeRemoteShutdownPrivilege	3760	wmic.exe
Token: SeUndockPrivilege	3760	wmic.exe
Token: SeManageVolumePrivilege	3760	wmic.exe
Token: 33	3760	wmic.exe
Token: 34	3760	wmic.exe
Token: 35	3760	wmic.exe
Token: 36	3760	wmic.exe
Token: SeDebugPrivilege	3968	INSTALLER1.exe
Token: SeDebugPrivilege	3968	INSTALLER1.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeBackupPrivilege	4672	vssvc.exe
Token: SeRestorePrivilege	4672	vssvc.exe
Token: SeAuditPrivilege	4672	vssvc.exe
Token: SeDebugPrivilege	744	powershell.exe
Token: SeDebugPrivilege	3700	WmZWbh4b.exe
Token: SeIncreaseQuotaPrivilege	1740	wmic.exe
Token: SeSecurityPrivilege	1740	wmic.exe
Token: SeTakeOwnershipPrivilege	1740	wmic.exe
Token: SeLoadDriverPrivilege	1740	wmic.exe
Token: SeSystemProfilePrivilege	1740	wmic.exe
Token: SeSystemtimePrivilege	1740	wmic.exe
Token: SeProfSingleProcessPrivilege	1740	wmic.exe
Token: SeIncBasePriorityPrivilege	1740	wmic.exe
Token: SeCreatePagefilePrivilege	1740	wmic.exe
Token: SeBackupPrivilege	1740	wmic.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1272	WizClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 1272	2588	neverlose crack.exe	84
PID 2588 wrote to memory of 1272	2588	neverlose crack.exe	84
PID 2588 wrote to memory of 3968	2588	neverlose crack.exe	85
PID 2588 wrote to memory of 3968	2588	neverlose crack.exe	85
PID 2588 wrote to memory of 4472	2588	neverlose crack.exe	86
PID 2588 wrote to memory of 4472	2588	neverlose crack.exe	86
PID 2588 wrote to memory of 3700	2588	neverlose crack.exe	87
PID 2588 wrote to memory of 3700	2588	neverlose crack.exe	87
PID 2588 wrote to memory of 320	2588	neverlose crack.exe	88
PID 2588 wrote to memory of 320	2588	neverlose crack.exe	88
PID 2588 wrote to memory of 320	2588	neverlose crack.exe	88
PID 4472 wrote to memory of 3760	4472	Umbral.exe	90
PID 4472 wrote to memory of 3760	4472	Umbral.exe	90
PID 4472 wrote to memory of 5056	4472	Umbral.exe	94
PID 4472 wrote to memory of 5056	4472	Umbral.exe	94
PID 4472 wrote to memory of 4728	4472	Umbral.exe	96
PID 4472 wrote to memory of 4728	4472	Umbral.exe	96
PID 4472 wrote to memory of 4936	4472	Umbral.exe	98
PID 4472 wrote to memory of 4936	4472	Umbral.exe	98
PID 3968 wrote to memory of 1120	3968	INSTALLER1.exe	101
PID 3968 wrote to memory of 1120	3968	INSTALLER1.exe	101
PID 3968 wrote to memory of 2620	3968	INSTALLER1.exe	103
PID 3968 wrote to memory of 2620	3968	INSTALLER1.exe	103
PID 2620 wrote to memory of 1472	2620	cmd.exe	105
PID 2620 wrote to memory of 1472	2620	cmd.exe	105
PID 1120 wrote to memory of 4816	1120	cmd.exe	106
PID 1120 wrote to memory of 4816	1120	cmd.exe	106
PID 4472 wrote to memory of 2960	4472	Umbral.exe	107
PID 4472 wrote to memory of 2960	4472	Umbral.exe	107
PID 1272 wrote to memory of 4424	1272	WizClient.exe	109
PID 1272 wrote to memory of 4424	1272	WizClient.exe	109
PID 4472 wrote to memory of 744	4472	Umbral.exe	114
PID 4472 wrote to memory of 744	4472	Umbral.exe	114
PID 3700 wrote to memory of 2236	3700	WmZWbh4b.exe	116
PID 3700 wrote to memory of 2236	3700	WmZWbh4b.exe	116
PID 3700 wrote to memory of 2168	3700	WmZWbh4b.exe	118
PID 3700 wrote to memory of 2168	3700	WmZWbh4b.exe	118
PID 4472 wrote to memory of 1740	4472	Umbral.exe	122
PID 4472 wrote to memory of 1740	4472	Umbral.exe	122
PID 4472 wrote to memory of 1160	4472	Umbral.exe	124
PID 4472 wrote to memory of 1160	4472	Umbral.exe	124
PID 4472 wrote to memory of 1460	4472	Umbral.exe	126
PID 4472 wrote to memory of 1460	4472	Umbral.exe	126
PID 4472 wrote to memory of 3112	4472	Umbral.exe	128
PID 4472 wrote to memory of 3112	4472	Umbral.exe	128
PID 4472 wrote to memory of 4772	4472	Umbral.exe	130
PID 4472 wrote to memory of 4772	4472	Umbral.exe	130
PID 2620 wrote to memory of 4836	2620	cmd.exe	132
PID 2620 wrote to memory of 4836	2620	cmd.exe	132
PID 4472 wrote to memory of 5000	4472	Umbral.exe	134
PID 4472 wrote to memory of 5000	4472	Umbral.exe	134
PID 5000 wrote to memory of 292	5000	cmd.exe	136
PID 5000 wrote to memory of 292	5000	cmd.exe	136
PID 320 wrote to memory of 3296	320	Payload.exe	137
PID 320 wrote to memory of 3296	320	Payload.exe	137
PID 320 wrote to memory of 3296	320	Payload.exe	137
PID 3296 wrote to memory of 2032	3296	dllhost.exe	141
PID 3296 wrote to memory of 2032	3296	dllhost.exe	141
PID 3296 wrote to memory of 2032	3296	dllhost.exe	141
PID 3700 wrote to memory of 3944	3700	WmZWbh4b.exe	143
PID 3700 wrote to memory of 3944	3700	WmZWbh4b.exe	143
PID 3944 wrote to memory of 4136	3944	cmd.exe	145
PID 3944 wrote to memory of 4136	3944	cmd.exe	145
PID 3944 wrote to memory of 4816	3944	cmd.exe	146

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2032	attrib.exe
5056	attrib.exe
2236	attrib.exe
2168	attrib.exe

C:\Users\Admin\AppData\Local\Temp\neverlose crack.exe
"C:\Users\Admin\AppData\Local\Temp\neverlose crack.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Users\Admin\AppData\Local\Temp\WizClient.exe
  "C:\Users\Admin\AppData\Local\Temp\WizClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1272
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WizClient" /tr "C:\Users\Admin\AppData\Roaming\WizClient.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4424
- C:\Users\Admin\AppData\Local\Temp\INSTALLER1.exe
  "C:\Users\Admin\AppData\Local\Temp\INSTALLER1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3968
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "System" /tr '"C:\Users\Admin\AppData\Roaming\System.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6A04.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1472
  - - C:\Users\Admin\AppData\Roaming\System.exe
      "C:\Users\Admin\AppData\Roaming\System.exe"
      4⤵
      Executes dropped EXE
      PID:4836
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4472
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:5056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:744
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1160
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3112
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4772
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:292
- C:\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe
  "C:\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3700
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Exec"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2236
- - C:\Windows\System32\attrib.exe
    "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\Exec\$77svchost.exe"
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBEEB.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4136
  - - C:\Users\Admin\Exec\$77svchost.exe
      "C:\Users\Admin\Exec\$77svchost.exe"
      4⤵
      Executes dropped EXE
      PID:4816
- C:\Users\Admin\AppData\Local\Temp\Payload.exe
  "C:\Users\Admin\AppData\Local\Temp\Payload.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Users\Admin\AppData\Local\Temp\dllhost.exe
    "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3296
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h "C:\Users\Admin\AppData\Local\Temp\dllhost.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:2032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f4bf3ca8753d6bb9725419fec1ec74b9

SHA1
71fce9d17d1d92873236a9a827c52eb9e4827f3d

SHA256
ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417

SHA512
a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec79fae4e7c09310ebf4f2d85a33a638

SHA1
f2bdd995b12e65e7ed437d228f22223b59e76efb

SHA256
e9c4723a5fe34e081c3d2f548a1d472394cc7aa58056fcf44ca542061381243a

SHA512
af9dda12f6bb388d826fe03a4a8beed9bda23a978aa55a2af6a43271660ee896a7ee3bcf2c4d2f1e6180902791d8c23560f1c2ec097a501d8c6f4f6c49075625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALLER1.exe

Filesize
63KB

MD5
6c575ec28ef4f6108f2acf9775938100

SHA1
c3b5d9f59b53768817d3c6dd93a49cef5a40a9e2

SHA256
609d9f9c8da8f777e17ff1a716c07e39e3b2d7fd76086436cf2e2383fe8bcd8c

SHA512
950f48b90492b7f0ac702c2cfd8822eab510819024fbcba2407217280e9d069c39aeae27f4bd6e6ce37efc9de52fad52ad15a07b8ce43c58f43bb5926278ddd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Payload.exe

Filesize
54KB

MD5
29527eb6dd3c1e2b8dbc17d70ad1fb20

SHA1
8fafd2e9914b32797c957f58a1254afc7dccf5af

SHA256
dafc09f9798d4c1134845b08749c514a3478ed4a45837e12fd717012ec27c694

SHA512
52e315cd12482d8a147e5d810e7fbb116cc15b4163e3015f5d579b0621980a15195a4354528bce24a3aff1e47766d95dea71f09563da8e43c781020006bb0e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
62099472f40d33f1caf73e36e866b9e7

SHA1
9d1e27b780ba14d0e41d366d79b0f42d4a782e7e

SHA256
f343ca46350a3c48f888be39bf1247fcab2bcd731889fc16828aac5f681edebc

SHA512
3356bd93afdff76dfc995b8bba3fc96d772e371c3ae6f289cbdb58cffef4906a5f8c2755152765c8cc96b5fc61e97186e42eceaa5e8619d15e172441c95f9764

Download Submit
C:\Users\Admin\AppData\Local\Temp\WizClient.exe

Filesize
61KB

MD5
d63d40b2af636f58cfbabe878e42f0a7

SHA1
3f97fb34eceff4e64cd3adb6f5cb4f1fabaf06ed

SHA256
536699ce7a068f324c719b4f429bf0aefb82602fcc18ca4d99d76aa53fbdb19a

SHA512
e8d771744ad9b2fc85b6f7c655f0e24bd0e42fa4a6575ed4e3301c325750c6e52dbc0b8565b30adf1303986d026d9a4d6a936a9093be8707a8ddbac7933242b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WmZWbh4b.exe

Filesize
40KB

MD5
47f267290124f530b9c04563b533db83

SHA1
fccb81909c612554fce4303daeffc750a71ee44e

SHA256
479db498a032418957c1616b13187402d7f626afa32dd4fcf56313d78ec23eeb

SHA512
a81b1ca99fec7a536eabc62f57668e46b832e534ccba43f3ab25a9d33d394745d24bad5f72225244f20be5ddcb44529d72efa31b92bc9e03f34e3b9ddb4f9e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c2zsmq1u.pbr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A04.tmp.bat

Filesize
150B

MD5
661b03e635639ebb344ee76e43ca4bc7

SHA1
0e4f5538e5b498c66823e10db4c0b5cec00c2907

SHA256
53afd6b1188e81406536a0b324568844ed60514a26fb02c80470bd987e882bd1

SHA512
340002a0ce40fe77e490a4e11d90446002f9008a67cb66037ecf64df893baeda61986a2cb20f294f79e83eb32b04c8b143ff829eaf41bd3faf7f130f742c443f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBEEB.tmp.bat

Filesize
143B

MD5
7df84e3665a9259e818c15fc04b9a983

SHA1
9c269fcbb07e79c78658be0faf56e5a1d58671fe

SHA256
228bee76b324b3d230eac76e69824adaf827408c3b32849a7de7e8a38d62e31e

SHA512
95c7790c3c8ff9365bc249f20cacf0eeeeecf5427835b1af6be7c4880468ffa8dccb7a02c1b6cdf48bc954a5fa8a607f472129cf173c9403b1be610e1e5a0aa5

Download Submit
memory/1272-58-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/1272-26-0x00007FFCB0D83000-0x00007FFCB0D85000-memory.dmp

Filesize
8KB

Download
memory/3700-60-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/3968-34-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/3968-93-0x00007FFCB0D80000-0x00007FFCB1841000-memory.dmp

Filesize
10.8MB

Download
memory/3968-62-0x00007FFCB0D80000-0x00007FFCB1841000-memory.dmp

Filesize
10.8MB

Download
memory/4472-101-0x000001BFCF9A0000-0x000001BFCF9BE000-memory.dmp

Filesize
120KB

Download
memory/4472-99-0x000001BFE8390000-0x000001BFE83E0000-memory.dmp

Filesize
320KB

Download
memory/4472-98-0x000001BFE8410000-0x000001BFE8486000-memory.dmp

Filesize
472KB

Download
memory/4472-54-0x000001BFCDC20000-0x000001BFCDC60000-memory.dmp

Filesize
256KB

Download
memory/4472-138-0x000001BFCF9E0000-0x000001BFCF9EA000-memory.dmp

Filesize
40KB

Download
memory/4472-139-0x000001BFE83E0000-0x000001BFE83F2000-memory.dmp

Filesize
72KB

Download
memory/4472-63-0x00007FFCB0D80000-0x00007FFCB1841000-memory.dmp

Filesize
10.8MB

Download
memory/4472-166-0x00007FFCB0D80000-0x00007FFCB1841000-memory.dmp

Filesize
10.8MB

Download
memory/4728-66-0x000001923DD00000-0x000001923DD22000-memory.dmp

Filesize
136KB

Download