Analysis
-
max time kernel
251s -
max time network
245s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
11-09-2024 04:50
General
-
Target
https://github.com/GLAZED4234234/Glazed-doxxing-tool/tree/6774281807d4f0860c60558e5bd6ec1f0048b9a8
Malware Config
Signatures
-
Detect Umbral payload 1 IoCs
-
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops file in Drivers directory 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Detects videocard installed 1 TTPs 2 IoCs
Uses WMIC.exe to determine videocard installed.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 3 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 50 IoCs
-
Suspicious use of SendNotifyMessage 40 IoCs
-
Suspicious use of SetWindowsHookEx 19 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/GLAZED4234234/Glazed-doxxing-tool/tree/6774281807d4f0860c60558e5bd6ec1f0048b9a81⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfad146f8,0x7ffdfad14708,0x7ffdfad147182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5476 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5384 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3344 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1132 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,10927672329919590792,3358534350875056384,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool.exe"C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool.exe"1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool.exe"2⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name2⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool.exe" && pause2⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool2⤵
-
-
C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool.exe"C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool.exe"1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
-
-
C:\Windows\SYSTEM32\attrib.exe"attrib.exe" +h +s "C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool.exe"2⤵
- Views/modifies file attributes
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 22⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" os get Caption2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" computersystem get totalphysicalmemory2⤵
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic.exe" csproduct get uuid2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\Wbem\wmic.exe"wmic" path win32_VideoController get name2⤵
- Detects videocard installed
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool.exe" && pause2⤵
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\system32\PING.EXEping localhost3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Glazed-doxxing-tool-6774281807d4f0860c60558e5bd6ec1f0048b9a8\GlazedDoxxingTool.txt1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5547df619456b0e94d1b7663cf2f93ccb
SHA18807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3
SHA2568b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a
SHA51201b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
152B
MD553bc70ecb115bdbabe67620c416fe9b3
SHA1af66ec51a13a59639eaf54d62ff3b4f092bb2fc1
SHA256b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771
SHA512cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921
-
Filesize
152B
MD5e765f3d75e6b0e4a7119c8b14d47d8da
SHA1cc9f7c7826c2e1a129e7d98884926076c3714fc0
SHA256986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89
SHA512a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079
-
Filesize
2KB
MD5baec4dacc78302b223d2f43aaadc0504
SHA106951e512797b5cd6ba19d44a7c5c8f646a6dbef
SHA2568ff2c48480c30bd9178b20639c608c6ce96f98a13657dcaf64d3b94a67e0f6d8
SHA512678f4194511d82c862c70138f83fa8d3eac5867b333df877ed40ea462ae75c88eedcd98790fc9f28c298d01a06c24d67c2ca29eeee0fd1bc92986c1aec2c5f6f
-
Filesize
4KB
MD5bd01dadc83340bf507e68d2d5e861f3c
SHA1c8d8a93b2e11248e3546858ea24f987592743fec
SHA256e38140716b750489acf83c8b81eb0daad42715890d6f9ee8c029ae0c687fdcb1
SHA5121182bba8a4e2c9c61613af315a120f2b9fc94738862c4af0f1a34db99e8d2421ef67078812c50758185bda72a53e3231a7461302fd16f8f637baf94d957c75b0
-
Filesize
20KB
MD5b583747069c10de4242573d75bd0b14b
SHA182a5f90865f2eb2419e932b95de8e650df855443
SHA256f8af4c977d302088c0816dfd2848930249a22ade8f484145b5b95332eb947e96
SHA512a941d1d8fcccdc7a7ef9cb8f13343f01796f77d438c0aaf518861ed7461e84dff8fcef5b305e74781b19d4c8fe982e16753b6e0d4b71e9aa58dc3a09efc62d3f
-
Filesize
15KB
MD53953dc0e76b0680b68ab17a0d62b7fdc
SHA1c947e588cff63604b7b0bdc8cba325cacd7f9d16
SHA256210fafa3acc92110b9cbf732c627543aefa662db06c6283ff85dd6f034f9496b
SHA512c1f98c7c86d6d667d3b3927b3a04e46a1a4d52bd2fbe16708fcb4780da3e9c3fe9df4d89b30b2f9170f815e4a307b35c30ad6f18dcd1c23d2fc22053ad34f747
-
Filesize
573B
MD50028a1a5c441a3cd5a60c34da771564f
SHA1e15d27a8322b435564ebcd36467b997d0fa8ef32
SHA2568dc36283781a25af9e2ae76d255ae311b2715396f710ff0e9850b0e64525759d
SHA512e26efd2be3114e733acdc00fb54150790872b10c88a7c4d3a19a16383bf58897ad89f14b3255a984f836666b98bafc099d8988532d03acda0dee7a7a7da3f40e
-
Filesize
5KB
MD56fc88808234de4917da9fa2a0564eea2
SHA1fbb2993c58c0de22c765d35803131ea044498dea
SHA2564f80dce30e8efaa3c5d52bc96a15fcd1a775f92d94928e0134a72e541fd28da7
SHA512c4e618d9bf9e16da2d1f48bb628e167c1042864d103e24a152b86395eb5116761d654972cc0949abcf72bbe65f637f78159638d8b6ac2a6b54ebe897b3ad3ca6
-
Filesize
6KB
MD5a0ccba569bc1486df30713579611d7bc
SHA18e73c669fb7977d31a706084fffe4090499cd69b
SHA256e2abe9d1cb68e40a0615a8942c2e113ec3a47cda4dda75662fe167c78fd8c2b6
SHA51256fcdc489b51da2b0403ca8659c640b736d5f9c9729529fe408dfb85098d47ba47d18690cb93c424554962652dbcc5f2a7d7a20f843809e9d1fe94314a8a03be
-
Filesize
6KB
MD5f1fa70ecfc8bdbfc21cc18c5361795f3
SHA14f4da518ddff2f80e86ca5b83df18a3cbc8241b1
SHA256306124972424105c90fb0aadd5895c0439c9ba609f3f009c989bbaa27021148c
SHA512f87d5884b2d9f24b8cef7802ddf082aa9532e330df4bb46ecb20e3c8c89cb64268639f93d158286858331d0e0cd9ae05db6e9a7671555a962b3ea996636b70fb
-
Filesize
7KB
MD5d882ba6361db67880d89430727e75d51
SHA132517556b722330fb1a731e1907ab284f9774809
SHA2560f09bf2065cad2dfd6210572484b62861c24c567ecb0b68e865011d8b2b81284
SHA512597dab1e08561d0de6d068bcb4c2ab16dcdc368c65b1b398f79c2b042d4a58a87092df5b5ddb3954deab88d659878d462bd6b47b67cd0a4db40eea92c1913cf6
-
Filesize
7KB
MD547043bfc6b9599f2a213064aa34f440b
SHA1d8159ed605dc0c95fc6d6de028c2688aa2ab6375
SHA256e7b018ee7b64f25d35f28ce264ea91cd7daaa56cde410caa8d7c2fd0acd79fd4
SHA512f5db4c7c5676bd5f0a4bbef665566b4e7b6a4f9a41e034d298e2bfde1edca582bb1c18c25ee18c38b439a55d7f5bf160721dfc5ec0492aa594deda675ee6e24a
-
Filesize
1KB
MD58ec550006e791ba386c978b59bf3b420
SHA12eaa735d4f63ee7c951894e06d9406de380f571d
SHA256140e3513b53f6da94e3081b9bd8933dee5d383b6c187c69202a5be096908df33
SHA512345f7b9f58792866ea80f9bbddf21d6e7cdb3d325a8fb2f86099884b099db55bbb89b54a216119bfcf43f98b1846dbbb8f5ab55729906c906eef0452d6aef35d
-
Filesize
1KB
MD55d58e795efdccd722f9904c46352c19d
SHA1a191207a8a26c37a08a8e0bfe3d9b568e852c2cd
SHA256140647aeb1077e60a166182f350f4097fd0725639c0ac1c7412f93185961cd8c
SHA5121c4f5f304f7c96d8cc5cec3e86b7f068591c638041069db08311064251528d9ab58ea4d65496cbe1e910a064f5be014a3d28b578b8b74f27cc2e7c28f3732bbf
-
Filesize
1KB
MD551592f35b756d53dc61f03b2b316190c
SHA1f1cfc4ec2ac25a13b0ce42590128b8746aca6cce
SHA256e49a9e73b2d0b45ce250cd902079531d521ed48578858206c4163d0a6da94d6b
SHA512c8c9fbe663db1b78d29f0b7a3b8584c62d81004935b65afd192ceb9855c69b568674f5c10602077c71a2aa60701b18f71e865533083a7f63363f75db3e2d4c1e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD56e947073abfce8cac287e89f63cc8e71
SHA101daa7c89f646f6679f9f83a01f3bc596312a33b
SHA256342c5b15d12ef8a2ef4a383b967da2513a1b81efba244d4a6f9bb6da31ef5c5c
SHA51225c9efe1b43be7b183df2b2ef240ad4ce64a06e0c44e8c00aed90dcdb01eb0b7fae674d38249a76e1a5566c678eb9a340bb8faaafd8fdb848cdc9e70f4cad598
-
Filesize
10KB
MD5d71b4eab2a57f991e57d98eaf3b0c50a
SHA10e21a83659ec85cf1f54a168d465354a238ee3c9
SHA2564b8bd4fd5eff3431a3c74a68303891653e46fab94d263f0cbc39ccb7fdd346bc
SHA512153ca21c82d500fbe96ed618e6a9bc090333a293965209bcd756523da246c478563288ee2141ea26ac5d36799db530b9f4867b63fa8a9d9f347fcec0fac9b9e0
-
Filesize
10KB
MD59c4dd6649f7830fef38f1f11ac240087
SHA18150edfb260d8cec1e9ef50df8171b3bae7a27aa
SHA25660757f4c800f99eefa336949b1d7a40dac1c505800b7e7c81d138e227c407707
SHA5124e9a5fda53ecb0b26922731d397ce8167b486f030a4cd5974bd597c67024c8e51b8946291a112643be674be58e40e39257ea42584f9f401a1b3d2389ca1c1bb0
-
Filesize
944B
MD5a8e8360d573a4ff072dcc6f09d992c88
SHA13446774433ceaf0b400073914facab11b98b6807
SHA256bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA5124ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe
-
Filesize
948B
MD574a6b79d36b4aae8b027a218bc6e1af7
SHA10350e46c1df6934903c4820a00b0bc4721779e5f
SHA25660c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04
SHA51260e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0
-
Filesize
1KB
MD5276798eeb29a49dc6e199768bc9c2e71
SHA15fdc8ccb897ac2df7476fbb07517aca5b7a6205b
SHA256cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
SHA5120d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
-
Filesize
1KB
MD5dfb075cf387bf1f0b6d240c28a3c518a
SHA1b02773f692f6bf897b4356832f6bba594c3c4d80
SHA256d4216d5fc92b512d3593bb8b6b8be76206aed80667a160e7ab736d96cd805a04
SHA51206b994001b1e7427c0dcab73e7e60aabe23dcd0a96c3936870f2c3b35e86212d9528f16a0aa4eb76116ffb95514255390102a0f8b13ec875d5178bc86cb44ce8
-
Filesize
64B
MD5e2a7fc20b443bab1d5f443e5cced0003
SHA1fd875f15cf9bdea6d2e507365529fe151e26e399
SHA256b977c66cd381a362076f0634005a18dbe3644cacb8d17f710076f39fb9e8d72f
SHA5120442337dde316986c1b637ec1ee54159521a6b5b45cb1d6dcb07e16abd1babdd688d13132300f85e716c80c916f0e3ec04cf538a08a21a1efbf6737d6944ebed
-
Filesize
944B
MD596ff1ee586a153b4e7ce8661cabc0442
SHA1140d4ff1840cb40601489f3826954386af612136
SHA2560673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA5123404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569
-
Filesize
948B
MD58a377eca752c76804afb8bad4fcd7b80
SHA1a46eeeba2fc3a382f764f03b8e6f8ed8ce12aebe
SHA2567c7567b1c1b9357368951dea10ce096e716d4724ae24d3074ff1ae5bb525932e
SHA51283077a7e8e610660467d1e7b953a820cfd4da7300162a2e1b720a9d85b708fcbada05c99888631adee55e314aa658ee64bf78e36cbb29d5f4a56b0c94fc64586
-
Filesize
1KB
MD5dcac964589fef8f1dd8c401fc212ad5c
SHA1f518a7cfe430e90f61b5180133b1bc644e7e535f
SHA256658c2ff03e1d130ea4862b82e47c240161a74c70cf3a957568f521507486692e
SHA512b9b9a9b1afe65d9cd9f8a6c243363b7a1425677845c280d5dc4b01627009e73c0cdbec7418107839e832b8f2ece675233c8b4ef4cb4436e8464fca20ceda7871
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
247KB
MD530806c5f18105b025d6b5e3857c4a94d
SHA198e67da55b47904d44c411866a2793c5bddbd6a4
SHA256331be32ba0a03166d1b66eecd6fcd80f2bbb480daedd79486460611ba40b59c4
SHA51266e10e12696040d12adca4df2b6adaf7fb3006010f1cd8c203a493b972548a38802d1f37f709a3c54b6a0e39a5e3622e6ecf90ac165710813da81c3f6cf5a557
-
Filesize
2KB
MD54028457913f9d08b06137643fe3e01bc
SHA1a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14
SHA256289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58
SHA512c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
472KB
-
Filesize
256KB
-
Filesize
320KB
-
Filesize
136KB