umbral | hxxps://gofile[.]io/d/2QsagS

Analysis

max time kernel
139s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/2QsagS

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discordapp.com/api/webhooks/1311062014692691990/QOlNBtJ4kP7VezLjkFDpqHqnyZGXzVzAQsLT2dKDLnaQOGXpiEHw3Jkh_uiA09O7hIRB

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca7-158.dat	family_umbral
behavioral1/memory/3428-160-0x0000021AF40E0000-0x0000021AF4120000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3708	powershell.exe
3828	powershell.exe
676	powershell.exe
5552	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	porsche1.exe

Executes dropped EXE 2 IoCs

pid	Process
4016	porsche.exe
3428	porsche1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5976	cmd.exe
6020	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5708	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	porsche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\NodeSlot = "6"	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	porsche.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	porsche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Documents"	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = ffffffff	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\NodeSlot = "7"	porsche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Documents"	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "5"	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	porsche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 60003100000000004759dc4b10004d594e4f54457e310000480009000400efbe4759db4b7c59b2952e000000ff28020000000100000000000000000000000000000090ddb5004d00790020004e006f007400650062006f006f006b00000018000000	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 6c003100000000004759db4b10004f4e454e4f547e310000540009000400efbe4759db4b4759e24b2e000000fe2802000000010000000000000000000000000000003e729e004f006e0065004e006f007400650020004e006f007400650062006f006f006b007300000018000000	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	porsche.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	porsche.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	porsche.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	porsche.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	porsche.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
6020	PING.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
2912	msedge.exe
2912	msedge.exe
2476	identity_helper.exe
2476	identity_helper.exe
1428	msedge.exe
1428	msedge.exe
3428	porsche1.exe
3428	porsche1.exe
3708	powershell.exe
3708	powershell.exe
3708	powershell.exe
3828	powershell.exe
3828	powershell.exe
3828	powershell.exe
676	powershell.exe
676	powershell.exe
676	powershell.exe
5164	powershell.exe
5164	powershell.exe
5164	powershell.exe
5552	powershell.exe
5552	powershell.exe
5552	powershell.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe
5152	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2792	7zG.exe
Token: 35	2792	7zG.exe
Token: SeSecurityPrivilege	2792	7zG.exe
Token: SeSecurityPrivilege	2792	7zG.exe
Token: SeDebugPrivilege	3428	porsche1.exe
Token: SeIncreaseQuotaPrivilege	1828	wmic.exe
Token: SeSecurityPrivilege	1828	wmic.exe
Token: SeTakeOwnershipPrivilege	1828	wmic.exe
Token: SeLoadDriverPrivilege	1828	wmic.exe
Token: SeSystemProfilePrivilege	1828	wmic.exe
Token: SeSystemtimePrivilege	1828	wmic.exe
Token: SeProfSingleProcessPrivilege	1828	wmic.exe
Token: SeIncBasePriorityPrivilege	1828	wmic.exe
Token: SeCreatePagefilePrivilege	1828	wmic.exe
Token: SeBackupPrivilege	1828	wmic.exe
Token: SeRestorePrivilege	1828	wmic.exe
Token: SeShutdownPrivilege	1828	wmic.exe
Token: SeDebugPrivilege	1828	wmic.exe
Token: SeSystemEnvironmentPrivilege	1828	wmic.exe
Token: SeRemoteShutdownPrivilege	1828	wmic.exe
Token: SeUndockPrivilege	1828	wmic.exe
Token: SeManageVolumePrivilege	1828	wmic.exe
Token: 33	1828	wmic.exe
Token: 34	1828	wmic.exe
Token: 35	1828	wmic.exe
Token: 36	1828	wmic.exe
Token: SeIncreaseQuotaPrivilege	1828	wmic.exe
Token: SeSecurityPrivilege	1828	wmic.exe
Token: SeTakeOwnershipPrivilege	1828	wmic.exe
Token: SeLoadDriverPrivilege	1828	wmic.exe
Token: SeSystemProfilePrivilege	1828	wmic.exe
Token: SeSystemtimePrivilege	1828	wmic.exe
Token: SeProfSingleProcessPrivilege	1828	wmic.exe
Token: SeIncBasePriorityPrivilege	1828	wmic.exe
Token: SeCreatePagefilePrivilege	1828	wmic.exe
Token: SeBackupPrivilege	1828	wmic.exe
Token: SeRestorePrivilege	1828	wmic.exe
Token: SeShutdownPrivilege	1828	wmic.exe
Token: SeDebugPrivilege	1828	wmic.exe
Token: SeSystemEnvironmentPrivilege	1828	wmic.exe
Token: SeRemoteShutdownPrivilege	1828	wmic.exe
Token: SeUndockPrivilege	1828	wmic.exe
Token: SeManageVolumePrivilege	1828	wmic.exe
Token: 33	1828	wmic.exe
Token: 34	1828	wmic.exe
Token: 35	1828	wmic.exe
Token: 36	1828	wmic.exe
Token: SeDebugPrivilege	3708	powershell.exe
Token: SeDebugPrivilege	3828	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	5164	powershell.exe
Token: SeIncreaseQuotaPrivilege	5376	wmic.exe
Token: SeSecurityPrivilege	5376	wmic.exe
Token: SeTakeOwnershipPrivilege	5376	wmic.exe
Token: SeLoadDriverPrivilege	5376	wmic.exe
Token: SeSystemProfilePrivilege	5376	wmic.exe
Token: SeSystemtimePrivilege	5376	wmic.exe
Token: SeProfSingleProcessPrivilege	5376	wmic.exe
Token: SeIncBasePriorityPrivilege	5376	wmic.exe
Token: SeCreatePagefilePrivilege	5376	wmic.exe
Token: SeBackupPrivilege	5376	wmic.exe
Token: SeRestorePrivilege	5376	wmic.exe
Token: SeShutdownPrivilege	5376	wmic.exe
Token: SeDebugPrivilege	5376	wmic.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
2792	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe
3184	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3024	OpenWith.exe
4016	porsche.exe
4016	porsche.exe
4016	porsche.exe
4016	porsche.exe
4016	porsche.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3184 wrote to memory of 2208	3184	msedge.exe	83
PID 3184 wrote to memory of 2208	3184	msedge.exe	83
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 4408	3184	msedge.exe	84
PID 3184 wrote to memory of 2912	3184	msedge.exe	85
PID 3184 wrote to memory of 2912	3184	msedge.exe	85
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86
PID 3184 wrote to memory of 4168	3184	msedge.exe	86

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2188	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/2QsagS
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb315846f8,0x7ffb31584708,0x7ffb31584718
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4260 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1736 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,14738506710726091622,10493139688198343731,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5040 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3828

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3596

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Disney+ Checker\" -ad -an -ai#7zMap15571:92:7zEvent28357
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Disney+ Checker\Disney+ Checker\Start Checker Disney+.bat" "
1⤵
PID:2844
- C:\Users\Admin\Downloads\Disney+ Checker\Disney+ Checker\Data\Modules\porsche.exe
  Data\Modules\porsche.exe
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4016
- - C:\Windows\system32\rundll32.exe
    rundll32 url.dll,FileProtocolHandler https://t.me/AtlantisMultiChecker
    3⤵
    PID:6140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/AtlantisMultiChecker
      4⤵
      PID:1924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb315846f8,0x7ffb31584708,0x7ffb31584718
        5⤵
        
        PID:1828
- C:\Users\Admin\Downloads\Disney+ Checker\Disney+ Checker\Data\Modules\porsche1.exe
  Data\Modules\porsche1.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3428
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1828
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\Disney+ Checker\Disney+ Checker\Data\Modules\porsche1.exe"
    3⤵
    - Views/modifies file attributes
    PID:2188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Disney+ Checker\Disney+ Checker\Data\Modules\porsche1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5164
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5376
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:5432
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5552
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5708
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Disney+ Checker\Disney+ Checker\Data\Modules\porsche1.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:5976
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:6020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
6a26170261ffabc25d57bade4a6fa991

SHA1
a1861d6d9c15375df914c9ef9b5b89d3cf672a21

SHA256
cfef1eb0916bb174cf746a4e2262d314a869f531e8b6bb79bd5fb247ca048870

SHA512
d83547de3dd00eddacaf47be929033c91edf7e0ae9794872d2b3f7d6335ead3d3ea2a695ae5f102681e694efb67640fd7f525d952cac3fcc9a35a09f53ab67d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
194f962a08ab979e130c9b2107e45941

SHA1
e3d2647be9f9bd771dfd79994ab17c661ea2d5e7

SHA256
200fdb615ea5fa05584abad198dc48a5278cea9049dc28ecf0031156c3b326d3

SHA512
766e5f59fdc9f33600b027fe0b209594ba1454f2959c52b34dce84ec23bdaff0a4ba00cd9e7ccda7b1184b56480a53ed65f9f59b88cbc3fec6f52030c7b9502d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
562071cba007c6f0efa1078893ad6aee

SHA1
b5b381c14e0ee0abb267624ecf61eea473393d18

SHA256
1b2e6b9967e0f44794b0054e338527bb48c4897350218e9ddc4fbc02fada4d2b

SHA512
87152317cc6bf4f5160d07c80369e178844a8b32214c549f4bba7d6c1658db6bc47cae3f4ece1cb9e0d788504b9d160d275c4e04a2edc0e0b725c35b86ffdefb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
462B

MD5
54b11ebc9d746bf8b30859a8b80faf40

SHA1
d828d1e776fbe8a211389b46a94f47b94c45508d

SHA256
6527d607eeb9c46d675bad251f93fbd04e36624ba15b866737b427ba90753040

SHA512
76820c3811df98b736071389dae5a03cdc905d49502cbd8676ffc0b00ab91904dfcee135a3a7d38e0fc7867d1aa99400fd5603c701d4d6bd23a0a0ff9716be4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
524B

MD5
1257d29c42771e7686f74f53fc09da27

SHA1
b34d3d2dd7bd0973e56574fb01f2121001f35f7f

SHA256
b24eaaf9ba0f084f3aef90057407ed8bff8b6ba1620f33fd56e508f29f5480e3

SHA512
7cbeff6eabb7736fc6a459e6ab5b5a5134eb38d3292cb9dadb58252e76bd12df7d5ca1a24d64d0606e7592b514731cba59e83b0b4ef364226639b91607530a20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b3b8b3a9ee6509652a6ace7d63f84bef

SHA1
a83ef72ce964a52900f62d24e85571338a15c990

SHA256
468e8fbc34dd77ff83601dbb3d5b765af6843a1077d5d66c0923be0cd09a8fce

SHA512
8fe1afe3be4dbbe9a35a1f8769dddc31c4ab887c9854690baaff89716d1ced7c2b6de0c009a7ca39c65556155475f48fd140ce5d21c7c46afdcc56b100bcc6be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2182cea8c4faa816a97d097a0f62279c

SHA1
46302564a9a031b9ab3b4c92b30c282d03238bb2

SHA256
f4f96a3fc4050176aecfcb2676ea287a37cbb05726ff70cd5e9284c51eea24b9

SHA512
1ea71de70d74a639a0351fbe6bb258f838552896ab24fd9930d03d5bd28944f94e8a3a8dba47355329bbbff7c78963892971bf4908b07db0c41eab232d9f42a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b0f5d4e6c0f4b77055a5d06fbba76e1f

SHA1
af88a903504a2fcca5dd4de4aba378c6fb529d58

SHA256
0e0441dc5cc1ae47028da0fbf925d5084e889d613c409208bcd808a99b0591ab

SHA512
4ab06d1154483a0c4ed653fb3983880d56fd09692dfb5a090d4e2e5103a1ab6704616cf899a0ab3a0d81a065e0b0a05ca39a33e597be764907cd7f32c6822e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
632055da730e9312bdeebe3738827f60

SHA1
044a592474d8170648884c36eaee9f24b5fce9b0

SHA256
f0ab3bac79aff9922537f890c29bb7820dd9ac671ce17b700a5c84beb37eae49

SHA512
39571d01433257c8557a7a22c946cc449f9caf6b5491859cd2a189d6c2167a60824c1a1f922abfc44b1106d571077083bc2071a2c38bb5411073b40c667c8ff2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586954.TMP

Filesize
370B

MD5
7f17d4809940aa5f1d49305c5124078e

SHA1
b2ae2982bf5c5e97afbf8650bf7fd7b4c5a49a37

SHA256
b7151d7e76747656ebc27f47ac5715c6100c191d2f4c7773ba5a275d59756c8e

SHA512
5ca1719a025284007dd95be9931350b9c197df987125f691c157360ba6747340e4e23ed829aec18e31b160b37d573fdaf977f8b8c666f4520b65573d72e435fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
efa6b04a67e1749a092d6d37351d62cc

SHA1
4702fadc9be42c3c40805cbad17de2c0aea23d4c

SHA256
973fbe5871cdea2911983603abb242afc499e43a87ae0eca77f3460b8eaa1c78

SHA512
993ed90da265efdb000d6d64b8844c5fc78fffac7c32b4c77996c29e5f9b8aa1800fffe35475a4aea9f01325c5dfaac6a097ae824809c05083043822cb4495a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
30ab4f7ff9215f125b0905a3d7890faf

SHA1
c68bd7bbd151ca61e5c1b43282feb037ea3694dc

SHA256
9a07513dfa0910471723b737b9a4f643700ffae5e1db0659f5ef9ba673c5be3a

SHA512
e0b9e71b77b53c54dce87d087e4818f29e204511f32a32e8b8fad98865aebe94d2f97b01d2a926dde12d5b2c3cf75af37b9cdcb065a31a8c0a4d605857255060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6aca8b03e81d8ca85f904ddf2c9aa555

SHA1
cb24072b8e0c30b3907caddf7798db35d3206f31

SHA256
a64c9261384335f7c44cf36f37d401f022dc37ef6e48f73c7497caadf17b6175

SHA512
ff53ecb314cc8c90cfecd28f14d17e54e1665c3370060dfc2e21fbb440e60d01da9041ee458ac040939c100ae2f2bee11df88177929e4c711c05f415e356b192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c65738617888921a153bd9b1ef516ee7

SHA1
5245e71ea3c181d76320c857b639272ac9e079b1

SHA256
4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

SHA512
2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c3b84be2bbf3c65d814edb1e6d8df10f

SHA1
1e23ead985215ee938f5280a0144529654ed5f3c

SHA256
a4f8c5af90aedc806d37e2b2adc3f80d0d0d99b681b497988b44c826d7093b2b

SHA512
397860732aadd6e68d2193ae93ce9307779d267e64e21787ff6edc5428b388c132ddf69af3fb353a4f316f6ba86a5993e6d7da04d0475fe21accfac4b8ac6ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0rsphurm.waa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Disney+ Checker.rar

Filesize
3.3MB

MD5
a3e7ade1633e7a6342145f0e1383940b

SHA1
da33df782c81a6f9a8507744052418492c37ec90

SHA256
944b75417710ef12381c478546f2466779a06a7484010b060a84c308a7b6104e

SHA512
e1914ef890c8e95a34a2a0063f9af943bb34176c10bd4de4cad4a63ab65c2074e8cc3aa1195e4ccd23dc34f6c3fee3a4e320125302e17d802bfff7b93bf6aeff

Download Submit
C:\Users\Admin\Downloads\Disney+ Checker\Disney+ Checker\Data\Modules\porsche.exe

Filesize
6.6MB

MD5
982d28535a304e512d3bb1299efd16c3

SHA1
9ab6a3fc0062f0beea6208af3dfed59593757b02

SHA256
a9e9e5bb80a7ce020a6c524866aa36fcc249238c874ead4c8275e02e9c1a69f1

SHA512
d5a1f2ac4a7be7f3bbcf0c3cb2290d05f1ff5639a39388aed20f47d5bfae9c288918dbe47e8918b2c54c2909e5816b12fdf21334291dc0bfce5d581ec9453651

Download Submit
C:\Users\Admin\Downloads\Disney+ Checker\Disney+ Checker\Data\Modules\porsche1.exe

Filesize
228KB

MD5
a02ef51c400a390278e1bc1eef771aee

SHA1
a6a6b2cc45aa46905c4eae7fc190defee2c6aea9

SHA256
219f1e38f72fcdc8085210482f3a59ea3e480d102827284427118376d0603985

SHA512
eb28183c01409c93011b002474a003af5317b5fe3db0580b975581b1a2482a81a5c01a0184f6565133fcd2137e5b3e943db689ce2055c11d5b02d49123de2d5c

Download Submit
C:\Users\Admin\Downloads\Disney+ Checker\Disney+ Checker\Data\Modules\porsche1.exe.config

Filesize
163B

MD5
9a3d99ab612161dfe2116f5939b8bc05

SHA1
a0f4570011c4e5add32b247889eb1036c9f1cfa1

SHA256
97f54f7cda9454d4083f240408cd315a54c99be0d770f3a77baa18b00a410c8a

SHA512
4701a79ae88d0164c87930d35fc3e2ebab016e6bb7ea794f90b67268782b298ab65288b8364afcaadb5c4ce6b22630179426f5a53da60dde81cb6c90a88d8590

Download Submit
C:\Users\Admin\Downloads\Disney+ Checker\Disney+ Checker\Start Checker Disney+.bat

Filesize
63B

MD5
7cd830db1b8da52c0062cc6f260a9685

SHA1
ed401d18b0095fc94e4809b7d1ff433dd05697f4

SHA256
d3347618ea5777b3d58e2005afbebe1e9d484405919333f41bc0ddb189261758

SHA512
c735b66dc15a37221b65e9350115db78ee55cb3ef11f401bc9f744be2b1283a16937d62ca8344c071febd6ddd4ccf924b001bbb79a5d03519bf49328264ae097

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/3428-160-0x0000021AF40E0000-0x0000021AF4120000-memory.dmp

Filesize
256KB

Download
memory/3428-238-0x0000021AF5EC0000-0x0000021AF5ECA000-memory.dmp

Filesize
40KB

Download
memory/3428-239-0x0000021AF6890000-0x0000021AF68A2000-memory.dmp

Filesize
72KB

Download
memory/3428-196-0x0000021AF5E90000-0x0000021AF5EAE000-memory.dmp

Filesize
120KB

Download
memory/3428-194-0x0000021AF68E0000-0x0000021AF6930000-memory.dmp

Filesize
320KB

Download
memory/3428-192-0x0000021AF6810000-0x0000021AF6886000-memory.dmp

Filesize
472KB

Download
memory/3708-169-0x0000021603FC0000-0x0000021603FE2000-memory.dmp

Filesize
136KB

Download
memory/3708-175-0x000002161C3C0000-0x000002161C408000-memory.dmp

Filesize
288KB

Download
memory/3828-188-0x0000025478980000-0x00000254789C8000-memory.dmp

Filesize
288KB

Download
memory/5164-232-0x00000210A8C30000-0x00000210A8C78000-memory.dmp

Filesize
288KB

Download
memory/5552-256-0x000001B73C510000-0x000001B73C558000-memory.dmp

Filesize
288KB

Download
memory/5552-255-0x000001B73C4F0000-0x000001B73C50E000-memory.dmp

Filesize
120KB

Download