umbral | hxxps://file[.]io/z9WGrhMgNKMm

Analysis

max time kernel
316s
max time network
321s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2023 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.io/z9WGrhMgNKMm

Score

10^/10

umbral persistence stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1080132753695182890/OM88z5U1CQlUDMQ1n3UcwRfJ2sRQBlvT6lYXqOseT-tGSfD3DocUvIPJtq9zz0WItMTc

Signatures

Detect Umbral payload 7 IoCs

resource	yara_rule
behavioral1/files/0x00070000000232b6-337.dat	family_umbral
behavioral1/files/0x00070000000232b6-362.dat	family_umbral
behavioral1/files/0x00070000000232b6-361.dat	family_umbral
behavioral1/memory/2532-363-0x00000176EAF10000-0x00000176EAF50000-memory.dmp	family_umbral
behavioral1/files/0x00070000000232b6-652.dat	family_umbral
behavioral1/files/0x00070000000232b6-654.dat	family_umbral
behavioral1/files/0x00070000000232b6-656.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 4 IoCs

pid	Process
2532	Umbral.exe
4280	Umbral.exe
6580	Umbral.exe
4500	Umbral.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{3462D55B-8D68-4F2B-8AA6-9157334394BA}.catalogItem	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133333863762300893"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 44 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeDebugPrivilege	2532	Umbral.exe
Token: SeShutdownPrivilege	4868	chrome.exe
Token: SeCreatePagefilePrivilege	4868	chrome.exe
Token: SeIncreaseQuotaPrivilege	7184	wmic.exe
Token: SeSecurityPrivilege	7184	wmic.exe
Token: SeTakeOwnershipPrivilege	7184	wmic.exe
Token: SeLoadDriverPrivilege	7184	wmic.exe
Token: SeSystemProfilePrivilege	7184	wmic.exe
Token: SeSystemtimePrivilege	7184	wmic.exe
Token: SeProfSingleProcessPrivilege	7184	wmic.exe
Token: SeIncBasePriorityPrivilege	7184	wmic.exe
Token: SeCreatePagefilePrivilege	7184	wmic.exe
Token: SeBackupPrivilege	7184	wmic.exe
Token: SeRestorePrivilege	7184	wmic.exe
Token: SeShutdownPrivilege	7184	wmic.exe
Token: SeDebugPrivilege	7184	wmic.exe
Token: SeSystemEnvironmentPrivilege	7184	wmic.exe
Token: SeRemoteShutdownPrivilege	7184	wmic.exe
Token: SeUndockPrivilege	7184	wmic.exe
Token: SeManageVolumePrivilege	7184	wmic.exe
Token: 33	7184	wmic.exe
Token: 34	7184	wmic.exe
Token: 35	7184	wmic.exe
Token: 36	7184	wmic.exe
Token: SeIncreaseQuotaPrivilege	7184	wmic.exe
Token: SeSecurityPrivilege	7184	wmic.exe
Token: SeTakeOwnershipPrivilege	7184	wmic.exe
Token: SeLoadDriverPrivilege	7184	wmic.exe
Token: SeSystemProfilePrivilege	7184	wmic.exe
Token: SeSystemtimePrivilege	7184	wmic.exe
Token: SeProfSingleProcessPrivilege	7184	wmic.exe
Token: SeIncBasePriorityPrivilege	7184	wmic.exe
Token: SeCreatePagefilePrivilege	7184	wmic.exe
Token: SeBackupPrivilege	7184	wmic.exe
Token: SeRestorePrivilege	7184	wmic.exe
Token: SeShutdownPrivilege	7184	wmic.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 852	4868	chrome.exe	85
PID 4868 wrote to memory of 852	4868	chrome.exe	85
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 436	4868	chrome.exe	87
PID 4868 wrote to memory of 3440	4868	chrome.exe	88
PID 4868 wrote to memory of 3440	4868	chrome.exe	88
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89
PID 4868 wrote to memory of 1356	4868	chrome.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://file.io/z9WGrhMgNKMm
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba1069758,0x7ffba1069768,0x7ffba1069778
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:2
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5000 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5680 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5596 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5184 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5460 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:3540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5272 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5236 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=6128 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6228 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=6440 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6964 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6948 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=6932 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6896 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6888 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=6860 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=7624 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6572 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6580 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=8172 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:5752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=8304 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=8316 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=8788 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=8700 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=8040 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=7484 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9636 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:8
  2⤵
  PID:6380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9596 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:8
  2⤵
  PID:6368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9488 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:8
  2⤵
  PID:6544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8696 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:8
  2⤵
  PID:6624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9900 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:8
  2⤵
  PID:6616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=11060 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=10912 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=11092 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=11132 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=11124 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=11108 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=10660 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=10524 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=10488 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=10196 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=10192 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:6704
- C:\Users\Admin\Downloads\Umbral.exe
  "C:\Users\Admin\Downloads\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=11544 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:7324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=11280 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:7332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=10900 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:7316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=12520 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:7376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=12504 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:7368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=12488 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:7360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=11072 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:7352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=13300 --field-trial-handle=1916,i,5499758244249352181,6719407191380311292,131072 /prefetch:1
  2⤵
  PID:7788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:1660

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510 0x40c
1⤵
PID:848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4668

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
- Executes dropped EXE
PID:4280
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3624

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
- Executes dropped EXE
PID:6580
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2872

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
- Executes dropped EXE
PID:4500
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
09de01f4eaf5826c22e10a802bab1860

SHA1
7865ee039c71854298d013f32d27f0e3939d08ea

SHA256
15f829b916a1133d6ad0f75ace621024ac2d96c67652854308b5e91fc72d5699

SHA512
51ec91ade97dab4d99cdd8d9d812a59a8a773292ed847b6bcfdc481aeb5b7ddcf90c88f739e55399c71095a9876080acf4e43a23af741cff6781fde655b85948

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
14KB

MD5
16bb6ba1338950a0f4e072fd20c62199

SHA1
038ff0b51775259b271eabd26f84adf3e096404f

SHA256
9c0bf338a75e77837f630fda6eef444f4d2f9aaf4f7c32e3c4461483301baf8c

SHA512
56d28fec33a5ab9aa4b26c31855f9810c1b8a6a73821e95c0a08e752d26c7dfb0b5286fed1e39aff3f548abde5ae18b79225bd0db0da95aa83f853f5691d2340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
43c00161799ee4c7ce491b6303bdca93

SHA1
944ccd55fc7fae28ded4f5aaf524c273699ceda4

SHA256
89a471e6ca70fc8c0d84f18c9f2f9837d11ffad6ef6ffdfbc67b23d08a7dd1dc

SHA512
46c5e1bbc071f023762bac97595f749cb74d2a3ca731cc18b4282c856b9311e4f071c7c02a6351afa23804e2cde856d5986b177fca2ced94e4efc9268b955f5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
503f0592889912c11b33510960c07eb3

SHA1
2d3432e9fff1ca20f8746c4d6a7f8db3ca4a019d

SHA256
b76989f42e4afa0432b9bf0f00b80617f30c01fc3ad9d5e9896d1c1035810672

SHA512
b3e930310818a549f818d4b37a4028757758619ba9d3cfaf063086b8d9843470cf195b0fab4651155f8815a788e91b1e682d772ff7b359e7ca6aca22b4976484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ac85b0d507d9ae13f86af96ba3b69f46

SHA1
9f22ff49cbf63657d6e4ae3e0180ca7c97da07e1

SHA256
b4e0e5f16f485d01be945d489b45601c9f6f62e7c857e88560d9e815ae8db93d

SHA512
ce7437cb87737452d9fe9004350987b2de0fa11fa43d9355a35ac54d21db17e7bdf6e8845977339fc82aa6f4f328a13003b25d786335830e0dcf45e8b27150b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8fae24d844ab59eb1eff481858384399

SHA1
d51ef05b6bb431b1d6ce2ea23a5b672523eaa8d8

SHA256
b55886b630ad0ad278b650d95ffec63596e7cc345b093dd37a04e83fab5ed703

SHA512
3484d3d98f201e24cd4ea8e7de74117da65cb2327ad373491864cbec4ae028f8541dc90860f50fcd37dfaf0f9b438f3834874c40f888c353137c0cf8a305ce90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
44cc44e135053536981786b42b665cdb

SHA1
69df46fa1c348fc1db568f145bd5771e889e737d

SHA256
d87b075898a397869a512a8de16dfbd5e82740d3e38b533c6b90d524a00e4f3f

SHA512
274bdefe3de2e99e712d6858634b8cff840a1e522a6b58d760b46941fcf44c858b512b71bd9b8a5d53f927b3922707147b126ee5d47133967cfbddbf36ba3b76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
9e4476d756605a3fc1db6b2cf06b3c2a

SHA1
14c28b2282772009460c38fe8148f92ab2c9ddc9

SHA256
229c99fe93730eec6297d3ebe3bd72277d52f6b967aac64ea048fa55178a0760

SHA512
81857ecd9a3c2d0c71d477df02b2b08377ca26ff54e3a42228a28dda7d3118335d9f9e61d1e69b6d8fc7c608d2d2bb1d0b2d743a11c75c0759ae565e1e1d59fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
3e517f49e863ca3158878b6fc0e63a9f

SHA1
a6be3379acebc9b5e1720f4ea3cb0ddb0eed99fb

SHA256
49688bfac5565b95be30bca958912c6b422737b365ffdc116f1776f52ffe6b05

SHA512
7e64a1f8472cfca262d1d9cdc54eda8a85b2e9b55948e8e455ebb818e7e1e8dc0793f8a567e71fede7f5820c6fb8bbdd30a4a21b7223c88c9e56e621669a83a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
165e4cc4b70a693e7f7e3409f7b72316

SHA1
2c26168f7f7219d364fe8d483a7d32a1511d5cc5

SHA256
72ce0257018c8c81b80031ec86cdc99955108922a7e1bf7a312609e279566fb8

SHA512
3dc456be22e25751942d79a468501edd772ccc0e5cc8779e53043bf3be0ac6a002c4b84eab7a69777b63550e2cab7795340cb4b7c8fc5d116e883b003a97a0bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
8094b248fe3231e48995c2be32aeb08c

SHA1
2fe06e000ebec919bf982d033c5d1219c1f916b6

SHA256
136c30d964f4abbb5279bdc86d0e00578333782f15f05f0d2d050730dcb7a9bc

SHA512
bf27a3822008796370e2c506c910a40992b9240606ea1bc19f683b2fee86b81897660ac0cf8e746ca093dae9e408949e2e9002ded75678a69f020d3b0452801f

Download Submit
C:\Users\Admin\Downloads\Umbral.exe

Filesize
231KB

MD5
7ed9bb611ab79d8b1479bd60b3814d6a

SHA1
e8e0ccc69741f5552cd51002df03dae5a2051b06

SHA256
8dae232ae5f7ac2024f0571187ec02ff059bde905a518a562675fb1bc950709a

SHA512
62bbb17e640918a51bb1420a5aa2d4ead2b601748e57575aa8b8abb322fb58955e672598952036c17c1380ab57a9f658ca1bd3bf8c8b6dd488126bcace21dfee

Download Submit
C:\Users\Admin\Downloads\Umbral.exe

Filesize
231KB

MD5
7ed9bb611ab79d8b1479bd60b3814d6a

SHA1
e8e0ccc69741f5552cd51002df03dae5a2051b06

SHA256
8dae232ae5f7ac2024f0571187ec02ff059bde905a518a562675fb1bc950709a

SHA512
62bbb17e640918a51bb1420a5aa2d4ead2b601748e57575aa8b8abb322fb58955e672598952036c17c1380ab57a9f658ca1bd3bf8c8b6dd488126bcace21dfee

Download Submit
C:\Users\Admin\Downloads\Umbral.exe

Filesize
231KB

MD5
7ed9bb611ab79d8b1479bd60b3814d6a

SHA1
e8e0ccc69741f5552cd51002df03dae5a2051b06

SHA256
8dae232ae5f7ac2024f0571187ec02ff059bde905a518a562675fb1bc950709a

SHA512
62bbb17e640918a51bb1420a5aa2d4ead2b601748e57575aa8b8abb322fb58955e672598952036c17c1380ab57a9f658ca1bd3bf8c8b6dd488126bcace21dfee

Download Submit
C:\Users\Admin\Downloads\Umbral.exe

Filesize
231KB

MD5
7ed9bb611ab79d8b1479bd60b3814d6a

SHA1
e8e0ccc69741f5552cd51002df03dae5a2051b06

SHA256
8dae232ae5f7ac2024f0571187ec02ff059bde905a518a562675fb1bc950709a

SHA512
62bbb17e640918a51bb1420a5aa2d4ead2b601748e57575aa8b8abb322fb58955e672598952036c17c1380ab57a9f658ca1bd3bf8c8b6dd488126bcace21dfee

Download Submit
C:\Users\Admin\Downloads\Umbral.exe

Filesize
231KB

MD5
7ed9bb611ab79d8b1479bd60b3814d6a

SHA1
e8e0ccc69741f5552cd51002df03dae5a2051b06

SHA256
8dae232ae5f7ac2024f0571187ec02ff059bde905a518a562675fb1bc950709a

SHA512
62bbb17e640918a51bb1420a5aa2d4ead2b601748e57575aa8b8abb322fb58955e672598952036c17c1380ab57a9f658ca1bd3bf8c8b6dd488126bcace21dfee

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 968878.crdownload

Filesize
231KB

MD5
7ed9bb611ab79d8b1479bd60b3814d6a

SHA1
e8e0ccc69741f5552cd51002df03dae5a2051b06

SHA256
8dae232ae5f7ac2024f0571187ec02ff059bde905a518a562675fb1bc950709a

SHA512
62bbb17e640918a51bb1420a5aa2d4ead2b601748e57575aa8b8abb322fb58955e672598952036c17c1380ab57a9f658ca1bd3bf8c8b6dd488126bcace21dfee

Download Submit
memory/2532-363-0x00000176EAF10000-0x00000176EAF50000-memory.dmp

Filesize
256KB

Download
memory/2532-364-0x00000176ECC50000-0x00000176ECC60000-memory.dmp

Filesize
64KB

Download
memory/6580-655-0x000002A3B02A0000-0x000002A3B02B0000-memory.dmp

Filesize
64KB

Download
memory/6580-657-0x000002A3B02A0000-0x000002A3B02B0000-memory.dmp

Filesize
64KB

Download