umbral | 83226bd3592d2317a86ac4b722d640a1db44d1ddfdda174372e599a77c9cebb6

Analysis

max time kernel
494s
max time network
507s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2024 18:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Saransk builder.rar
Size

3.2MB
MD5

647d26c35ba5632550d6f7f7981b25ad
SHA1

c414db069f94a31e7a282d29281f276c26b4fb6c
SHA256

83226bd3592d2317a86ac4b722d640a1db44d1ddfdda174372e599a77c9cebb6
SHA512

44c940d1820eaf65ec4be7c7a64bbd2ea5dda2a3a20ce453924374bec14e63bd3b7e701d6a87129e00286dace23004aa9dcc2c5330ac982f19035e9794fbb9aa
SSDEEP

49152:nySJ4KB3s4zaJ1Ldl41LCzvmUnfXlzdLrdmBHXcyShg9aOii0CSDEvBCR61suPf:9yKhs4k41LYfX5JRiHsyraNoPHPf

Score

10^/10

umbral agilenet stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0006000000023283-391.dat	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
5028	Umbral.builder.exe

Obfuscated with Agile.Net obfuscator 16 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/5028-101-0x000001AB8B840000-0x000001AB8B860000-memory.dmp	agile_net
behavioral2/files/0x000500000002250e-100.dat	agile_net
behavioral2/files/0x0006000000023271-104.dat	agile_net
behavioral2/memory/5028-105-0x000001AB8B860000-0x000001AB8B880000-memory.dmp	agile_net
behavioral2/files/0x0006000000023264-106.dat	agile_net
behavioral2/memory/5028-107-0x000001ABA4310000-0x000001ABA437E000-memory.dmp	agile_net
behavioral2/files/0x0007000000023259-108.dat	agile_net
behavioral2/memory/5028-115-0x000001ABA41B0000-0x000001ABA41CE000-memory.dmp	agile_net
behavioral2/files/0x0007000000023257-114.dat	agile_net
behavioral2/memory/5028-113-0x000001AB8B880000-0x000001AB8B890000-memory.dmp	agile_net
behavioral2/files/0x000600000002326d-112.dat	agile_net
behavioral2/memory/5028-111-0x000001ABA4380000-0x000001ABA43DA000-memory.dmp	agile_net
behavioral2/files/0x000800000002250d-110.dat	agile_net
behavioral2/memory/5028-109-0x000001AB8A040000-0x000001AB8A04E000-memory.dmp	agile_net
behavioral2/files/0x00020000000224ff-116.dat	agile_net
behavioral2/memory/5028-117-0x000001ABA4530000-0x000001ABA467A000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
61	pastebin.com
62	pastebin.com
63	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 55 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Umbral.builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Umbral.builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "3"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e803accbfb42cdb4c42b0297fe99a87c6410000	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 68003100000000009e57c89a1000534152414e537e310000500009000400efbe4a5870954a5872952e000000fe24020000000300000000000000000000000000000055fc3e0053006100720061006e0073006b0020006200750069006c00640065007200000018000000	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "2"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff	Umbral.builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Umbral.builder.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Umbral.builder.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Umbral.builder.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Umbral.builder.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Umbral.builder.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe
5028	Umbral.builder.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3792	7zFM.exe
5028	Umbral.builder.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3792	7zFM.exe
Token: 35	3792	7zFM.exe
Token: SeSecurityPrivilege	3792	7zFM.exe
Token: SeDebugPrivilege	5028	Umbral.builder.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
3792	7zFM.exe
3792	7zFM.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
5028	Umbral.builder.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5028	Umbral.builder.exe
5028	Umbral.builder.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 3792	468	cmd.exe	84
PID 468 wrote to memory of 3792	468	cmd.exe	84
PID 1280 wrote to memory of 4752	1280	msedge.exe	99
PID 1280 wrote to memory of 4752	1280	msedge.exe	99
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 1500	1280	msedge.exe	100
PID 1280 wrote to memory of 4092	1280	msedge.exe	101
PID 1280 wrote to memory of 4092	1280	msedge.exe	101
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102
PID 1280 wrote to memory of 3344	1280	msedge.exe	102

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Saransk builder.rar"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:468
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Saransk builder.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3792

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3080

C:\Users\Admin\Desktop\Saransk builder\Umbral.builder.exe
"C:\Users\Admin\Desktop\Saransk builder\Umbral.builder.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9e7ad46f8,0x7ff9e7ad4708,0x7ff9e7ad4718
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3692 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6904 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7268 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7828 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2864304509855521839,9716293870456051626,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 /prefetch:2
  2⤵
  PID:4444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1386433ecc349475d39fb1e4f9e149a0

SHA1
f04f71ac77cb30f1d04fd16d42852322a8b2680f

SHA256
a7c79320a37d3516823f533e0ca73ed54fc4cdade9999b9827d06ea9f8916bbc

SHA512
fcd5449c58ead25955d01739929c42ffc89b9007bc2c8779c05271f2d053be66e05414c410738c35572ef31811aff908e7fe3dd7a9cef33c27acb308a420280e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
241KB

MD5
94eb3b562647cb059e1dc7e28e1c1d27

SHA1
761597bad8036d032f24915d1d8dea7fcb059b8b

SHA256
9442dc58fedfc285331b9059cc7e22e5eea150c4fca3b96a0e38b9fba8a04259

SHA512
8e989da8b4ac8b29964cff22828a82a52d92591b250b16490cf504ef8956b3d0cde3d25edf617aef0febafb487614584440da0766c191bdeabeea5674661ffad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
6c24376bfd558ce55005f0b0b84d80d0

SHA1
51a5751adc179f5db697523ecf2571ee5a23d86e

SHA256
2a0ce44b9f7ad0d9497cca9929c4c1e4f57e019409329a1635672d5beed9fee0

SHA512
0b87ce5542949a9976517c3ee4b94ce2542a88c76c433bbb78bf34feb99948d9bae97a41817e0f50af0a1e46eba9ee6351033937008add6a9e873894d6db1c9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
254baf2a7839dc0703c123b6eae10470

SHA1
4812ad6c0398c179466c86b5e214ebac0ddab3f3

SHA256
7c782cf7d7da3db484cf3af6fa4e21f4601a692955cc698148563796f6883f94

SHA512
19f1a242e916049696f2e01284ba23c1e865499c6b5a11d2160def9b2315855064edf7dfd35f234f9b074205125f63dcd5bc5bddaf452d49d087b0263dcd57ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ef65c14051246da0026b723cec22714

SHA1
877fe290cc9dfe4e61054d14fdaadc25dbc0428d

SHA256
6ee6c02d53546dffd2c18acf928b8f9086c07a680e10607ea3fcb7f25a1976fa

SHA512
7ae360b8fa392229edc9bf22135dc96e9d09965e4e4e5b35649377e0bf5fed3305eceb6fb7ee449aaa75a74c26c5d827f3a639328e2e0a3eb7b70f507cc9da6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
e0f184aecd41425f53ac614efae71d46

SHA1
02b15b3c796709874bf3514423b559c121f9c885

SHA256
9b93b9efc017efb0e30aadcd9c7c0f93c883bbc81b2ddb7f3f9ce3840b273e0f

SHA512
dcca7dab41a46c7b8f47a3434b8a6ba43ec6dd580d1f416e20b0d63bcf9da406faddd90090f3be020757d863cd5b9f1cf32a17bd63e573125c775a1b65a1437a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dfa2074c61bbfd7e07f811f70a141ea4

SHA1
2fe8cb08b109385c288d67be1c56b4d8555bdd7b

SHA256
688fbcf1cb72d6e550b0b7edba7f868cd984f74490a1af579fc2c1d372b0503c

SHA512
0288e7a9be98187cebefad619f366739ad58b617a7b615ddb2c77ad7afca7a83859d0db393229e80f9e2f6823de35ee0ef4f467c971e2ebe8f9d9dd5b5ef68ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
fb6c09b336ef4a5352ecbae5d8cba9f1

SHA1
3b35b9f424d0fb699c898a5ada84ab4bee9e2e95

SHA256
227e45f80aa3ff7dce15a58494bb9a6b08a5dc538f7c8fa3ab8196b53b09da2c

SHA512
133d470a328e50d32d827114309949b2ca6e804112d0a2cded1ff60c56d532d1f5a37ce4dc923e56ebd8fd7a72e3c19b309bf467972bc8beb0c1fb555f5efa68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1d8af2b9b70be28eaea4ed6817a404c3

SHA1
9e01319d227b1c174dcbfe46ec082604e6a961bc

SHA256
53c6f3190fbb5eb8db2d0f1c2228833a579d6dd33891944e66e8572bb91114d0

SHA512
d4bc2db394039052f8212e20cebd31a7a4f5b20e612823f2a00f00aebd5403a91a575a7869a0362ce80300752fe92ff5d98d551a060eb5b6a1cbefa0d2b0cc98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e664066e3aa135f185ed1c194b9fa1f8

SHA1
358ff3c6ad0580b8ae1e5ef2a89a4e597c2efdc5

SHA256
86e595be48dbc768a52d7ea62116036c024093e1302aced8c29dd6a2d9935617

SHA512
58710818b5f664006a5aa418da6c8cd3f709c2265bc161f81b9dfe6cdb8304fabaa4ce9deba419fe4281623feeeaa0321f481ae5855d347c6d8cf95968ee905e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8b21976d8a9386f81d03dc65c734da65

SHA1
7619e750624401bf816f9bd73e353208bdd50f47

SHA256
82f78889b461084ef0c50061d0d9fcec84f59bf03fa232218c592b0c8ae80c2f

SHA512
eb561557dbc91d6080eab870782a0b0c6bca70e05140d3418dff2de5b5e92147ed211c20821465add04d8d6c55b22ed53198f270dbdfb475a1e553e2df3a472b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
61ccb5c6b35703efc7e3effc07d2f97d

SHA1
d9e61f0b991eff200c78551bca2de865f7f1f43f

SHA256
8cef7587f61562e61a14397a8452472c1c8abaef72c0846fa2ca91de773bdd1e

SHA512
480a6fd68ce0ff4ca6ae69b79987d65afd103a01d7d77d9b1b99978c5d1331a447b0d6ef1adbe2ef664f5071bf78ce7f1b938cecd70da08de301d2293086a1a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59e7d6.TMP

Filesize
535B

MD5
fab91055cb7936f5190d771d544238df

SHA1
9f925b5967a70ef22ce7f6058f897e117e922f33

SHA256
28f6157ed865b5b99f0d6dbe466702efb72314a15f4e4d823115c0a0895e0a74

SHA512
ba536c4b7b6c49e0fe832a6d75c48a00db25efbc9f4036cffd082a4ed8168687ff5496de87ee43dea10eaa3611e69e20a6ba8949b6bb247b265c521274f73ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
55686b25fa953c7eebbbe9c7bbd17d06

SHA1
824245ca04ac175b9e8e1a19077aa41c810ec713

SHA256
a7ebd41f3940aeeb74dc3abeada205a410853605ca5dfe83e85b7e507d03ae5e

SHA512
ba771e13991bb9d523968b0151975e77ca5b3c707303bcc685dbb0150f8540a3e0f0ce61fde72b94587907ec61ac0b958fb7fee8ae9ae3bdeb8de8f4de351d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
56cf6618e28b165fdaea6ddca675ceb9

SHA1
bfbc69117458466c4a4dc2d53122c6f33a4051ae

SHA256
ec41d4f8a320227ce1da6e65669d704a30b6c30e9917d0e6a9a4efaffa0b388c

SHA512
2252d5bb5adb2e79e0738bfb61ac63b80ae639ec10476442a19595c9434809ecaf25ead2f0e058f4a6348fd1d0f39a6a20cf8beee0984fb5295ca8623620f785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
424a7c544d4852be7b387186acf3584c

SHA1
143055ffe0a456bd59b68968ee17a7ccaa27b93d

SHA256
77f61591afa3e99bae918d8387ccc660013f387a1a4df06f13324a8ab8d49858

SHA512
54c04a076f1be2de07a6bb1f80815d96579d34ab604a7c34cd440daded25b18bf0b486d34b6658114c61e4359324fa1489026960ff9d1e51b0bf8a4f1f683bf9

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Bunifu.Licensing.dll

Filesize
1.3MB

MD5
2b2740e0c34a46de31cf9da8a75d77cf

SHA1
242324f1112e6387cda41686291b6e9a415eeb8c

SHA256
a9be91cae167702885a5ca74273db779e3e391e2e604cc03779ed403c53ebe43

SHA512
605eb300b159e6ed2ee872b6ee378eed7dde6541000221fcd94d52057be91cb3c7dd65c7203f05e0718303b157b6fb941498b5e653501f97f0417d459da6bc40

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Bunifu.UI.WinForms.1.5.3.dll

Filesize
342KB

MD5
41c216d27c71a227774e680e95e99f31

SHA1
0a2a93d4ecbf4bbec2faf110066c6b4472b0dbf5

SHA256
012d717b4ac00c3686a772757f49c1908e223624e3974314cdb9fc9291073305

SHA512
e355ba11e41b668e4459f709e87c3e212c8986ea894791d9155791ea9d7315372fb51531eb69204ed2ee38e242de7629e4a2f090c05bf9deeea9ea965ffaf651

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Bunifu.UI.WinForms.BunifuButton.dll

Filesize
107KB

MD5
21f999e5ac72a16077511d41590822de

SHA1
d8bb1a8a291f73cdf2b5658b2b65736c87db19dd

SHA256
2a62c78f1f0db2e3258135b50f7885e6734c31c74a8f2f5782f285aa268c2f71

SHA512
e04fe31870f266d772829053a6bb210a9513ff5c8c0f9a3a267ddbe1875125496caa602baf44a4e241ef84d933bd55b79af43d5871ed10c81711adecee78b8e3

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Bunifu.UI.WinForms.BunifuCheckBox.dll

Filesize
102KB

MD5
ef11f59a9381df17d7ab94434f79f260

SHA1
ec11e46a636fe3927fd5fa7c30be65b958853ef0

SHA256
390252aeb6fd76a954a03853c3d883e0360dc8b3f2cf8cfed5ba94e4e5a24da4

SHA512
612b1b0f9204c605ff5e9b91816e674cdaea71fa69f81a5a7f475bf1cc8d5e12687deb1b0118b07b3d7e4764adede0576f8fc799f8155a65a70e5dafff50f73d

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Bunifu.UI.WinForms.BunifuColorTransition.dll

Filesize
38KB

MD5
539d803013c0b1592d0e17a740d72687

SHA1
b0ce15e0f096d027b1d1482afa9d93bafd160f7a

SHA256
500adece1fba76dfb2fa628de9886a2661ed1a4e58a7717a5fee607206bb1d81

SHA512
77d8ab7a949db41a79371cf2ebd5d67bd4a38dd040de0073c878f50b2a6409fae2dc5db7cbf375fbc1bc571838b0a6d4848bdecc1420d91633b878585c94b9dd

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Bunifu.UI.WinForms.BunifuLabel.dll

Filesize
420KB

MD5
73ca0338c9c3b7901d3621b346c76a7a

SHA1
79d26ee6e1bf0beb2ee0593562592de8ff01935b

SHA256
a505193910f7b8fd6123c00bb437bff3d2a4f28c970e24207d395554765e6ad4

SHA512
53e0b84dffbec8e465955bc91f1207ba56a55543ba3c00c66997b3ee3d4cb904e027915a12f7a9dc79ffef4cde633c9b7543436c4ab97785ca2169bc3d4aeede

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Bunifu.UI.WinForms.BunifuShadowPanel.dll

Filesize
45KB

MD5
ebaf1a6efa8c7a04d174be7e0df602a7

SHA1
ce08c80e52b6cf3f62ba82408d8f32ae6bcef0d8

SHA256
1858b16074d7f9b73f462e3adcc77309800594fa96f2e0904c810eda4eaf5e86

SHA512
4ffd5dcb59a4a03273c4e88047c7d398f098302b9485d07cf5549ca0d72467102aafa69298e248250df154a8b09f7560e634cca9cb1af2838baf3965aa645b31

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Bunifu.UI.WinForms.BunifuTextBox.dll

Filesize
112KB

MD5
fd2042c49df3e74e096b8cee8cc9fe43

SHA1
4ccdb0e13c24fb71f502d50e34f00c39bcacf307

SHA256
4569393e1aad7498c6a7c8a84f79d0cd7a1d0656e912d0ddb607b61163673976

SHA512
c93ad9cb411c311b0feeefdf2089c0c13098c7d2bab56345f4e9a7fc515965a3893c613d494adbbb066801eeb3dc32237a8322f7a5f876284a06b447efdad641

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Mono.Cecil.Rocks.dll

Filesize
29KB

MD5
6fcdf77e1f173f269ff56752f273f094

SHA1
d9d26753c23fab955bb20289a20e37a1812888dc

SHA256
9db3edaa8bc6ccd7ac6e2517c743591658bd6bdd436a146e0eda101d30a1332e

SHA512
84f87537685ff55a681bf2acb4e35f77ea6ef3afc3cfb6257b7a72a62ba7f27e6a580fda89ddde2d8f9c22cce6a94622b58fe344d8fa52ff163d7cbc7d7a1804

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Mono.Cecil.dll

Filesize
352KB

MD5
037dbbacc199b24bc0ee91f60a561f06

SHA1
3f82ecbe123c783b24705862c066018f827355b6

SHA256
71c8b01208ab37a5164f5bacd69054899db9fc00f2da87dbd07dc1ee40fc06a8

SHA512
dfa108f22e5e9250d0fdecb91317278c6212773d87b9fa36ab896c3f7a66a549da3d57f71b24778fe0727408eab89cc078f260dfd245c8738a0fe78b9c812549

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Umbral.builder.exe

Filesize
113KB

MD5
2523aa0cb9c8e02ae7c62dc7e0ff54b8

SHA1
77fc1a8278dd03132df7e805daa5815e65f663ca

SHA256
6b58b3755464f350f325eafab38b65155bb9387c520511e98d8cb850013ebc35

SHA512
c4b065f51d5928b29229857f77054817d86113ce23caf62811064bb04149c9b3c7c9c876309f57d5d0ce21627283bf556b4ea63012074002367416b8abf2fbc9

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Umbral.builder.exe.config

Filesize
163B

MD5
dccd44fb11b8e4ebdfb822e809a54b6f

SHA1
1889d5ae8c7c70c051cbde104af6e0f31f8c1b63

SHA256
6862b25736259f7bfd344e43eea10a703885be381eee2a745ceb12916b01a158

SHA512
dadffe41bdadfc3a79cb34369c9a8b37ce4833aee18058b02dcb13d64007f022b80b63ab404572c60278937cf83b06b00712ff9ee302e725b9d5c7fe14bd5f50

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Umbral.payload

Filesize
230KB

MD5
da7d94f96e8b7f035020b7721e968ec1

SHA1
a30abe39a9e27e5eb76fb509eb4f9edeb7c36f5e

SHA256
23d651ed623affcb1b71457c07c4f887a6ac44b04ceef74850292ab38d1b3287

SHA512
181bf779331cbe6f456a44963004e84d8850e1a61350bae66c4e5001d185740c5fbab44b536e3e055871029db23409db376778488ea1d0098ac89786387bd6e2

Download Submit
C:\Users\Admin\Desktop\Saransk builder\Vestris.ResourceLib.dll

Filesize
76KB

MD5
944ce5123c94c66a50376e7b37e3a6a6

SHA1
a1936ac79c987a5ba47ca3d023f740401f73529b

SHA256
7da3f0e77c4dddc82df7c16c8c781fade599b7c91e3d32eefbce215b8f06b12a

SHA512
4c034ff51cc01567f3cb0796575528ca44623b864eb606266bcf955a9259ed26b20bec0086d79038158d3a5af2ada0a90f59d7c6aae9e545294fe77825dbe08b

Download Submit
C:\Users\Admin\Desktop\Saransk builder\jose-jwt.dll

Filesize
81KB

MD5
3932710fd1cfc829efaee90f08e74208

SHA1
105d65bfbc12e8e9c27d6dde9484bc85e7a7f77e

SHA256
a02b713b6a99cb0b3f85e9f389275bf904eee8be848b2a8c41507c64b264133a

SHA512
0ecb5a5b1ab5308f6c48428e244639f8d5f9a4514f9822a92f29798b1b3e7a0d60922c93543e637abd22613643feeb18cc17cdc9e906a06bc649971e678c0715

Download Submit
memory/5028-115-0x000001ABA41B0000-0x000001ABA41CE000-memory.dmp

Filesize
120KB

Download
memory/5028-124-0x000001AB8B890000-0x000001AB8B8A0000-memory.dmp

Filesize
64KB

Download
memory/5028-123-0x000001AB8B890000-0x000001AB8B8A0000-memory.dmp

Filesize
64KB

Download
memory/5028-122-0x00007FF9D7420000-0x00007FF9D7EE1000-memory.dmp

Filesize
10.8MB

Download
memory/5028-121-0x000001AB8B890000-0x000001AB8B8A0000-memory.dmp

Filesize
64KB

Download
memory/5028-120-0x000001AB8B890000-0x000001AB8B8A0000-memory.dmp

Filesize
64KB

Download
memory/5028-119-0x000001ABA41D0000-0x000001ABA4200000-memory.dmp

Filesize
192KB

Download
memory/5028-118-0x000001ABA4680000-0x000001ABA4796000-memory.dmp

Filesize
1.1MB

Download
memory/5028-117-0x000001ABA4530000-0x000001ABA467A000-memory.dmp

Filesize
1.3MB

Download
memory/5028-109-0x000001AB8A040000-0x000001AB8A04E000-memory.dmp

Filesize
56KB

Download
memory/5028-390-0x000001ABABEE0000-0x000001ABABEFA000-memory.dmp

Filesize
104KB

Download
memory/5028-111-0x000001ABA4380000-0x000001ABA43DA000-memory.dmp

Filesize
360KB

Download
memory/5028-388-0x000001ABA5180000-0x000001ABA518E000-memory.dmp

Filesize
56KB

Download
memory/5028-113-0x000001AB8B880000-0x000001AB8B890000-memory.dmp

Filesize
64KB

Download
memory/5028-386-0x000001ABABFA0000-0x000001ABABFFE000-memory.dmp

Filesize
376KB

Download
memory/5028-107-0x000001ABA4310000-0x000001ABA437E000-memory.dmp

Filesize
440KB

Download
memory/5028-393-0x000001ABABF00000-0x000001ABABF1A000-memory.dmp

Filesize
104KB

Download
memory/5028-105-0x000001AB8B860000-0x000001AB8B880000-memory.dmp

Filesize
128KB

Download
memory/5028-103-0x000001AB8B890000-0x000001AB8B8A0000-memory.dmp

Filesize
64KB

Download
memory/5028-101-0x000001AB8B840000-0x000001AB8B860000-memory.dmp

Filesize
128KB

Download
memory/5028-102-0x00007FF9D7420000-0x00007FF9D7EE1000-memory.dmp

Filesize
10.8MB

Download
memory/5028-99-0x000001AB89C00000-0x000001AB89C22000-memory.dmp

Filesize
136KB

Download