umbral | e3b335a6210e3756c9dad7dfa16d7e2852a9674dd15e8c9b9c4f538cc7ed1014

Analysis

max time kernel
1113s
max time network
1760s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
16-06-2024 17:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb186d77def7fb80cf24a010111b3bfe.jpg
Size

10KB
MD5

4459c04d0262372202aabc164d1432d8
SHA1

fb98e4e39b158c2f70301e3af57ff84734f6c28e
SHA256

e3b335a6210e3756c9dad7dfa16d7e2852a9674dd15e8c9b9c4f538cc7ed1014
SHA512

5b55c896fd271ea9449fab422fafd590b4717c7c51f1d21b93b663ec5ecdaa5572faea0e84433549ef951a2e3b2cc5b3580f356b50fb13d0cb009583a1d243b8
SSDEEP

192:IVjpz4P10PcxLIf6ME4c9PfmR3L9z5Lu94Z780qPw2lYgXVhpbuTSDhZgU:I9p1clIfNUfmxl5L7Z780qPwylhpDh6U

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000e00000001a434-1096.dat	family_umbral
behavioral1/memory/2496-1133-0x00000000000B0000-0x00000000000F0000-memory.dmp	family_umbral
behavioral1/memory/484-1321-0x0000000000B00000-0x0000000000B40000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2252	powershell.exe
1136	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 2 IoCs

pid	Process
2496	Umbral.exe
484	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
120	ip-api.com
136	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2196	wmic.exe
1568	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1984	PING.EXE
2504	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2496	Umbral.exe
1136	powershell.exe
752	powershell.exe
2296	powershell.exe
2712	powershell.exe
2264	powershell.exe
484	Umbral.exe
2252	powershell.exe
1064	powershell.exe
1672	powershell.exe
1948	powershell.exe
1688	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe
Token: SeShutdownPrivilege	2084	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1856	rundll32.exe
1856	rundll32.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe
2084	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2676	2084	chrome.exe	31
PID 2084 wrote to memory of 2676	2084	chrome.exe	31
PID 2084 wrote to memory of 2676	2084	chrome.exe	31
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 2488	2084	chrome.exe	33
PID 2084 wrote to memory of 1156	2084	chrome.exe	34
PID 2084 wrote to memory of 1156	2084	chrome.exe	34
PID 2084 wrote to memory of 1156	2084	chrome.exe	34
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35
PID 2084 wrote to memory of 2920	2084	chrome.exe	35

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1976	attrib.exe
2964	attrib.exe

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\cb186d77def7fb80cf24a010111b3bfe.jpg
1⤵
- Suspicious use of FindShellTrayWindow
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6c99758,0x7fef6c99768,0x7fef6c99778
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:2
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1548 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1328 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:2
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1456 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:1
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3464 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3584 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2828 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=2540 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3704 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2544 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:1
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=540 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1652 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2784 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:1
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4300 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4308 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4356 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4524 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4348 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4420 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:612
- C:\Users\Admin\Downloads\Umbral.exe
  "C:\Users\Admin\Downloads\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2496
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2008
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:1976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2712
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:1952
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2276
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2264
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2196
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Umbral.exe" && pause
    3⤵
    PID:892
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3908 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4504 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4048 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4224 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3788 --field-trial-handle=1296,i,6763850129403207607,8440245510156857639,131072 /prefetch:8
  2⤵
  PID:2112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "657208058670800963-1757765183-1076455550-135142755718765000941961705652813917237"
1⤵
PID:2548

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:912

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x58c
1⤵
PID:800

C:\Users\Admin\Downloads\Umbral.exe
"C:\Users\Admin\Downloads\Umbral.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:484
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:1892
- C:\Windows\system32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Umbral.exe"
  2⤵
  - Views/modifies file attributes
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Umbral.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:2244
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:2912
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1688
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1568
- C:\Windows\system32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Umbral.exe" && pause
  2⤵
  PID:2176
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - Runs ping.exe
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
dce15200afaf8990f6cd5d93a1a320f5

SHA1
fd62c000218b83ad74f2b39acdc563df63162ca6

SHA256
5789acd028d7150494bc168e57335004d2d529899b32cdfe66ae6be1c13886c1

SHA512
9ac6f77f4ccfc366ab4bb3f33acc200d09a52c1e69c4ace72028c7802abf6ff9257f42f6b8bffb598483d70f0534a3d51fb7b0e6d39d938a91a4aaef737fb33f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
988faffe3803db639f860dac1cb7bee4

SHA1
14fdba1ddffd7c255446532c893645bd257c40c3

SHA256
22dfb1b36ed931d8caef7fa6bc89d2ab2518403685a5dac74ab436e4df8e0ac9

SHA512
1909014e12f5d8c0046e740699ac3853e4d0033c45b73a5805bd89bfe2d57341aa7ac38428a3981435926154df6d9394ca7c91cab9e1b86f620447ec0f4468ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cf333629d5d562019995145098ebf44

SHA1
caba18b3e9df51c57b34a165d94f5b81a210c522

SHA256
826676777c4e347330faeb494a96bf6b9dab8bf860c3b49bec013c63e8a39094

SHA512
e98ddd251e46ec4ab339d54cb8b53dbc4ae1a63141bcd5d50957704238bad07fdcc8ee68b198aed376912d276b814854d326cf295e21e1676d81196bef242e0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e3702b48f43bea5200f0118214b6aab

SHA1
306a640e483f8161ea21ba1d5514241a503796cf

SHA256
2765963b6a7dac642a2d9f8cf5a38a6e86b9ba68123dd6a070a8385f61784484

SHA512
ca68ae00ee3cb4f01ef65980d4d8391bce6d532a330c89ee3402f701fa7692494c7f7228796389d651b01484179331014e292dbd0b878eb85304d4840a960d1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2a93b31ec562f039a0c0352b13f8226

SHA1
2746f3bb0dd2d0e89709587d7ee1a302f2f1bf11

SHA256
c0ac401007afc907f48e177ac68cf8cc29d6670581084a7998b05c88ddc31059

SHA512
9d92f5fd2635ff682a869d3e2f512d9599db0b0f67cb2d039f83b183601571ac431b63e1b29ccbc5ed627ee7156ed700607c9004aa0b860b73074db4854abc5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9be874bc0321cb35ae61048d7a93a6d6

SHA1
89d9bb9aef8918502ac218b2dbb602a151a757eb

SHA256
4487bac4c0f2cf7e7e258d5e1efa10a7254481df6d059648547f769affcfa884

SHA512
9422ce6ef83025be1dca1589e786ab6f335faef29f353413c53519ae7bdaa0034e7009562e26dc02e4aa8ba639d0a689b9291aa85e5dcf895fc2642093b26c6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6976b70e3c1512ca2d2f255af0f50ba2

SHA1
93e11a6bec059ccd27c84fad6380224e6b6ea05d

SHA256
f502fa11e9464a5595b2fbc9b90320499335e01817b0ae3bc50b2eac73f8c87e

SHA512
ed73371e3e2210b0a30362ae645c20eb490ca08c0d083275bc11312696b59b2edf368cb2b74a56f83ced67dd5158640ea325f15c4172a91942a37942537c0354

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e61ff91d69bbb893e59d61237663adb

SHA1
4d9151c1209bd2915d025cf53dab837f15f86238

SHA256
68b5df153c6a752204e1df2b868908d9eb8034f7265c9cbb6019453e9ad537a7

SHA512
1377d2192e329eec114ff53f36c317c1cc587d3823dfc311ec94a4f26d913731963e230d50c2d6e4589880cbe9366cdfa211c56c4fff27d68c68525b1d4b0941

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87d102d1ad876ba98d9772993dd88eee

SHA1
af345ae599d53e0a2fc2c05c13c26d687d4a8695

SHA256
e3bc3b22974ead6cb6a57eb42376fb3adb8de939fef31b9704817ea4d9ce69f9

SHA512
4723fff93c6d76727e8fbfad27d5363db9ab8ea740b740f8b582e216e4d666a217022fd335e10aa31626c011119a2d27aaf48b4b1248fa89192dd5cac7402d04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
776af465ab5712720aa3a31a771e2f91

SHA1
c8db61fe7da96b9ceeacd4cd19f4182c4bdf67ed

SHA256
3e498babd109b657c5d6503df57e16e7232b6f19bf45442136638ac771e02da0

SHA512
b2e420c0e5ea438b3f8a3d6503edb64137c8eb08671bae7c4c3ded12de6254738bddf78263f5479f00250e9d49a1d0da37c000d3524e545f43e7532a1745d32b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
523908842ec78fb748d3a057a76ca487

SHA1
e0046fddeb1c402ee49e643753881c3c80fbe7d9

SHA256
536a00a709b4710b824de31c1a1d5779e43694a516a79cd02f9c6b744b998b28

SHA512
0e4b3a7ba5be6733700e3c7e8420ae460b8f0d30c2dc465d091077254c47a58074aae7feb0196ad95f9801870ae047a51fc7f2fd18ebb8141413f86e984fedc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\4eb3b9c5-72a7-45d5-9b24-10210d0326be.tmp

Filesize
5KB

MD5
49efcc8bf00e6fa88c873f2fffea5f9f

SHA1
4cb7dd8137a63fd8ce10604546f6f843cc5df667

SHA256
fdc7bf40243d4aa2ff9d342f216062dcfb94dc7321240e1ff549d4c2749a6fa8

SHA512
a3f43608061c29ae102570bc9cb1fd55452eec7079c13a97d6b3038627d951e653dd2839cce1dd0a9888ff32eede95df9585bf0fe2a580cadfec333bb9d3474f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_download.oxy.st_0.indexeddb.leveldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_oxy.st_0.indexeddb.leveldb\CURRENT~RFf7a4e20.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000007.log

Filesize
829B

MD5
9d51a4fa355db4f615b16b3acba6900e

SHA1
57315dacd60a6e1e5073e67250d3428fda979874

SHA256
b9b81c31cac9310b9eebf1d6d714e79cee9430fd816df6e04aedc2d4d9059724

SHA512
a1b46df2aa18e0cc67db4eb51137280f76afd5827c7e835e2892d157d8059cf7bde541d19158de6c72f018e0977127ff0c1e4d92293945b0b912fb2979fbed44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000007.log

Filesize
1KB

MD5
34014cf6506afd329f9498da2fd3e7ae

SHA1
ba38024153e3eb5222a60772c6c5a696d8beab1d

SHA256
5bb62106503dad059474d7b76957f6081c7f5c65b952079606a751f46cc577d7

SHA512
3596bb07203fed62972902b316abacc8db424652e25794a1bbf6e92713526d5a0570e504d9a067dacd7ded5b069cfaa0f6a41809aff3382ed6e44e2b5cdcc73b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
20f84c53656886521a83a592cab97fae

SHA1
748406ef9afa1e198a1ae6fbffe33f34aa4b386e

SHA256
aa73f30ab03a07192ae425f9be428198b6475abd1f7d0a1c3e79f2302dc3f341

SHA512
f063524b2e5f24bc3b8f6e881c0f1c222aa60aeeed112f9495cda70c6da16c7967225d5c79b69df8b9dad4e075f1fba7c1b2164f2d53cbb82ef54dbccff4ee38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
5cc7c7c0c0f1daa732db133a3dd35a92

SHA1
089d1dfa0220426121b227317ec9b50dda9a637c

SHA256
28aafbf8dc546a711f481771907734e545b70a6b2ae01585e54dd2ad2ac4433f

SHA512
2963fa56fe3aae9b7229d22deb464c9f6acadafbd13c892284125986233ca7b5115d5ecb32d91007d7c95f85ffa7dbbcccf1a1d3e5b9d80ffecdfcb30496193e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a864b58cb61d5da6c3037bb19a374155

SHA1
8ae69aa73ba2557801cad9a676daf0c10f0ad358

SHA256
9e97f8cff562b7ce679b43c282674baa6ed4c9bbb60b96405fb52f5ff075e106

SHA512
883d06558bf7275353c924d0e41d7d27165668c8821b8bf2da2617e74680155984c6f8f7ec2128ee91b30c0429d961323495e5e8c01ba8952adbb36caafbeffd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e47408e3b6dbbaf2d511681e90957e92

SHA1
e3ce4b2fe21ed3ff6ef10252ae6df17b52dcf700

SHA256
1faf05854141f1d0560de46e4fce2604f889d5a0691fcc4f710d44bff4d393d0

SHA512
da13275b29511076fcee277006db883904025126896fb1d1cc7ec0457c684abae4596ce68151c70f1b2c48149c9b23ab3895e264c94be86d53381047cf67caf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
200B

MD5
ed55151430afd37c208fb91335805c8a

SHA1
ce7b4ac785c066f3e937dd16d57e7a91bf7d22fa

SHA256
05198eb9627179c2f91a0ff392263ee46bd3f3e1d4e5d0da56d6096bd3f75b12

SHA512
d882e40e1faa1b5f1754c83d94378bd221453c7d35273e1ec9cfac9aafdac3754891e61913ef3536542ae09e7811b4763bd05dd1ad840dcd21b0b08c0d363bfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
776449f313864fd2a031327aae3e5796

SHA1
52051e58e383d5d80ce8110241a3dc8f63fd6245

SHA256
bf46243a6521e4c90834250723442843befbcaf56791d9977f577593edb58646

SHA512
2425040e05ab9ab4fb57f1531618037836a52250d0166debb57a375ae1d9a62bf3b912e6eaeeee4fb12492e784fb39af3c85ee5b686102ece5433a2b92b1c6da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b3951ffcdbfd75d91b09e5ad13b74948

SHA1
e96a9010237cc3078dad1d02a65b5cfc4e335104

SHA256
c914cabf4db270eeabc80153c5bd0a5d4e9dd7d402838c0da0d32666a54e42db

SHA512
0789c4672b1570b2c8549a958523276ffa65f8df9282eb3eb7ca61e0c69a548cf23d4ca2c62d383a21ef8ee932e207956e28403240a6bef5d7a8ef2ca19dfdf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb

Filesize
1KB

MD5
5e79258169918dcea78e80613d2bcc56

SHA1
352f2561aeb3b8b985d5ce176c5a9db83dd27024

SHA256
db532198623c240901528425dfb673940172cb10e9862518a6a170e38a89cadb

SHA512
fbef0eb9df756919beea33eb7720520a597c9ad9a273232e73de5808a7843ec1fbb587557a3edd632c706aab83af1b4e4211cb412a43c3d0fe0cee0a5413c32f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.log

Filesize
2KB

MD5
1c75fb6489d24a06602244107c4404f9

SHA1
5fd4af90a56c734a02804ea25dc2f9659bba6013

SHA256
cffdfcfb8e8bb86f23722c0547580e973e766392a1bd7d95d3d21086158a0b39

SHA512
e4f262f8d7a70c925ab675df874ee22703f620aff4ae4dabfd8780a1beb643bbafe39dfd9adc75b4dfb9734fe361e83093f7fdfc3714469bd34cf896efc5feb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f56fa11e-dad0-4b2e-b946-f4aebec70c2d.tmp

Filesize
6KB

MD5
b0b54fe58a8c8be8d0e230ad54daf077

SHA1
5af6f11d41a84bb7cf0fbcf6898567c1f7e92b8f

SHA256
75fefadd4e6d9163ecf66ede8660ca33640f75236849c81eedec30764130bd26

SHA512
cbf05a597ee3995cf88a9d8b76896f19189f4997440b0cf86519f28b3ca47cd9e78c29e6f913f37ca3b7613cd5441d6109106b966c08c831bc8cf74370014e47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
297KB

MD5
43b3c7fc105dfafd1387a459d8cabd80

SHA1
e543af7002b8e8181b88d80b60aa38184f41388d

SHA256
7daf8c8f40a537f7a68c65b930cd0186d5c9c22fe3f146bae490e160be8fc18b

SHA512
70e68a938728c69cabf5bb8fd48803a8f5486b1edcdda4abef4956357bfdf4d1490f8fd85a3969797290169fb28a7b3f0c9dba7df1e894aca9bae8bcc20320c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
91KB

MD5
3aef7e2ece5fd91513060a02defc2c63

SHA1
9b5de5f0597a2a361a8713e6ea75ee5c1fc6a115

SHA256
a7205f015a9df840fa7a9a88854dda4a931d4acd5732cc8e104bf6d1b1e8df2a

SHA512
d91c2dbb3baa443d7c66225cb7c5f1f4a152ff98e711b6174d2a457312a463fa67a7462569f9f7950e82fe62447836b19f60fce1f69a9f426962dfd32c279c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4DA5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4DD7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0b1fadb583fe9a94881cb567807cc8bb

SHA1
099112531d0a4e6614a3b4305696fc81f7923e17

SHA256
ce8206fc45ce861f02030eb894c3adb4902482b1d30aa0d42ffe89d70bd82c15

SHA512
e718d2fd3b3b188a384e29b9f057c9c313aa67ca166a3ef8c667e973a03c7739bb2e0e86c62c6956d3685f3b22c1e4cab27a8a13571f67c80834dc53756dde68

Download Submit
C:\Users\Admin\Downloads\Umbral.exe

Filesize
231KB

MD5
224637a1e182f5b76c93e023aaf59e1f

SHA1
9d5e8084253280167e347ec4c96ed8f97277d601

SHA256
78fc07d2451da0497c54530bd1855650f7b710d066f4ea4643b67995da4dc235

SHA512
be478e8a29b187036fdacab7973471af5c55a76eb3a980a31e3f4757cbaea9c975db37be4464f06e72b7b75a86a8db335d5804c4afcc76e3f3a79ce5a1ac4cb6

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
memory/484-1321-0x0000000000B00000-0x0000000000B40000-memory.dmp

Filesize
256KB

Download
memory/752-1225-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/752-1226-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1136-1219-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/1136-1218-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/1688-1367-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1856-0-0x0000000001DF0000-0x0000000001DF1000-memory.dmp

Filesize
4KB

Download
memory/2252-1327-0x0000000001FD0000-0x0000000001FD8000-memory.dmp

Filesize
32KB

Download
memory/2496-1269-0x000007FEF35F0000-0x000007FEF3FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-1134-0x000007FEF35F0000-0x000007FEF3FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-1133-0x00000000000B0000-0x00000000000F0000-memory.dmp

Filesize
256KB

Download
memory/2496-1132-0x000007FEF35F3000-0x000007FEF35F4000-memory.dmp

Filesize
4KB

Download