umbral | 0697ab58f1b4c94620982f20ffc2e1069974a7f4c38c804e3a15a3d3f54a89d5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dllmain.exe
Size

229KB
MD5

411156b1cc6ca8a2722edb9a9bf15991
SHA1

93441490e31783317bb8b3c2e4a9d0916eb4674d
SHA256

0697ab58f1b4c94620982f20ffc2e1069974a7f4c38c804e3a15a3d3f54a89d5
SHA512

61609bbcf4b09a5feb0ba72b531687f73bb3ee1e12dd7bda6ab2a4b5caf33f39e91df7f200184b63039cd7eee2b6b95575a89f5f03850d4841861ca3f4e377b5
SSDEEP

6144:tloZMNrIkd8g+EtXHkv/iD4vW2mmkrHMl9YW3X241b8e1mik4i:voZmL+EP8vW2mmkrHMl9YW3X2MXkB

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2072-0-0x00000236C00B0000-0x00000236C00F0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
232	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	discord.com
29	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2576	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642121645539076"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
232	powershell.exe
232	powershell.exe
3272	powershell.exe
3272	powershell.exe
1304	powershell.exe
1304	powershell.exe
4348	powershell.exe
4348	powershell.exe
4336	powershell.exe
4336	powershell.exe
1756	chrome.exe
1756	chrome.exe
1468	chrome.exe
1468	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	dllmain.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	1712	wmic.exe
Token: SeSecurityPrivilege	1712	wmic.exe
Token: SeTakeOwnershipPrivilege	1712	wmic.exe
Token: SeLoadDriverPrivilege	1712	wmic.exe
Token: SeSystemProfilePrivilege	1712	wmic.exe
Token: SeSystemtimePrivilege	1712	wmic.exe
Token: SeProfSingleProcessPrivilege	1712	wmic.exe
Token: SeIncBasePriorityPrivilege	1712	wmic.exe
Token: SeCreatePagefilePrivilege	1712	wmic.exe
Token: SeBackupPrivilege	1712	wmic.exe
Token: SeRestorePrivilege	1712	wmic.exe
Token: SeShutdownPrivilege	1712	wmic.exe
Token: SeDebugPrivilege	1712	wmic.exe
Token: SeSystemEnvironmentPrivilege	1712	wmic.exe
Token: SeRemoteShutdownPrivilege	1712	wmic.exe
Token: SeUndockPrivilege	1712	wmic.exe
Token: SeManageVolumePrivilege	1712	wmic.exe
Token: 33	1712	wmic.exe
Token: 34	1712	wmic.exe
Token: 35	1712	wmic.exe
Token: 36	1712	wmic.exe
Token: SeIncreaseQuotaPrivilege	1712	wmic.exe
Token: SeSecurityPrivilege	1712	wmic.exe
Token: SeTakeOwnershipPrivilege	1712	wmic.exe
Token: SeLoadDriverPrivilege	1712	wmic.exe
Token: SeSystemProfilePrivilege	1712	wmic.exe
Token: SeSystemtimePrivilege	1712	wmic.exe
Token: SeProfSingleProcessPrivilege	1712	wmic.exe
Token: SeIncBasePriorityPrivilege	1712	wmic.exe
Token: SeCreatePagefilePrivilege	1712	wmic.exe
Token: SeBackupPrivilege	1712	wmic.exe
Token: SeRestorePrivilege	1712	wmic.exe
Token: SeShutdownPrivilege	1712	wmic.exe
Token: SeDebugPrivilege	1712	wmic.exe
Token: SeSystemEnvironmentPrivilege	1712	wmic.exe
Token: SeRemoteShutdownPrivilege	1712	wmic.exe
Token: SeUndockPrivilege	1712	wmic.exe
Token: SeManageVolumePrivilege	1712	wmic.exe
Token: 33	1712	wmic.exe
Token: 34	1712	wmic.exe
Token: 35	1712	wmic.exe
Token: 36	1712	wmic.exe
Token: SeIncreaseQuotaPrivilege	4476	wmic.exe
Token: SeSecurityPrivilege	4476	wmic.exe
Token: SeTakeOwnershipPrivilege	4476	wmic.exe
Token: SeLoadDriverPrivilege	4476	wmic.exe
Token: SeSystemProfilePrivilege	4476	wmic.exe
Token: SeSystemtimePrivilege	4476	wmic.exe
Token: SeProfSingleProcessPrivilege	4476	wmic.exe
Token: SeIncBasePriorityPrivilege	4476	wmic.exe
Token: SeCreatePagefilePrivilege	4476	wmic.exe
Token: SeBackupPrivilege	4476	wmic.exe
Token: SeRestorePrivilege	4476	wmic.exe
Token: SeShutdownPrivilege	4476	wmic.exe
Token: SeDebugPrivilege	4476	wmic.exe
Token: SeSystemEnvironmentPrivilege	4476	wmic.exe
Token: SeRemoteShutdownPrivilege	4476	wmic.exe
Token: SeUndockPrivilege	4476	wmic.exe
Token: SeManageVolumePrivilege	4476	wmic.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 232	2072	dllmain.exe	82
PID 2072 wrote to memory of 232	2072	dllmain.exe	82
PID 2072 wrote to memory of 3272	2072	dllmain.exe	86
PID 2072 wrote to memory of 3272	2072	dllmain.exe	86
PID 2072 wrote to memory of 1304	2072	dllmain.exe	89
PID 2072 wrote to memory of 1304	2072	dllmain.exe	89
PID 2072 wrote to memory of 4348	2072	dllmain.exe	91
PID 2072 wrote to memory of 4348	2072	dllmain.exe	91
PID 2072 wrote to memory of 1712	2072	dllmain.exe	94
PID 2072 wrote to memory of 1712	2072	dllmain.exe	94
PID 2072 wrote to memory of 4476	2072	dllmain.exe	99
PID 2072 wrote to memory of 4476	2072	dllmain.exe	99
PID 2072 wrote to memory of 3092	2072	dllmain.exe	101
PID 2072 wrote to memory of 3092	2072	dllmain.exe	101
PID 2072 wrote to memory of 4336	2072	dllmain.exe	103
PID 2072 wrote to memory of 4336	2072	dllmain.exe	103
PID 2072 wrote to memory of 2576	2072	dllmain.exe	105
PID 2072 wrote to memory of 2576	2072	dllmain.exe	105
PID 1756 wrote to memory of 1920	1756	chrome.exe	114
PID 1756 wrote to memory of 1920	1756	chrome.exe	114
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 2984	1756	chrome.exe	115
PID 1756 wrote to memory of 3136	1756	chrome.exe	116
PID 1756 wrote to memory of 3136	1756	chrome.exe	116
PID 1756 wrote to memory of 4716	1756	chrome.exe	117
PID 1756 wrote to memory of 4716	1756	chrome.exe	117
PID 1756 wrote to memory of 4716	1756	chrome.exe	117
PID 1756 wrote to memory of 4716	1756	chrome.exe	117
PID 1756 wrote to memory of 4716	1756	chrome.exe	117
PID 1756 wrote to memory of 4716	1756	chrome.exe	117
PID 1756 wrote to memory of 4716	1756	chrome.exe	117
PID 1756 wrote to memory of 4716	1756	chrome.exe	117
PID 1756 wrote to memory of 4716	1756	chrome.exe	117
PID 1756 wrote to memory of 4716	1756	chrome.exe	117
PID 1756 wrote to memory of 4716	1756	chrome.exe	117

C:\Users\Admin\AppData\Local\Temp\dllmain.exe
"C:\Users\Admin\AppData\Local\Temp\dllmain.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dllmain.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:3092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4336
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee482ab58,0x7ffee482ab68,0x7ffee482ab78
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:2
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:1
  2⤵
  PID:508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1468

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2521eb3973c5f6b2aec4ff26290feb62

SHA1
af3e347128bd411a276b0859ca2879947623f7cb

SHA256
ba7eadadbd69c195b3c94b6c2e848325797cf0d45a05b7385b95f6f704420874

SHA512
b9321bac5fee2db2ea475b6b8ff1b0ec63d6400e2b663679f8b34f2b7d9efb3822810512dd62707da38133fb5a4e413e49db9680db76403019fb9266d032d179

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ec01a7ef342b86928270827d986728d8

SHA1
d294e7220425740bf50c778aed4ab077489ead0c

SHA256
68f302fcd5a70f12f3b97e6df4003bac3a02495b4c37dfdaf25ff81cddafde61

SHA512
6a12d6a4cfe1cbdc7e9c948968f54ca27539c3a9c48b50377b35e3100449ebb1c4f3fe16cd76f6ecf91c96f4778ff29016e0a8d7fb4e8b61aca9fde7b3da8181

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d89d668a-04b0-4743-82e3-22c7fa07affa.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a172def4063a59d11cc666c156f78040

SHA1
f2bd71d9ff27a1ae2833b0b464120bb07657eea2

SHA256
4f0f81fba92b2bcd811e5ad112c653c0a2eb5557a85b3ebbec5d80c0ecab1cf5

SHA512
3d60467913a0242fcf19e5f0f0115488e026e3d4dc18a157b25f3a15a8d5ebb5c690b356489abb956929207e03bb9e91a7767e4568aefdc99d15b13a41662b24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
3d4f42f4976df90914e1e850574c0ad0

SHA1
68ed54508d01d304abcdd7a64c59d2cf1d195a0c

SHA256
5892e59a9cce000f77b116e07a572d2660b2e02f8e497be4f6cb99f2d58bab3d

SHA512
159b8b3e212a34d6cdb46fad746f6bc14c83d4503c9e6eca4d19ab40a0ea0f6cf9ac64724f5838eca2ad515d8a9990167dfe1048c7a70c1657576191b0853aa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
de6613f4a1090b9b1c2a0dbc6e9556c4

SHA1
e3455bf3a22ac52a79bcc0a5feab97655ec21941

SHA256
169c12c27027af231895fb9a3e31b2d503ec94f52539821cbeeb412b617da8cc

SHA512
2ac589480b2e3224feba13d1396e749e5ff96ed60901d36597b305b1b144cc54bc5fa9d196fc8dba00e01a74a9c095191f1db90188e3c8ee441a1885be8c70f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88db0a141f2cd066a7c4df2b3c8f8010

SHA1
94fa00eb79992a0ded28012645a7caf8e04debe1

SHA256
0d8418bfcb5ad8ee710af1bfbed2e2a095e50d56f487372775e6cef420f1c85a

SHA512
0cc6090bf52227b8241e9f38849257de7e5c2ad2a9a9ead41f115b7492caa97c64bf2cd02640d48dc5d8593c4ae462497fe1aba87f8454a096cd174932a699bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o0cdtopt.kt4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/232-15-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/232-18-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/232-12-0x000001F324F40000-0x000001F324F62000-memory.dmp

Filesize
136KB

Download
memory/232-13-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/232-14-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/2072-71-0x00000236DA7A0000-0x00000236DA7AA000-memory.dmp

Filesize
40KB

Download
memory/2072-32-0x00000236DA870000-0x00000236DA8C0000-memory.dmp

Filesize
320KB

Download
memory/2072-0-0x00000236C00B0000-0x00000236C00F0000-memory.dmp

Filesize
256KB

Download
memory/2072-72-0x00000236DA7D0000-0x00000236DA7E2000-memory.dmp

Filesize
72KB

Download
memory/2072-33-0x00000236DA770000-0x00000236DA78E000-memory.dmp

Filesize
120KB

Download
memory/2072-92-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/2072-31-0x00000236DA7F0000-0x00000236DA866000-memory.dmp

Filesize
472KB

Download
memory/2072-2-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/2072-1-0x00007FFEE3D83000-0x00007FFEE3D85000-memory.dmp

Filesize
8KB

Download
memory/4348-68-0x000001E87BB40000-0x000001E87BB88000-memory.dmp

Filesize
288KB

Download