umbral | 351cba23cab65cd57d5ec9e553bfa02d35a32a8f75467a75b1c3735b87af6a3d

Resubmissions

04-07-2024 13:03

240704-qaf1tsxckj 10

04-07-2024 12:47

240704-p1mqmaxbjr 10

Analysis

max time kernel
65s
max time network
200s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraB/Solara/solarabootstrapper.exe
Size

227KB
MD5

ebf1358b8496d5c895f4b8f9298f7f96
SHA1

f0136d66bf877934376858064344c2038b998fd4
SHA256

bccba62c31f689715d01f4e80edbe2fe6a816edb571c4a409fccbe2d5b789b65
SHA512

ca82e5838c7e8b292f46e5b20684b7fbb861f449678fc6283bd5c587c0958c069800e94c9f65b239609434564a394f8ca168d83d40bc27c96ade6c18744beb6d
SSDEEP

6144:eloZMLrIkd8g+EtXHkv/iD46E6TjpaC9sop7mGz3/b8e1mZJi:IoZ0L+EP86E6TjpaC9sop7mGzLt

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/2180-1-0x00000000013A0000-0x00000000013E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2748	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	solarabootstrapper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com
24	discord.com
25	discord.com
26	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	ip-api.com

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1008	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2180	solarabootstrapper.exe
2748	powershell.exe
2512	powershell.exe
2420	powershell.exe
2872	powershell.exe
972	powershell.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	solarabootstrapper.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe
Token: 35	2696	wmic.exe
Token: SeIncreaseQuotaPrivilege	2696	wmic.exe
Token: SeSecurityPrivilege	2696	wmic.exe
Token: SeTakeOwnershipPrivilege	2696	wmic.exe
Token: SeLoadDriverPrivilege	2696	wmic.exe
Token: SeSystemProfilePrivilege	2696	wmic.exe
Token: SeSystemtimePrivilege	2696	wmic.exe
Token: SeProfSingleProcessPrivilege	2696	wmic.exe
Token: SeIncBasePriorityPrivilege	2696	wmic.exe
Token: SeCreatePagefilePrivilege	2696	wmic.exe
Token: SeBackupPrivilege	2696	wmic.exe
Token: SeRestorePrivilege	2696	wmic.exe
Token: SeShutdownPrivilege	2696	wmic.exe
Token: SeDebugPrivilege	2696	wmic.exe
Token: SeSystemEnvironmentPrivilege	2696	wmic.exe
Token: SeRemoteShutdownPrivilege	2696	wmic.exe
Token: SeUndockPrivilege	2696	wmic.exe
Token: SeManageVolumePrivilege	2696	wmic.exe
Token: 33	2696	wmic.exe
Token: 34	2696	wmic.exe
Token: 35	2696	wmic.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeIncreaseQuotaPrivilege	832	wmic.exe
Token: SeSecurityPrivilege	832	wmic.exe
Token: SeTakeOwnershipPrivilege	832	wmic.exe
Token: SeLoadDriverPrivilege	832	wmic.exe
Token: SeSystemProfilePrivilege	832	wmic.exe
Token: SeSystemtimePrivilege	832	wmic.exe
Token: SeProfSingleProcessPrivilege	832	wmic.exe
Token: SeIncBasePriorityPrivilege	832	wmic.exe
Token: SeCreatePagefilePrivilege	832	wmic.exe
Token: SeBackupPrivilege	832	wmic.exe
Token: SeRestorePrivilege	832	wmic.exe
Token: SeShutdownPrivilege	832	wmic.exe
Token: SeDebugPrivilege	832	wmic.exe
Token: SeSystemEnvironmentPrivilege	832	wmic.exe
Token: SeRemoteShutdownPrivilege	832	wmic.exe
Token: SeUndockPrivilege	832	wmic.exe
Token: SeManageVolumePrivilege	832	wmic.exe
Token: 33	832	wmic.exe
Token: 34	832	wmic.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe
1676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2696	2180	solarabootstrapper.exe	28
PID 2180 wrote to memory of 2696	2180	solarabootstrapper.exe	28
PID 2180 wrote to memory of 2696	2180	solarabootstrapper.exe	28
PID 2180 wrote to memory of 2748	2180	solarabootstrapper.exe	31
PID 2180 wrote to memory of 2748	2180	solarabootstrapper.exe	31
PID 2180 wrote to memory of 2748	2180	solarabootstrapper.exe	31
PID 2180 wrote to memory of 2512	2180	solarabootstrapper.exe	33
PID 2180 wrote to memory of 2512	2180	solarabootstrapper.exe	33
PID 2180 wrote to memory of 2512	2180	solarabootstrapper.exe	33
PID 2180 wrote to memory of 2420	2180	solarabootstrapper.exe	35
PID 2180 wrote to memory of 2420	2180	solarabootstrapper.exe	35
PID 2180 wrote to memory of 2420	2180	solarabootstrapper.exe	35
PID 2180 wrote to memory of 2872	2180	solarabootstrapper.exe	37
PID 2180 wrote to memory of 2872	2180	solarabootstrapper.exe	37
PID 2180 wrote to memory of 2872	2180	solarabootstrapper.exe	37
PID 2180 wrote to memory of 832	2180	solarabootstrapper.exe	39
PID 2180 wrote to memory of 832	2180	solarabootstrapper.exe	39
PID 2180 wrote to memory of 832	2180	solarabootstrapper.exe	39
PID 2180 wrote to memory of 756	2180	solarabootstrapper.exe	41
PID 2180 wrote to memory of 756	2180	solarabootstrapper.exe	41
PID 2180 wrote to memory of 756	2180	solarabootstrapper.exe	41
PID 2180 wrote to memory of 2688	2180	solarabootstrapper.exe	43
PID 2180 wrote to memory of 2688	2180	solarabootstrapper.exe	43
PID 2180 wrote to memory of 2688	2180	solarabootstrapper.exe	43
PID 2180 wrote to memory of 972	2180	solarabootstrapper.exe	45
PID 2180 wrote to memory of 972	2180	solarabootstrapper.exe	45
PID 2180 wrote to memory of 972	2180	solarabootstrapper.exe	45
PID 2180 wrote to memory of 1008	2180	solarabootstrapper.exe	47
PID 2180 wrote to memory of 1008	2180	solarabootstrapper.exe	47
PID 2180 wrote to memory of 1008	2180	solarabootstrapper.exe	47
PID 1676 wrote to memory of 2564	1676	chrome.exe	50
PID 1676 wrote to memory of 2564	1676	chrome.exe	50
PID 1676 wrote to memory of 2564	1676	chrome.exe	50
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51
PID 1676 wrote to memory of 1292	1676	chrome.exe	51

C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\solarabootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\solarabootstrapper.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SolaraB\Solara\solarabootstrapper.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:832
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:756
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:972
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7829758,0x7fef7829768,0x7fef7829778
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1108 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:2
  2⤵
  PID:1292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:1
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2312 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1464 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:2
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3208 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:8
  2⤵
  PID:1536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3684 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3848 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:8
  2⤵
  PID:300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2188 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4080 --field-trial-handle=1208,i,17740298018450942362,18320607789262085803,131072 /prefetch:1
  2⤵
  PID:1048

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
bc557efc6c1ddb7ba310173e8f6b2420

SHA1
e8d8ece3bb521d00b0d9c50123d73764fe5a56da

SHA256
203f88f676411cbb2c6e16a088236595caca298f4988467510ae77501af0be77

SHA512
d6642085198df2baff851ded842119e8e0004d0088cc6c9e71f285b70674215df29c1cb166b982d05390dee02ca75babefa2a48db1bcff3e70c078888f9c216c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
106c12c47d0183fd4a198718d0ca2a5e

SHA1
f1fb5e08b08979a68bc4a8054179054fd25cde42

SHA256
64c5ce5aa58e6c1b691f50469fc7b92a92d91e75871a2c43ed3086c3ddd9d709

SHA512
928edb00737f01b4d5ce33da6b93f5e2b7a25c4563e03e3da4521bbb10386597a43aa00bced4e464e754fc4d342a432d48080e9c8101cc79051e70a1e946861d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c69b1fa62d293167a8dce82fc82bdee

SHA1
7ca99a3b4dae8c0004e56d161d05c071b517397e

SHA256
36eecf469f49ae76bc5475358c484d70d6b438e06725c09f91dceabc9c197826

SHA512
6eb6e1f84229314c2da4651f43e86eb097a4ae2cdc2b5a4ae2fe47d0a867e8eb6e70b103eae9e28709e49e87caf126dc816dcedc63939f8c60923ebd1e1b694c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dd540e10a9f8123a2a7f7c0450a3aa5

SHA1
76451533b585eed2af643433c7cba408de2b2e26

SHA256
7d15b1a7b4a12eab5cdad0cf4cddc8c5b135a299c9605aff30a82e38b77dd51c

SHA512
581d026d4100deec88e997c31a5289315c195e70c96dd81c7ef3156ba52e4dacc70677033e7193f312e17e02a01b253d06416784d0dd1f661d80aa7363a1daac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae1900533bec81d0a6256f95e04f0900

SHA1
f9794fc585bcdf7c5782b310138c052223323347

SHA256
d00271b85d27c0cde67bac2007b8a227eba0138dbb5fdd0f15a3688034a20cca

SHA512
682f163a44581de948c9ffaaa5e534b41dd8cf68446464c0914e666589bb5e6db30f3e5e529100c09ff0ef6aae01eb1b41c0212d4e73023490b3b195fa6ef124

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddb48bf4c7e50348a0dc16aa8a833e5c

SHA1
a827877569b2afa6114aff46c6e8ce50ad149bd5

SHA256
7b2eab08dd5bb31530432d598dfd05942724000206571042e3b7e89869d4da18

SHA512
15e88fef6a988df5a23e304a4303346275a84d01c6d6dfd35292b7b6bfdf990f512abac339947d4ded9d68a43a24eb2beb7de3ff756e2978ae3f68ee3f04e404

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed5c477ece560ddd2b669c7634640834

SHA1
651746d0c0b244e8375a6ae83feb6a9d9afb98b5

SHA256
3004d417d496710a454316fb59b5571cbeb15e1a8f5b6afa0b7c3d8fe1865340

SHA512
63e268cae113e71c9e94a6d46a241ae2187ee421f0d09723e1cd4cba2efe6cbe780d569f476600a9a3b1e4c9214f04aed489557d1ad41502a97d61e02af70aaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a0bf0e4ee6a777ed94d18e057d1d567

SHA1
651747e0793e31a823d4181520135b3114a82cc5

SHA256
7e8764784f2983aa6813117fbdcc0857093968df33cd07f8bcb35ab6aa2b783a

SHA512
ff904c03b5b2700d5a6c8157360c3c32510017d5fdb04cbe7e886849361b2c84771b24ce1e10db3eba68da1397ee8206e119f8423a69b212f8c826ad0c44d75b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
4e2b557af40f0a6f30fb81a5e8313e45

SHA1
0b1ed7c2260a0aa432dcacff0011c1b94c96d8d0

SHA256
10f775e4ef243277f35f6cdcbd51ca06d0ae1ed911f1eca84c81edc29bdc7458

SHA512
bff362befb9b5f3ff255dded8300d9908ff3675bc8c4049a54c6c2c9d03c6badb134cebb58efae0a34ba604ebc803132c5a81962ea630f80928486403a969918

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3b5cbb01ed7e31e87502dd1235689270

SHA1
6c69358de2dc620b12f7316a6a7df7e135dd8f06

SHA256
d08647d571153e593379167bb9ad601a1c91420fd81fcd16a024ceeda9a994c4

SHA512
c650c404d8fbc99014823266f139b9cea906f94ee5c3acf00b5957b24b03b0334b19e885ffe30979ed804f717607c6cb46c8b252d95971879a685e562c01a340

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c84c062f1772a6c94e127b7ac690ff30

SHA1
571d5dd43b92f2ca6d87ec63b183d5d80e99578f

SHA256
a184daf5be3ea2311b620ff3d28982e36cb9e2b4d94da010381e04cbfe448d30

SHA512
07caa5d4126467cf6cc2fb2790830328f0d1671b3fd4e7d5579b839fe10c2b0d42912531e0d6e29e19175900a29594e929ec30c6b08842868eeb1a504f9f3b14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
87ea71c7c9abd17b71224c20edcad3fc

SHA1
8313a8c9b744a913a4ec0e742982c2078ab09c71

SHA256
ea70b472483e6e1b58f7e61d8c1e2f5960ee891624a7350f09bb53ef8aaa9018

SHA512
4b16aa532ac528d2a4ea0453a729e537a59f7048f779a997a97de89fd9f6361647b44ffc48c395bd1a0b31c1b9bd791bb916bdb2509fcbd057faaf34cdf41c4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
1a1c5c9e3876a1194078c89f9df44fb9

SHA1
e1f8e83a85de1037fe5d7287be09bcdd0828e03b

SHA256
81cb6dbfb8828cf399125446a657b90df248ef2159fef960fca918c0f6c4c051

SHA512
879cad41889fe01fb159fc61a22033fa764f8eb223a3c0dfc33779687805a7925d5397eece5784e32578e749cd5a5c018c2534366e1259b289b83a551750e9c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
59f417bcf2583a1aff2a61be100c17a2

SHA1
12e6b29f104836fdee9153ba79462bd25cbf9071

SHA256
a449f872b739d0ef90ee5fdb8edc95e7ba57df956124c0355a439f164547c2ee

SHA512
c245e363be544ca4362ab0e226e206aecaab2c19a68702173cffe80867141dc92b15a6d5e40e4458335a55b025c9b461c0bf4b07033df9b217295b6efa05b227

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
c4a568ce446f479d6d08efc32499e0df

SHA1
9a73526e95c8d70e08ed051dfd63b9beeea97fbf

SHA256
0b5fef552deef3cb3bee52ee4eb740ac0f78687a435fb7c0a751e9cb4b54c8c0

SHA512
b7123fbba30b06dd37d4cbb6a7723183c79ac69d0ac33c544869519a99d7980d0aa210e721aa8992b1772135fd71f94a397973a9379f99841f5c1430a8c1253c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8cee40b44877d8182dae09c3642a8832

SHA1
2a2f30b795009cd038f5a15be65b7f8e94f8312e

SHA256
17ad40cccc5ebe0fa5e170941fe71c8b1bac633272b2b2b4831d3c6e48ea3c65

SHA512
7e51641c28517892c38829fcfa432ffc15c2cfcfd93f0552f74ca3a47ac24ed5dcbc594ec7d4a1c235abd44a942809f62a741e28eacdd81ce04f3e8bd01f0f00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
021efea8c31156388414347d282a3a39

SHA1
d83dd03abf91780d5ad556add20e8707abd7e8a3

SHA256
1e9b52a277c648a82fc15415b2da1a911cf6893eed9a37210e2c9b92fe2a9144

SHA512
17a3585c0552c667169066901ec4e6eae3caaa05773dfcf60ca1252de99fd4d429aec8f94e6b81a1051f0fb2c883a20c0ed796dcfa419d08f3adea275dad1202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
291KB

MD5
1b854a62140754660dd676d668f9c764

SHA1
2df639162ec825f350090aec8c98684e1aa8116e

SHA256
32aa3fea7a5574f854245bfd66424226f38e8364ff23352e07ca4eed7037930d

SHA512
b747fd0bb184fd72980658d876beb9353f3579f07754b058a90af1892fe9844ed10c8ef9620c62911e596171b16584394e3d887f54a9535da01b734fdc74ea19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
77KB

MD5
013374897a661605847970eb4b51c699

SHA1
1ce1608554eeb6550d2c2f944a053096c6284618

SHA256
a59d49a324d827e55c61319e272db882a45e38d95377059a776cbbb3b9d2ec13

SHA512
45b6e95cb25552160b1f70fc52487646321371b2047aef5ab54ed7503d685d401db07ec6c229153b021c1d64eb42d312f9397d0fb81a6c73bceb016113dcb382

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9C56.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b948e958675e1a13c81a04cb14cc7556

SHA1
8393d9ee9fe4e24069ef39055f02dfd636ef24dc

SHA256
c387d80cc0d74f0c449d03a8344997f40012fdd30adabf6470ab6915f06bb46d

SHA512
4791ad78222c7d9089a9c6d909572c770f51e2acd33fcee065857a703d6f0371054bf65ab76c9a49f45fd60d063b5af84522887783082596c7effba449b439ad

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
memory/972-43-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2180-47-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2180-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

Filesize
4KB

Download
memory/2180-2-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/2180-1-0x00000000013A0000-0x00000000013E0000-memory.dmp

Filesize
256KB

Download
memory/2512-14-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2512-15-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2748-8-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2748-7-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download