umbral | hxxps://gofile[.]io/d/UMIu1A

Analysis

max time kernel
72s
max time network
72s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/UMIu1A

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1282641542556811284/XhP2lBGmy2WSxK1y0l23RHuQqEin2SHIJODdzqGhEFoaXh5jRVDNcIXTEi8GEfBNxtlo

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000234b7-229.dat	family_umbral
behavioral1/memory/5492-231-0x000001A628E60000-0x000001A628EA0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5800	powershell.exe
5964	powershell.exe
464	powershell.exe
1952	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Emerald.exe

Executes dropped EXE 1 IoCs

pid	Process
5492	Emerald.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
69	discord.com
70	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
61	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5796	cmd.exe
5912	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5704	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5912	PING.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3352	msedge.exe
3352	msedge.exe
5068	msedge.exe
5068	msedge.exe
2908	identity_helper.exe
2908	identity_helper.exe
2180	msedge.exe
2180	msedge.exe
5492	Emerald.exe
5492	Emerald.exe
5800	powershell.exe
5800	powershell.exe
5800	powershell.exe
5964	powershell.exe
5964	powershell.exe
5964	powershell.exe
464	powershell.exe
464	powershell.exe
464	powershell.exe
5176	powershell.exe
5176	powershell.exe
5176	powershell.exe
1952	powershell.exe
1952	powershell.exe
1952	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5804	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3216	7zG.exe
Token: 35	3216	7zG.exe
Token: SeSecurityPrivilege	3216	7zG.exe
Token: SeSecurityPrivilege	3216	7zG.exe
Token: SeDebugPrivilege	5492	Emerald.exe
Token: SeIncreaseQuotaPrivilege	5688	wmic.exe
Token: SeSecurityPrivilege	5688	wmic.exe
Token: SeTakeOwnershipPrivilege	5688	wmic.exe
Token: SeLoadDriverPrivilege	5688	wmic.exe
Token: SeSystemProfilePrivilege	5688	wmic.exe
Token: SeSystemtimePrivilege	5688	wmic.exe
Token: SeProfSingleProcessPrivilege	5688	wmic.exe
Token: SeIncBasePriorityPrivilege	5688	wmic.exe
Token: SeCreatePagefilePrivilege	5688	wmic.exe
Token: SeBackupPrivilege	5688	wmic.exe
Token: SeRestorePrivilege	5688	wmic.exe
Token: SeShutdownPrivilege	5688	wmic.exe
Token: SeDebugPrivilege	5688	wmic.exe
Token: SeSystemEnvironmentPrivilege	5688	wmic.exe
Token: SeRemoteShutdownPrivilege	5688	wmic.exe
Token: SeUndockPrivilege	5688	wmic.exe
Token: SeManageVolumePrivilege	5688	wmic.exe
Token: 33	5688	wmic.exe
Token: 34	5688	wmic.exe
Token: 35	5688	wmic.exe
Token: 36	5688	wmic.exe
Token: SeIncreaseQuotaPrivilege	5688	wmic.exe
Token: SeSecurityPrivilege	5688	wmic.exe
Token: SeTakeOwnershipPrivilege	5688	wmic.exe
Token: SeLoadDriverPrivilege	5688	wmic.exe
Token: SeSystemProfilePrivilege	5688	wmic.exe
Token: SeSystemtimePrivilege	5688	wmic.exe
Token: SeProfSingleProcessPrivilege	5688	wmic.exe
Token: SeIncBasePriorityPrivilege	5688	wmic.exe
Token: SeCreatePagefilePrivilege	5688	wmic.exe
Token: SeBackupPrivilege	5688	wmic.exe
Token: SeRestorePrivilege	5688	wmic.exe
Token: SeShutdownPrivilege	5688	wmic.exe
Token: SeDebugPrivilege	5688	wmic.exe
Token: SeSystemEnvironmentPrivilege	5688	wmic.exe
Token: SeRemoteShutdownPrivilege	5688	wmic.exe
Token: SeUndockPrivilege	5688	wmic.exe
Token: SeManageVolumePrivilege	5688	wmic.exe
Token: 33	5688	wmic.exe
Token: 34	5688	wmic.exe
Token: 35	5688	wmic.exe
Token: 36	5688	wmic.exe
Token: SeDebugPrivilege	5800	powershell.exe
Token: SeDebugPrivilege	5964	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	5176	powershell.exe
Token: SeIncreaseQuotaPrivilege	1752	wmic.exe
Token: SeSecurityPrivilege	1752	wmic.exe
Token: SeTakeOwnershipPrivilege	1752	wmic.exe
Token: SeLoadDriverPrivilege	1752	wmic.exe
Token: SeSystemProfilePrivilege	1752	wmic.exe
Token: SeSystemtimePrivilege	1752	wmic.exe
Token: SeProfSingleProcessPrivilege	1752	wmic.exe
Token: SeIncBasePriorityPrivilege	1752	wmic.exe
Token: SeCreatePagefilePrivilege	1752	wmic.exe
Token: SeBackupPrivilege	1752	wmic.exe
Token: SeRestorePrivilege	1752	wmic.exe
Token: SeShutdownPrivilege	1752	wmic.exe
Token: SeDebugPrivilege	1752	wmic.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
3216	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe
5068	msedge.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe
5804	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 4460	5068	msedge.exe	84
PID 5068 wrote to memory of 4460	5068	msedge.exe	84
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 1164	5068	msedge.exe	85
PID 5068 wrote to memory of 3352	5068	msedge.exe	86
PID 5068 wrote to memory of 3352	5068	msedge.exe	86
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87
PID 5068 wrote to memory of 1800	5068	msedge.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5752	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/UMIu1A
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99b1146f8,0x7ff99b114708,0x7ff99b114718
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,7931722009615676511,11641642523305514161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2752

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Emerald X\" -spe -an -ai#7zMap24562:80:7zEvent19194
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3216

C:\Users\Admin\Downloads\Emerald X\Emerald.exe
"C:\Users\Admin\Downloads\Emerald X\Emerald.exe"
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5492
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5688
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Emerald X\Emerald.exe"
  2⤵
  - Views/modifies file attributes
  PID:5752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Emerald X\Emerald.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5176
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:4232
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:5424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5704
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Emerald X\Emerald.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5796
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5912

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5804
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Emerald X\autoexec\autoexec.lua
  2⤵
  PID:4312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
ba39262b75d11c404140ee367cc4d8bb

SHA1
591afaba741abfc280ef04ddc69af8c206dfa519

SHA256
37c2ad1951070f5f40cd9a9e9abd2146f1579a27be34b358fdd39e573f68f168

SHA512
45b7db2ff29a0be33c29b3c26cc037322b89a6cefbb9a1f460636251dfd0fd21c8f2ca53c83c72766053f45931021ed50cb4b13edc336d3312476e8b1846b2df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
cac38d9594a7953cfcf53053cc040705

SHA1
81b82d1fe834ab4d5068b17e532dff4d246332ef

SHA256
56954411a093c62f789ab5cd02222dc32780e2a4785537542356b64aea085d29

SHA512
b192b7bdba9c5263c8e6e32cefdae5e4ef0d680d92a1c608ff13454c2c34bd6f2970feb5b417c00481c53eb9a0ff98d3b4ef8cedc4bbae4c0e056283d288fb72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
462B

MD5
55cd5735c48ae0a20dba244439977364

SHA1
896a23e27671d7cc40852c14b0bc4f7b7991d340

SHA256
de216feb514f2a41b1d6dad653b6bfa63b5d040321110e85b8fa4848d8a060b2

SHA512
919a52fbfba52be057b7474c653895165931615e98bba13f2759eda4ca836bb6a89a03f9d1b95b1a15de571f248793e51591a7bd9e67b356cbfaa0e8548119b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
390B

MD5
9946e95abe11ffd34f0453e4fcab7bde

SHA1
bd9a25555c74849776d283c7919452d57fe63146

SHA256
a1201e93885eaf1d4410965bd9904ac2cf2270d213a3af0e116860692757b7dd

SHA512
e7a2e35804fd70a8b8bf48cc32b473094670dff4b969365b05bbbd653eeb63ddbb8632aa5a0fe67825648c9f01d29de0a4a323d269b12aac4cbc9d33cedbca3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0f4ff8f4bf38922f662090b962b344de

SHA1
c495fa9fdfab2a7a1ce58823e9792130c05c3b43

SHA256
28aff2999519ba44a382aec6cfdd73f8311a07225276e17425e80733a5782179

SHA512
97964d7120e22327b67e53cc52f4fb351f72f7fe8ccd2f9dc239880e41cd2be312d72cbeacc40ae618eca73e9158eca393d1354ff79d39f829be1125feaaa974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
071e694e486d75e5daffae2e49067625

SHA1
e40cbcbeb962ead4ec98a0614362d15a7cbe34a4

SHA256
22b0717dd678ddb1a1ad425363ad4be8884f2ae35cf75593133228ba9d1a7438

SHA512
d5e9dc7bd4321728449d933cd95159f73622d9ace9d117a61e12a6e8bba7256b6ba26641371ee64eeaef0329420a769853b3db2f2104858cf7b29e19b0b403fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
02cda0e952add7d1412a5ec8fcdd81d9

SHA1
51595954515e01be03c06634e7fe9c3de4cc88e4

SHA256
e31775cf71faa2553bbaab2117d389c1ec938af4bf3b25fcd0261000d51b6346

SHA512
7761a55f3faefa731db654744043082c05886bf8e8f01678454da285f381813065d1c05b68ef56877b57e57ef651877cc8cdaedf7bd6f6eefcfa9af787e972cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d8a9030dec5523755b624f787e6a063c

SHA1
d7e362e9a929114cf01005bb93350360b2d740cb

SHA256
3a6bdb346d51a9d17728e3df7bf5893dfe027cbb6b83839a46b7eb7eff187c3a

SHA512
601180f76195ea715877dbe5cec620b9235186786175c2fbc0aa3d731533621c2683ba62f0c7bebd96973df5f6334f5b1e23e37a094ef3dae84a3ceee7820a4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a42c7b93630715330aeb88b59d9bd8e7

SHA1
93bde5e121b396354c325be108826143e9136d18

SHA256
c8815be5929d78f7e62fe5b777cf815462efc2f294ff583da92928a4de1a781e

SHA512
1755d46ca804bc5a69e44498d3b94ec11e2cb75c654a096d0dee1a9c756c1d788f93fa79b0a7bfd7f9a2c16aede3427592bab918c6d6820a603293bb14cfa031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
1a58f982c18490e622e00d4eb75ace5a

SHA1
60c30527b74659ecf09089a5a7c02a1df9a71b65

SHA256
4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d

SHA512
ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
107102102e02e48f37f5318c7e113c43

SHA1
7fb10fc65c85fb4c050309f0872bc9389dcccc0d

SHA256
3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7

SHA512
b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qofev2c1.rrl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Emerald X.zip

Filesize
2.9MB

MD5
6d5e6bb315019834ad58da276fb2b4ee

SHA1
c3dfebcf3caf961c745a070c58a78dd5c30bd368

SHA256
6b3fb6fce70e0a6cbe4dec6627f76ff70414048360f03c7d72099fbd059591ed

SHA512
6619981ecb97ec806c3a0c57cab618f17f214a0e96c26ff7f31f26362ba7facf0667e874269d51ee38e2705c0eaed4cbb0eacf8ea92aae150271f635f2ccf213

Download Submit
C:\Users\Admin\Downloads\Emerald X\Emerald.exe

Filesize
229KB

MD5
f50a9b0c2670af5b0e3371ecdcebed27

SHA1
e114834c05d2e86db3c3d45ccbd46a7c32950167

SHA256
abbf1cd65c8d762019873c47b45e374d0c75cb28ddf754a8ddb35501f3cb63b2

SHA512
21784568e5f27bbd0235fb37d7a7381055da13f27c00b6399bbb09b286bc58a965f00bb925950855392aad57678d34ccd0de4d13b10f9ae7503bc192143a90c6

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/5492-259-0x000001A643650000-0x000001A6436C6000-memory.dmp

Filesize
472KB

Download
memory/5492-261-0x000001A62AC40000-0x000001A62AC90000-memory.dmp

Filesize
320KB

Download
memory/5492-263-0x000001A62ABF0000-0x000001A62AC0E000-memory.dmp

Filesize
120KB

Download
memory/5492-231-0x000001A628E60000-0x000001A628EA0000-memory.dmp

Filesize
256KB

Download
memory/5492-301-0x000001A62AC20000-0x000001A62AC2A000-memory.dmp

Filesize
40KB

Download
memory/5492-302-0x000001A62AE10000-0x000001A62AE22000-memory.dmp

Filesize
72KB

Download
memory/5800-232-0x000001EA99E20000-0x000001EA99E42000-memory.dmp

Filesize
136KB

Download