umbral | hxxps://gofile[.]io/d/UMIu1A

Resubmissions

16-09-2024 13:22

240916-ql7b6azdln 10

14-09-2024 22:09

240914-126exazakk 10

Analysis

max time kernel
70s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/UMIu1A

Score

10^/10

umbral credential_access discovery execution stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3684-136-0x000001881E770000-0x000001881E7B0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5260	powershell.exe
5164	powershell.exe
5420	powershell.exe
5612	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Emerald.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
85	discord.com
83	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
66	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5460	cmd.exe
5452	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5384	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5452	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3480	msedge.exe
3480	msedge.exe
1276	msedge.exe
1276	msedge.exe
3824	identity_helper.exe
3824	identity_helper.exe
4940	msedge.exe
4940	msedge.exe
3684	Emerald.exe
3684	Emerald.exe
5260	powershell.exe
5260	powershell.exe
5260	powershell.exe
5420	powershell.exe
5420	powershell.exe
5420	powershell.exe
5612	powershell.exe
5612	powershell.exe
5612	powershell.exe
5812	powershell.exe
5812	powershell.exe
5812	powershell.exe
5164	powershell.exe
5164	powershell.exe
5164	powershell.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe
5768	Injector.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	Emerald.exe
Token: SeIncreaseQuotaPrivilege	5140	wmic.exe
Token: SeSecurityPrivilege	5140	wmic.exe
Token: SeTakeOwnershipPrivilege	5140	wmic.exe
Token: SeLoadDriverPrivilege	5140	wmic.exe
Token: SeSystemProfilePrivilege	5140	wmic.exe
Token: SeSystemtimePrivilege	5140	wmic.exe
Token: SeProfSingleProcessPrivilege	5140	wmic.exe
Token: SeIncBasePriorityPrivilege	5140	wmic.exe
Token: SeCreatePagefilePrivilege	5140	wmic.exe
Token: SeBackupPrivilege	5140	wmic.exe
Token: SeRestorePrivilege	5140	wmic.exe
Token: SeShutdownPrivilege	5140	wmic.exe
Token: SeDebugPrivilege	5140	wmic.exe
Token: SeSystemEnvironmentPrivilege	5140	wmic.exe
Token: SeRemoteShutdownPrivilege	5140	wmic.exe
Token: SeUndockPrivilege	5140	wmic.exe
Token: SeManageVolumePrivilege	5140	wmic.exe
Token: 33	5140	wmic.exe
Token: 34	5140	wmic.exe
Token: 35	5140	wmic.exe
Token: 36	5140	wmic.exe
Token: SeIncreaseQuotaPrivilege	5140	wmic.exe
Token: SeSecurityPrivilege	5140	wmic.exe
Token: SeTakeOwnershipPrivilege	5140	wmic.exe
Token: SeLoadDriverPrivilege	5140	wmic.exe
Token: SeSystemProfilePrivilege	5140	wmic.exe
Token: SeSystemtimePrivilege	5140	wmic.exe
Token: SeProfSingleProcessPrivilege	5140	wmic.exe
Token: SeIncBasePriorityPrivilege	5140	wmic.exe
Token: SeCreatePagefilePrivilege	5140	wmic.exe
Token: SeBackupPrivilege	5140	wmic.exe
Token: SeRestorePrivilege	5140	wmic.exe
Token: SeShutdownPrivilege	5140	wmic.exe
Token: SeDebugPrivilege	5140	wmic.exe
Token: SeSystemEnvironmentPrivilege	5140	wmic.exe
Token: SeRemoteShutdownPrivilege	5140	wmic.exe
Token: SeUndockPrivilege	5140	wmic.exe
Token: SeManageVolumePrivilege	5140	wmic.exe
Token: 33	5140	wmic.exe
Token: 34	5140	wmic.exe
Token: 35	5140	wmic.exe
Token: 36	5140	wmic.exe
Token: SeDebugPrivilege	5260	powershell.exe
Token: SeDebugPrivilege	5420	powershell.exe
Token: SeDebugPrivilege	5612	powershell.exe
Token: SeDebugPrivilege	5812	powershell.exe
Token: SeIncreaseQuotaPrivilege	5996	wmic.exe
Token: SeSecurityPrivilege	5996	wmic.exe
Token: SeTakeOwnershipPrivilege	5996	wmic.exe
Token: SeLoadDriverPrivilege	5996	wmic.exe
Token: SeSystemProfilePrivilege	5996	wmic.exe
Token: SeSystemtimePrivilege	5996	wmic.exe
Token: SeProfSingleProcessPrivilege	5996	wmic.exe
Token: SeIncBasePriorityPrivilege	5996	wmic.exe
Token: SeCreatePagefilePrivilege	5996	wmic.exe
Token: SeBackupPrivilege	5996	wmic.exe
Token: SeRestorePrivilege	5996	wmic.exe
Token: SeShutdownPrivilege	5996	wmic.exe
Token: SeDebugPrivilege	5996	wmic.exe
Token: SeSystemEnvironmentPrivilege	5996	wmic.exe
Token: SeRemoteShutdownPrivilege	5996	wmic.exe
Token: SeUndockPrivilege	5996	wmic.exe
Token: SeManageVolumePrivilege	5996	wmic.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe
1276	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 3308	1276	msedge.exe	82
PID 1276 wrote to memory of 3308	1276	msedge.exe	82
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 2056	1276	msedge.exe	83
PID 1276 wrote to memory of 3480	1276	msedge.exe	84
PID 1276 wrote to memory of 3480	1276	msedge.exe	84
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85
PID 1276 wrote to memory of 4892	1276	msedge.exe	85

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5212	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/UMIu1A
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee21a46f8,0x7ffee21a4708,0x7ffee21a4718
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,2074127926564408567,5548648169269314460,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4856

C:\Users\Admin\Downloads\Emerald X\Emerald X\Emerald.exe
"C:\Users\Admin\Downloads\Emerald X\Emerald X\Emerald.exe"
1⤵
- Drops file in Drivers directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3684
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5140
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\Downloads\Emerald X\Emerald X\Emerald.exe"
  2⤵
  - Views/modifies file attributes
  PID:5212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Emerald X\Emerald X\Emerald.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5812
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5996
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  PID:6064
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:6120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5164
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:5384
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Emerald X\Emerald X\Emerald.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5460
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5452

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Emerald X\Emerald X\logs\log2024-09-04_13-01-28.txt
1⤵
PID:1908

C:\Users\Admin\Downloads\Emerald X\Emerald X\Injector.exe
"C:\Users\Admin\Downloads\Emerald X\Emerald X\Injector.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
ddda3e3b0f47ae500ace3c72b6fd770b

SHA1
99d89021b14129449cc5cf9e7f6a79d632ad6aa8

SHA256
01a45767f9f9242aa26728167d8c1cff39e2815b8f916626d0423502fa8321f4

SHA512
f86cf88eda3e9e025c6662d400d7146ae134e427eedc564fc07c327a6eeae551051175b2c2f23cbb1b76e6bbebbd31af5f711a048fc79b25da0f078d40ee3849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
509B

MD5
ff2a5b98b39810866e2ab861800ac073

SHA1
55b1474967d24019a753bf9e233a3bba41c7376e

SHA256
d311c0e2f2667ec36f18fa65855cc5604b722a1c3d90b8b098abace677b5ded3

SHA512
366899e6ca57c84ab3c1e0b17c4ed54e026bbfda1050e2bd90188564131b358f9fe67cd8ea2d8736575d50184fb4b238b180b6b7aa65774b9029e32ce9a02035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
929B

MD5
69ee320df071e39e625074cb376245fa

SHA1
cad864fc95eb01f74692d5f9e066d581c7af5af1

SHA256
5cef045dceefae43bd75d5345f85b9fda3d82826a64d9831ef3680146a8c713b

SHA512
bbd9f4ccd7b5efa0c3d6dd54c71ad4a38dbe8b603d5a28a35cef587f9bbb4aa4464eab0a70ce31bec5b483d3b5e055d7744f7f96e8e04bcc1053121c3e1ad4d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d09c2a60d3a49a7924b4df4dc1e2dc9

SHA1
f9e3183ab8103f85b709019614b357703fc7bd91

SHA256
6695389fafe72644565611c12195e6cdc41ff75203e1df136d5a950bf2f85d28

SHA512
817e60f3dd87785bed939823081faa09ac61135e06a4614ffcaf5ee842ea5ca9b96f936d562efa8ae240235027df19930f5ec84ced41d3eaf1ff31b839b047cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a3559a9c93e5685702ade9e83d1de3a

SHA1
528cf77a4ebca52afcffdc6745cda9e9370f9fe1

SHA256
8c22c00faa42a01b04c5b61f3ae048ebde0996fcc7fe9ba79cef05031ff39ef5

SHA512
f74933c1aa661656dffade747aa64403fb40d7149f0a245f6322874cdbc50302c21464f0d0c8aa9edc0aeb7a07892ff27e56c667b70c242c65c3d1dc3880f1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccfc8d60b80cf8849d506b98c4259d6a

SHA1
ca1206d531e8f9b3118da4bdecb262f39765208f

SHA256
5097517b256760ddd08b3582675a8b2e00e0309225b192401bff638cab71bcfb

SHA512
d5621047cd71538fd86230840a6c0c487f32876991b266a55329f4c376608ba9392f78876ae215e31445045a4158d37aab48057800c25ae45d69285ffed94fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cfa54a7c12954544f8154eca2bd6f2d7

SHA1
81f124256a0f7c6f15d43e98760360287c1bda32

SHA256
50e341b9d27f13e46b849a65a386e48e9405711c0c405a9a936db0a61f3469c7

SHA512
82ff39951a0f29ab5985b2f5c7d6956176ab16ed5df93998856b8e7cba6c0a7ab11900c95086e9bf839e972966922155dba40999e9925393e3df5d7c8e5efeb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2204009573444cad071397eef8a2b5c0

SHA1
b01d882a490213993fb327eaa93437dcd8b82906

SHA256
43e0f62dbbe6949a0c13a7203f35830d0c602e32c78c2d8e863ab39b5e978694

SHA512
06bef5f92b0479e272d06d134c2ca58a9a4947dd8493f96908020978b597af7e22ffdc89911ff659ec7fbaeeadd7fdc83a1d71eb6d79240a23c0ddd4abd952af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec79fae4e7c09310ebf4f2d85a33a638

SHA1
f2bdd995b12e65e7ed437d228f22223b59e76efb

SHA256
e9c4723a5fe34e081c3d2f548a1d472394cc7aa58056fcf44ca542061381243a

SHA512
af9dda12f6bb388d826fe03a4a8beed9bda23a978aa55a2af6a43271660ee896a7ee3bcf2c4d2f1e6180902791d8c23560f1c2ec097a501d8c6f4f6c49075625

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwvsvioi.c5g.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 468214.crdownload

Filesize
2.9MB

MD5
6d5e6bb315019834ad58da276fb2b4ee

SHA1
c3dfebcf3caf961c745a070c58a78dd5c30bd368

SHA256
6b3fb6fce70e0a6cbe4dec6627f76ff70414048360f03c7d72099fbd059591ed

SHA512
6619981ecb97ec806c3a0c57cab618f17f214a0e96c26ff7f31f26362ba7facf0667e874269d51ee38e2705c0eaed4cbb0eacf8ea92aae150271f635f2ccf213

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/3684-164-0x0000018838F10000-0x0000018838F86000-memory.dmp

Filesize
472KB

Download
memory/3684-168-0x00000188203F0000-0x000001882040E000-memory.dmp

Filesize
120KB

Download
memory/3684-166-0x0000018838F90000-0x0000018838FE0000-memory.dmp

Filesize
320KB

Download
memory/3684-204-0x0000018820430000-0x000001882043A000-memory.dmp

Filesize
40KB

Download
memory/3684-205-0x0000018820460000-0x0000018820472000-memory.dmp

Filesize
72KB

Download
memory/3684-136-0x000001881E770000-0x000001881E7B0000-memory.dmp

Filesize
256KB

Download
memory/5260-142-0x000001C251890000-0x000001C2518B2000-memory.dmp

Filesize
136KB

Download