umbral | 8a9330937d476297cf95bed9cb50f4cb82ee90c8fd538e89090727538e2a50dc

Analysis

max time kernel
18s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xworm.exe
Size

229KB
MD5

c176d2ad8aae3ae3421647059931c8d9
SHA1

46cc2ff92c42f531cf2d41460031da365fd69a24
SHA256

8a9330937d476297cf95bed9cb50f4cb82ee90c8fd538e89090727538e2a50dc
SHA512

0739349b1a93f48d3600eb4d59ef4465e291270eaa7fb3c929c69ffd9d0f282c3305f1beec86e40f4a55ec13feb944fdf9ad4e0bdb2a2ad6a790dc6116386825
SSDEEP

6144:9loZM9rIkd8g+EtXHkv/iD4yeRV2U7X8ktoGnnGbBeb8e1mWbVi:foZOL+EP8yeRV2U7X8ktoGnnGbUE

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/856-1-0x00000248F5F90000-0x00000248F5FD0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2884	powershell.exe
2196	powershell.exe
4988	powershell.exe
2696	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	xworm.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	discord.com
26	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1404	cmd.exe
976	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4588	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133729816602191248"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
976	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2696	powershell.exe
2696	powershell.exe
2884	powershell.exe
2884	powershell.exe
2196	powershell.exe
2196	powershell.exe
3668	powershell.exe
3668	powershell.exe
4988	powershell.exe
4988	powershell.exe
3928	chrome.exe
3928	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	856	xworm.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeIncreaseQuotaPrivilege	212	wmic.exe
Token: SeSecurityPrivilege	212	wmic.exe
Token: SeTakeOwnershipPrivilege	212	wmic.exe
Token: SeLoadDriverPrivilege	212	wmic.exe
Token: SeSystemProfilePrivilege	212	wmic.exe
Token: SeSystemtimePrivilege	212	wmic.exe
Token: SeProfSingleProcessPrivilege	212	wmic.exe
Token: SeIncBasePriorityPrivilege	212	wmic.exe
Token: SeCreatePagefilePrivilege	212	wmic.exe
Token: SeBackupPrivilege	212	wmic.exe
Token: SeRestorePrivilege	212	wmic.exe
Token: SeShutdownPrivilege	212	wmic.exe
Token: SeDebugPrivilege	212	wmic.exe
Token: SeSystemEnvironmentPrivilege	212	wmic.exe
Token: SeRemoteShutdownPrivilege	212	wmic.exe
Token: SeUndockPrivilege	212	wmic.exe
Token: SeManageVolumePrivilege	212	wmic.exe
Token: 33	212	wmic.exe
Token: 34	212	wmic.exe
Token: 35	212	wmic.exe
Token: 36	212	wmic.exe
Token: SeIncreaseQuotaPrivilege	212	wmic.exe
Token: SeSecurityPrivilege	212	wmic.exe
Token: SeTakeOwnershipPrivilege	212	wmic.exe
Token: SeLoadDriverPrivilege	212	wmic.exe
Token: SeSystemProfilePrivilege	212	wmic.exe
Token: SeSystemtimePrivilege	212	wmic.exe
Token: SeProfSingleProcessPrivilege	212	wmic.exe
Token: SeIncBasePriorityPrivilege	212	wmic.exe
Token: SeCreatePagefilePrivilege	212	wmic.exe
Token: SeBackupPrivilege	212	wmic.exe
Token: SeRestorePrivilege	212	wmic.exe
Token: SeShutdownPrivilege	212	wmic.exe
Token: SeDebugPrivilege	212	wmic.exe
Token: SeSystemEnvironmentPrivilege	212	wmic.exe
Token: SeRemoteShutdownPrivilege	212	wmic.exe
Token: SeUndockPrivilege	212	wmic.exe
Token: SeManageVolumePrivilege	212	wmic.exe
Token: 33	212	wmic.exe
Token: 34	212	wmic.exe
Token: 35	212	wmic.exe
Token: 36	212	wmic.exe
Token: SeIncreaseQuotaPrivilege	2248	wmic.exe
Token: SeSecurityPrivilege	2248	wmic.exe
Token: SeTakeOwnershipPrivilege	2248	wmic.exe
Token: SeLoadDriverPrivilege	2248	wmic.exe
Token: SeSystemProfilePrivilege	2248	wmic.exe
Token: SeSystemtimePrivilege	2248	wmic.exe
Token: SeProfSingleProcessPrivilege	2248	wmic.exe
Token: SeIncBasePriorityPrivilege	2248	wmic.exe
Token: SeCreatePagefilePrivilege	2248	wmic.exe
Token: SeBackupPrivilege	2248	wmic.exe
Token: SeRestorePrivilege	2248	wmic.exe
Token: SeShutdownPrivilege	2248	wmic.exe
Token: SeDebugPrivilege	2248	wmic.exe
Token: SeSystemEnvironmentPrivilege	2248	wmic.exe
Token: SeRemoteShutdownPrivilege	2248	wmic.exe
Token: SeUndockPrivilege	2248	wmic.exe
Token: SeManageVolumePrivilege	2248	wmic.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 4036	856	xworm.exe	86
PID 856 wrote to memory of 4036	856	xworm.exe	86
PID 856 wrote to memory of 2696	856	xworm.exe	88
PID 856 wrote to memory of 2696	856	xworm.exe	88
PID 856 wrote to memory of 2884	856	xworm.exe	90
PID 856 wrote to memory of 2884	856	xworm.exe	90
PID 856 wrote to memory of 2196	856	xworm.exe	92
PID 856 wrote to memory of 2196	856	xworm.exe	92
PID 856 wrote to memory of 3668	856	xworm.exe	94
PID 856 wrote to memory of 3668	856	xworm.exe	94
PID 856 wrote to memory of 212	856	xworm.exe	96
PID 856 wrote to memory of 212	856	xworm.exe	96
PID 856 wrote to memory of 2248	856	xworm.exe	99
PID 856 wrote to memory of 2248	856	xworm.exe	99
PID 856 wrote to memory of 400	856	xworm.exe	101
PID 856 wrote to memory of 400	856	xworm.exe	101
PID 856 wrote to memory of 4988	856	xworm.exe	103
PID 856 wrote to memory of 4988	856	xworm.exe	103
PID 856 wrote to memory of 4588	856	xworm.exe	105
PID 856 wrote to memory of 4588	856	xworm.exe	105
PID 856 wrote to memory of 1404	856	xworm.exe	108
PID 856 wrote to memory of 1404	856	xworm.exe	108
PID 1404 wrote to memory of 976	1404	cmd.exe	110
PID 1404 wrote to memory of 976	1404	cmd.exe	110
PID 3928 wrote to memory of 3788	3928	chrome.exe	113
PID 3928 wrote to memory of 3788	3928	chrome.exe	113
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 5028	3928	chrome.exe	114
PID 3928 wrote to memory of 1548	3928	chrome.exe	115
PID 3928 wrote to memory of 1548	3928	chrome.exe	115
PID 3928 wrote to memory of 3260	3928	chrome.exe	116
PID 3928 wrote to memory of 3260	3928	chrome.exe	116
PID 3928 wrote to memory of 3260	3928	chrome.exe	116
PID 3928 wrote to memory of 3260	3928	chrome.exe	116
PID 3928 wrote to memory of 3260	3928	chrome.exe	116
PID 3928 wrote to memory of 3260	3928	chrome.exe	116

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4036	attrib.exe

C:\Users\Admin\AppData\Local\Temp\xworm.exe
"C:\Users\Admin\AppData\Local\Temp\xworm.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\xworm.exe"
  2⤵
  - Views/modifies file attributes
  PID:4036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\xworm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3668
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:212
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  PID:400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4988
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  PID:4588
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\xworm.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9dd37cc40,0x7ff9dd37cc4c,0x7ff9dd37cc58
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2308 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3280,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4032,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4712,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:4196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5132,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5144 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5148,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3372,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3376 /prefetch:8
  2⤵
  PID:788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4680,i,863958358500267597,1172516722188711379,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:3460

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3884

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x478 0x470
1⤵
PID:4288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a9a585dc9124b3209a2c605f99612f5c

SHA1
0593d659bbe93b1c5a5dc0dd4d39bea31b4128bb

SHA256
8f021b9c56fa8b355b0f5f4a96ea8634796a07f2c68ba7474b3ebb6ca9b6df6c

SHA512
e462f02535ba802dabc767ab3a1eb4babc26ee2e978d7daf3a81ed902de5191cc815ed770c11667d3e88a39d54af7fa90e79491bce56c3aece8eb0ec9b11c9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e4de4416a0e57c42fe8855203c135d27

SHA1
382c9400bd2d532a1b179def0f95eb426a076683

SHA256
9639691adcc49e79f375810405b9bb44b2429aa61d9354fe75d5e954d1ea210a

SHA512
137b9466a5ea130555f5442b3a482444eaf6c75643697c426a53e298d4321330d90edb691d0bbb806f7d239b76bee8645d2237efe81ea349e892e3effea69f86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
a145cca963d18defc1cb748662eb1b66

SHA1
38f39c7049fc9986783dd5428f1d9f514b1b2ecc

SHA256
604dd38d6ff74f959ffddd3bc2031ae348adde3b6b6124b71a545d3de4ea376e

SHA512
ab7abfe9b05f189b34002f9e7e4e62242dead79608d65428efd16d61c50ee6fe1eafb97a995084bd1781214dfb7a16804f1bcb314c1f75bd99b0de9bf376901d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
ff7800e11fcec12dd24919051e96dbb6

SHA1
b3f2085edef36c9c442524cd69717509409be334

SHA256
12f67490691a1f4b42534fa2b1556bebb817585701bd236f12148020c9142094

SHA512
42888747da14fb4ee6b3005e3617146546180313244f940f26edb9615ffe44e87b4e5bf4910eeddbae1926e2709d83330cc61a1c10d16cb27a98b2c30cb9aad3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6317adf4fbc43ea2fd68861fafd57155

SHA1
6b87c718893c83c6eed2767e8d9cbc6443e31913

SHA256
c1ead17eef37b4b461cedc276504a441489e819c7f943037f2001966aeec90af

SHA512
17229aae8622e4bfc3caaac55684f7d4ccd3162af5919c851b1d8ac4060b6bb7b75044ecee116523d05acb55197dcb60780958f629450edef386f1e6f65f49f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ibjvce0o.5bs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/856-34-0x00000248F87D0000-0x00000248F8820000-memory.dmp

Filesize
320KB

Download
memory/856-93-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/856-0-0x00007FF9DC8D3000-0x00007FF9DC8D5000-memory.dmp

Filesize
8KB

Download
memory/856-33-0x00000248F8700000-0x00000248F8776000-memory.dmp

Filesize
472KB

Download
memory/856-72-0x00000248F7FF0000-0x00000248F7FFA000-memory.dmp

Filesize
40KB

Download
memory/856-73-0x00000248F8780000-0x00000248F8792000-memory.dmp

Filesize
72KB

Download
memory/856-1-0x00000248F5F90000-0x00000248F5FD0000-memory.dmp

Filesize
256KB

Download
memory/856-35-0x00000248F7FC0000-0x00000248F7FDE000-memory.dmp

Filesize
120KB

Download
memory/856-2-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/2696-14-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/2696-13-0x000002D2E7EF0000-0x000002D2E7F12000-memory.dmp

Filesize
136KB

Download
memory/2696-12-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/2696-15-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download
memory/2696-18-0x00007FF9DC8D0000-0x00007FF9DD391000-memory.dmp

Filesize
10.8MB

Download