umbral | 864825be054e1dd6ff62defe866c25c03961ef221975f386fe5385c8de6f8ce6

Analysis

max time kernel
529s
max time network
533s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
30-11-2024 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

selfbott.exe
Size

227KB
MD5

e8bf31ef50755a97e720a2272bc2d982
SHA1

7d99287c32962fcb643916817a1f97dde5eeb13b
SHA256

864825be054e1dd6ff62defe866c25c03961ef221975f386fe5385c8de6f8ce6
SHA512

27cf74d9f73677f449cc9bd80d3edaa99b12d8a225e067237caa616aaf85012925a13da3eb6512fbf762e0dc765f85fb76dc5fffe9eff9f7a3aab4733cd35d94
SSDEEP

6144:eloZM9rIkd8g+EtXHkv/iD49gXDR/k4XKG/BcoNgdb8e1m9i:IoZOL+EP89gXDR/k4XKG/BcoNAH

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral1/memory/3660-1-0x000001B4EC350000-0x000001B4EC390000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
8	powershell.exe
328	powershell.exe
3764	powershell.exe
1648	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	selfbott.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	discord.com
19	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4572	cmd.exe
440	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2992	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133774465872344437"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
440	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1648	powershell.exe
1648	powershell.exe
8	powershell.exe
8	powershell.exe
328	powershell.exe
328	powershell.exe
4272	powershell.exe
4272	powershell.exe
2248	wmic.exe
2248	wmic.exe
2248	wmic.exe
2248	wmic.exe
2932	wmic.exe
2932	wmic.exe
2932	wmic.exe
2932	wmic.exe
1136	wmic.exe
1136	wmic.exe
1136	wmic.exe
1136	wmic.exe
3764	powershell.exe
3764	powershell.exe
2992	wmic.exe
2992	wmic.exe
2992	wmic.exe
2992	wmic.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
112	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3660	selfbott.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeIncreaseQuotaPrivilege	1648	powershell.exe
Token: SeSecurityPrivilege	1648	powershell.exe
Token: SeTakeOwnershipPrivilege	1648	powershell.exe
Token: SeLoadDriverPrivilege	1648	powershell.exe
Token: SeSystemProfilePrivilege	1648	powershell.exe
Token: SeSystemtimePrivilege	1648	powershell.exe
Token: SeProfSingleProcessPrivilege	1648	powershell.exe
Token: SeIncBasePriorityPrivilege	1648	powershell.exe
Token: SeCreatePagefilePrivilege	1648	powershell.exe
Token: SeBackupPrivilege	1648	powershell.exe
Token: SeRestorePrivilege	1648	powershell.exe
Token: SeShutdownPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeSystemEnvironmentPrivilege	1648	powershell.exe
Token: SeRemoteShutdownPrivilege	1648	powershell.exe
Token: SeUndockPrivilege	1648	powershell.exe
Token: SeManageVolumePrivilege	1648	powershell.exe
Token: 33	1648	powershell.exe
Token: 34	1648	powershell.exe
Token: 35	1648	powershell.exe
Token: 36	1648	powershell.exe
Token: SeDebugPrivilege	8	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeIncreaseQuotaPrivilege	2248	wmic.exe
Token: SeSecurityPrivilege	2248	wmic.exe
Token: SeTakeOwnershipPrivilege	2248	wmic.exe
Token: SeLoadDriverPrivilege	2248	wmic.exe
Token: SeSystemProfilePrivilege	2248	wmic.exe
Token: SeSystemtimePrivilege	2248	wmic.exe
Token: SeProfSingleProcessPrivilege	2248	wmic.exe
Token: SeIncBasePriorityPrivilege	2248	wmic.exe
Token: SeCreatePagefilePrivilege	2248	wmic.exe
Token: SeBackupPrivilege	2248	wmic.exe
Token: SeRestorePrivilege	2248	wmic.exe
Token: SeShutdownPrivilege	2248	wmic.exe
Token: SeDebugPrivilege	2248	wmic.exe
Token: SeSystemEnvironmentPrivilege	2248	wmic.exe
Token: SeRemoteShutdownPrivilege	2248	wmic.exe
Token: SeUndockPrivilege	2248	wmic.exe
Token: SeManageVolumePrivilege	2248	wmic.exe
Token: 33	2248	wmic.exe
Token: 34	2248	wmic.exe
Token: 35	2248	wmic.exe
Token: 36	2248	wmic.exe
Token: SeIncreaseQuotaPrivilege	2248	wmic.exe
Token: SeSecurityPrivilege	2248	wmic.exe
Token: SeTakeOwnershipPrivilege	2248	wmic.exe
Token: SeLoadDriverPrivilege	2248	wmic.exe
Token: SeSystemProfilePrivilege	2248	wmic.exe
Token: SeSystemtimePrivilege	2248	wmic.exe
Token: SeProfSingleProcessPrivilege	2248	wmic.exe
Token: SeIncBasePriorityPrivilege	2248	wmic.exe
Token: SeCreatePagefilePrivilege	2248	wmic.exe
Token: SeBackupPrivilege	2248	wmic.exe
Token: SeRestorePrivilege	2248	wmic.exe
Token: SeShutdownPrivilege	2248	wmic.exe
Token: SeDebugPrivilege	2248	wmic.exe
Token: SeSystemEnvironmentPrivilege	2248	wmic.exe
Token: SeRemoteShutdownPrivilege	2248	wmic.exe
Token: SeUndockPrivilege	2248	wmic.exe
Token: SeManageVolumePrivilege	2248	wmic.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe
112	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 1772	3660	selfbott.exe	83
PID 3660 wrote to memory of 1772	3660	selfbott.exe	83
PID 3660 wrote to memory of 1648	3660	selfbott.exe	85
PID 3660 wrote to memory of 1648	3660	selfbott.exe	85
PID 3660 wrote to memory of 8	3660	selfbott.exe	88
PID 3660 wrote to memory of 8	3660	selfbott.exe	88
PID 3660 wrote to memory of 328	3660	selfbott.exe	90
PID 3660 wrote to memory of 328	3660	selfbott.exe	90
PID 3660 wrote to memory of 4272	3660	selfbott.exe	92
PID 3660 wrote to memory of 4272	3660	selfbott.exe	92
PID 3660 wrote to memory of 2248	3660	selfbott.exe	96
PID 3660 wrote to memory of 2248	3660	selfbott.exe	96
PID 3660 wrote to memory of 2932	3660	selfbott.exe	99
PID 3660 wrote to memory of 2932	3660	selfbott.exe	99
PID 3660 wrote to memory of 1136	3660	selfbott.exe	102
PID 3660 wrote to memory of 1136	3660	selfbott.exe	102
PID 3660 wrote to memory of 3764	3660	selfbott.exe	104
PID 3660 wrote to memory of 3764	3660	selfbott.exe	104
PID 3660 wrote to memory of 2992	3660	selfbott.exe	106
PID 3660 wrote to memory of 2992	3660	selfbott.exe	106
PID 3660 wrote to memory of 4572	3660	selfbott.exe	108
PID 3660 wrote to memory of 4572	3660	selfbott.exe	108
PID 4572 wrote to memory of 440	4572	cmd.exe	110
PID 4572 wrote to memory of 440	4572	cmd.exe	110
PID 1668 wrote to memory of 1944	1668	chrome.exe	122
PID 1668 wrote to memory of 1944	1668	chrome.exe	122
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 748	1668	chrome.exe	123
PID 1668 wrote to memory of 1448	1668	chrome.exe	124
PID 1668 wrote to memory of 1448	1668	chrome.exe	124
PID 1668 wrote to memory of 1612	1668	chrome.exe	125
PID 1668 wrote to memory of 1612	1668	chrome.exe	125
PID 1668 wrote to memory of 1612	1668	chrome.exe	125
PID 1668 wrote to memory of 1612	1668	chrome.exe	125
PID 1668 wrote to memory of 1612	1668	chrome.exe	125
PID 1668 wrote to memory of 1612	1668	chrome.exe	125

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1772	attrib.exe

C:\Users\Admin\AppData\Local\Temp\selfbott.exe
"C:\Users\Admin\AppData\Local\Temp\selfbott.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660
- C:\Windows\SYSTEM32\attrib.exe
  "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\selfbott.exe"
  2⤵
  - Views/modifies file attributes
  PID:1772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\selfbott.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" os get Caption
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" computersystem get totalphysicalmemory
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Windows\System32\Wbem\wmic.exe
  "wmic" path win32_VideoController get name
  2⤵
  - Detects videocard installed
  - Suspicious behavior: EnumeratesProcesses
  PID:2992
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\selfbott.exe" && pause
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\system32\PING.EXE
    ping localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:440

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7fff236acc40,0x7fff236acc4c,0x7fff236acc58
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1924,i,1144019814482044457,14064743552458856910,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,1144019814482044457,14064743552458856910,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2044 /prefetch:3
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,1144019814482044457,14064743552458856910,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2484 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,1144019814482044457,14064743552458856910,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,1144019814482044457,14064743552458856910,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4596,i,1144019814482044457,14064743552458856910,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,1144019814482044457,14064743552458856910,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,1144019814482044457,14064743552458856910,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4408
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff6dc944698,0x7ff6dc9446a4,0x7ff6dc9446b0
    3⤵
    - Drops file in Windows directory
    PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4960,i,1144019814482044457,14064743552458856910,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:2120

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
14b6d1b1b2260e4d8136ca1fb52487b8

SHA1
ec74ca71008e83b0b429f0262d971f031b37e1c4

SHA256
2b81a57260803a2399c6fb2d085377dbad31bb9001b9939ed90f51fd947ca0a4

SHA512
4eec45debb0d571c5c437e6d42996afdaaa9a0c1e8a69e46b357ccfe430f86dd631ca11b58d5930e91d6402ed3fab966f561e57d666278e36b7d1e2917aec357

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
7707ba87fc62ff99c1dfadc3805ac5c5

SHA1
c5bf09cc19a528e889db40693ab6ced4797c1c86

SHA256
bac405b9ad7e28f8aa498787967a3e700c53157cc64d5d9179b70dc69509e42a

SHA512
b43cb46dcaae1a60ef9647d00070d74752de30f85938be41148cc013a5a46470d476ee656257f192cab57f22a0873aeb20d3b941d10dae31436c28f84e2df2f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
20b35090018f2ce146904732f8c6a8ca

SHA1
f9c58ab35a76e9c23e007735f80bf334ec38883e

SHA256
d5787b755a93dcd5e596c304ff50e4d35143bcbb24d2280721c22b91d2f379d2

SHA512
8ffa272cc44f636a429123d2e27d8f8ce6a1fbbc85b3be52382a231f2fd641d65ecc901298aee78d35b08b268627addb30bbcf6ccfdb22092a491a62261460e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b61d632ed8e7f21f99653b44daabdba0

SHA1
8e2e97e116c17a0805f4e34122fadaafc9b56447

SHA256
4a075645e752cedcb12353093afe1d76213ea2a4660a090d59b0ae5fb78d35bb

SHA512
ca476fc6926c94ae159e501dfef1b68aec11b318bf70c7ab7820f1ef0ac53c0b01e6175b71686c3b9e2f67df9a66ba36d83cc604bcd675f879946874c93250ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca26a7aedd0415d65312d809e0830238

SHA1
ced2fe36e96fd934d521bb126ed6bbb01111b84b

SHA256
90fdea2a8488dd0f6fbf78f58af7547f6598820421f4cca0fef71c6d61f7d4c1

SHA512
eb93b3c13aa16a95062a6382778f8201d46f42b5ad81c7ee0c82be8027b603babf431efeb77b9866c1a89645cddf647313a0ae47295aac5117314ee256695c91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
758274b6b9d057c29e53abbb28a65539

SHA1
31c61dbe36882eb82f277cf91ca0c3d5c778ac62

SHA256
a99416e5db8b31e12c924caba16ef3bb7ab5fba3a5ffe69a1004ab198276921c

SHA512
afb1df557bcae14246b461bc8f231aec29b7b3c3d1aeac4ae851063612dc5f51ac8b1baa2b239aa56b084a2741d60ebe872d303e3998963b03324fb95c832902

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a3c9d038118f3b800cd0a9c6e44bc6ee

SHA1
09b6b6878aab9ad24326b9f897946914aed49a11

SHA256
51e44f86467dc4c37b09458c7104e7e69a98d11e286d1d7772ec8d69c6f06af0

SHA512
312088ac5819efa80601023c92f8aa1b712e6d19af0a7a060d3ebb878fba98b174a4024e6a0f6b5ad55c60d92025a4d3ee28191189221b36164321b107f9d7c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ebf858816cb4ea03c9549e91b281d90f

SHA1
a7cb6eb5086e941b421181f99250dc4b2982cdad

SHA256
00ba9a79cd5ae706ede971b30d1d7597835930c92f7128ec0b3561741e79728c

SHA512
22483ae42a0d72176febd796d6ecb9ffd1d8a4d0237cec2266e7ec94f9676b3acbb0fda2331a8769c1dd1323d4a4e6327eaf7ea383f0e46028052dc8fb35d685

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
5789c93e17beba3c2af970a905b90da9

SHA1
2b044943671852bfe6c14440447c22e429d7cce9

SHA256
a19eee4b47a723312277309e2b0e0a02ab564605839a71c8d893a2c800ec3ab2

SHA512
695cfe4445db15e78e09b0266a7faf10c2ad78f4eaac1c92a429a03e1c9d9486ba4e14ee03eff941bef51725c7ccb8cea11cd66e03f256c78adf36e4d895e9c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
236KB

MD5
7082398cb56a2dff01d9a92e551eb6db

SHA1
9a33210919337c202cf1106ba3765bb28899150e

SHA256
70d7c5fdf1852dcfb2a6fbd70802de02d19bc01d53a40278f82396c5daa1ac98

SHA512
28da0c8ac5b82d558b0689ad56ad830ef8c1d827e40fd6ed0c5fce98a030edfe9a969fa5b830752cb42f3ce89f4cc08aefc77a8e5386603ebfd96e1ffe23101b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
339ac34446385f01a55ea0a463d08466

SHA1
d4afd1e140b45d4a2954ee43b09d45206909bc21

SHA256
03371a29e763812f83c63bc5eacefd760ecb4bb60db6c5324d76fe4b0f055e08

SHA512
3c5604adac3855a59670a5006ff8a1b23beb0ee117c69b607e6716dd60cd38f26b46309db793c26fc6ae1424a36c462a0751f56fb42f197c61de3742b892be41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f0f59cccd39a3694e0e6dfd44d0fa76d

SHA1
fccd7911d463041e1168431df8823e4c4ea387c1

SHA256
70466c7f3a911368d653396fdd68f993322c69e1797b492ca00f8be34b7f3401

SHA512
5c726e1e28cb9c0c3ab963fbfbf471c6033839f3e535a3811581fdaa4da17175e5a8a8be84a4fccd99b81e048058e51d230ff3836e3ec920057a1b1676110bee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
a3e1909058a1fccdfb3f76893321a009

SHA1
1122ded6cb848f0bcb7ef68bf41a283a6160747d

SHA256
1da9e37479bb87ebfe793443c9aa88096a7c4125c0361f225a14e94a6c2c9227

SHA512
ad887da96acdfd0446686587a692eb6c3d7332a08389b75993b3b56df1d815a28ea95ae93ca4dd83b01b1706bf8ac130aef65e1635dc4b3a40f9375cf277f7fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8e1fdd1b66d2fee9f6a052524d4ddca5

SHA1
0a9d0994559d1be2eecd8b0d6960540ca627bdb6

SHA256
4cc7c1b79d1b48582d4dc27ca8c31457b9bf2441deb7914399bb9e6863f18b13

SHA512
5a5494b878b08e8515811ab7a3d68780dac7423f5562477d98249a8bedf7ec98567b7cd5d4c6967d6bc63f2d6d9b7da9a65e0eb29d4b955026b469b5b598d1f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ae6614b97962d6418ba5e9c815931cd

SHA1
23d0d0d904216fe22e7bb6a9acc3a9a230d3a66d

SHA256
b7e3620f07b1b09da8d9b4a882c34df756cc862dfa4986c325602e988ae65438

SHA512
6a1310e3b5684ec685eb58ad7daf9e7d7f90b727c549f4517ee1218baeab736533adf13cf132c0082f912ff3a354eea511824847a3b741c2dbb1f6bbb27f9d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdc2rund.r2o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/112-92-0x000001E2505B0000-0x000001E2505B1000-memory.dmp

Filesize
4KB

Download
memory/112-91-0x000001E2505B0000-0x000001E2505B1000-memory.dmp

Filesize
4KB

Download
memory/112-93-0x000001E2505B0000-0x000001E2505B1000-memory.dmp

Filesize
4KB

Download
memory/112-85-0x000001E2505B0000-0x000001E2505B1000-memory.dmp

Filesize
4KB

Download
memory/112-86-0x000001E2505B0000-0x000001E2505B1000-memory.dmp

Filesize
4KB

Download
memory/112-87-0x000001E2505B0000-0x000001E2505B1000-memory.dmp

Filesize
4KB

Download
memory/112-97-0x000001E2505B0000-0x000001E2505B1000-memory.dmp

Filesize
4KB

Download
memory/112-96-0x000001E2505B0000-0x000001E2505B1000-memory.dmp

Filesize
4KB

Download
memory/112-95-0x000001E2505B0000-0x000001E2505B1000-memory.dmp

Filesize
4KB

Download
memory/112-94-0x000001E2505B0000-0x000001E2505B1000-memory.dmp

Filesize
4KB

Download
memory/1648-20-0x00007FFF14F60000-0x00007FFF15A22000-memory.dmp

Filesize
10.8MB

Download
memory/1648-13-0x00007FFF14F60000-0x00007FFF15A22000-memory.dmp

Filesize
10.8MB

Download
memory/1648-12-0x00000229F1F20000-0x00000229F1F42000-memory.dmp

Filesize
136KB

Download
memory/1648-14-0x00007FFF14F60000-0x00007FFF15A22000-memory.dmp

Filesize
10.8MB

Download
memory/1648-15-0x00007FFF14F60000-0x00007FFF15A22000-memory.dmp

Filesize
10.8MB

Download
memory/1648-16-0x00007FFF14F60000-0x00007FFF15A22000-memory.dmp

Filesize
10.8MB

Download
memory/1648-17-0x00007FFF14F60000-0x00007FFF15A22000-memory.dmp

Filesize
10.8MB

Download
memory/3660-0-0x00007FFF14F63000-0x00007FFF14F65000-memory.dmp

Filesize
8KB

Download
memory/3660-36-0x000001B4EE9F0000-0x000001B4EEA0E000-memory.dmp

Filesize
120KB

Download
memory/3660-34-0x000001B4EEA70000-0x000001B4EEAE6000-memory.dmp

Filesize
472KB

Download
memory/3660-35-0x000001B4EEA20000-0x000001B4EEA70000-memory.dmp

Filesize
320KB

Download
memory/3660-62-0x000001B4EF910000-0x000001B4EF922000-memory.dmp

Filesize
72KB

Download
memory/3660-78-0x00007FFF14F63000-0x00007FFF14F65000-memory.dmp

Filesize
8KB

Download
memory/3660-84-0x00007FFF14F60000-0x00007FFF15A22000-memory.dmp

Filesize
10.8MB

Download
memory/3660-79-0x00007FFF14F60000-0x00007FFF15A22000-memory.dmp

Filesize
10.8MB

Download
memory/3660-61-0x000001B4EEC10000-0x000001B4EEC1A000-memory.dmp

Filesize
40KB

Download
memory/3660-2-0x00007FFF14F60000-0x00007FFF15A22000-memory.dmp

Filesize
10.8MB

Download
memory/3660-1-0x000001B4EC350000-0x000001B4EC390000-memory.dmp

Filesize
256KB

Download