umbral | ad63c13c9f488c90efaa2a271d210f84f39e723ce2a2879c3cb5c444ee1a40aa

Analysis

max time kernel
123s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-01-2025 02:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

instagram_dm.png
Size

32KB
MD5

7f4f027e0e09752664b12d5561e7f768
SHA1

41d801d8c17e7973f3acf67d516e28735797e1eb
SHA256

ad63c13c9f488c90efaa2a271d210f84f39e723ce2a2879c3cb5c444ee1a40aa
SHA512

bd3a83ef7de3facf55a17b63e8c0520242ee348dfaddd2703a62656acd7c39d13e444c185af4506e4a60b020b168f6dc1937099d2d6a81ce8815f7131146baec
SSDEEP

768:EwQIrguKvrsEJI+RPLSR2CMpH663vIn1QBbMXrYkQZ:EwNgbrsEPe7IHfnBbyrYkQZ

Score

10^/10

umbral discovery execution stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00070000000194ad-139.dat	family_umbral
behavioral1/memory/2928-179-0x0000000000D80000-0x0000000000DC0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2984	powershell.exe
476	powershell.exe
2604	powershell.exe
1864	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
29	664	chrome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
42	discord.com
43	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2788	cmd.exe
2744	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
112	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2744	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2628	chrome.exe
2628	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe
Token: SeShutdownPrivilege	2628	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
2336	rundll32.exe
2336	rundll32.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe
2628	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2336	rundll32.exe
2336	rundll32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 3068	2628	chrome.exe	33
PID 2628 wrote to memory of 3068	2628	chrome.exe	33
PID 2628 wrote to memory of 3068	2628	chrome.exe	33
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 2892	2628	chrome.exe	35
PID 2628 wrote to memory of 664	2628	chrome.exe	36
PID 2628 wrote to memory of 664	2628	chrome.exe	36
PID 2628 wrote to memory of 664	2628	chrome.exe	36
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37
PID 2628 wrote to memory of 1016	2628	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2144	attrib.exe

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\instagram_dm.png
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7379758,0x7fef7379768,0x7fef7379778
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:2
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:8
  2⤵
  - Downloads MZ/PE file
  PID:664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2336 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1312 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:2
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1380 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3724 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3852 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=1992 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:1
  2⤵
  PID:1440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2944 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:8
  2⤵
  PID:592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1324 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:8
  2⤵
  PID:588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4044 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3984 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3948 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:8
  2⤵
  PID:1908
- C:\Users\Admin\Downloads\red hub.exe
  "C:\Users\Admin\Downloads\red hub.exe"
  2⤵
  PID:2928
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2824
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\red hub.exe"
    3⤵
    - Views/modifies file attributes
    PID:2144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\red hub.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2984
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    PID:1244
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:656
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:760
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1864
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:112
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\red hub.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2788
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3020 --field-trial-handle=1300,i,13963714306036328745,1561124852240489728,131072 /prefetch:8
  2⤵
  PID:2004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000007.log

Filesize
1KB

MD5
2274e0221ce60ca43d745b0cf44c59f3

SHA1
7bcf233d298e2096588c129d1956257008d787f9

SHA256
c6d8431725eb7832fc7e38c9c550337bdaa7db6977ec61b3474bfbd9f1d6b9ca

SHA512
33abc47ac695116a922aaf304d1d898558a97078bbde4c442e66311e85e5989c4bf0d0bdb98aed414d98f69d96fabf2a7258628a2ac8a3bde657392cb727daa4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
d54fc7060c95d41416ff205bddf08da6

SHA1
fa5881cc87c578eba929704ddbcacf3d7d545298

SHA256
d3dcc8173f90ab054cfd452c1fb250de22a9d2d51007852764f8f9b304992167

SHA512
e0c2b98da243440bee8504ac23129644716936651fe6e80b54af817ace54ae97d74b25e304f5ba197020642a23820092ed2a6d3a6578904df74d92345439c2ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
9930e5c794459d5225f0835c7ac81a98

SHA1
fef316cdce481b6dc2f32f2630a3857f91854919

SHA256
402c05c1f411c0a798be69dea4cd884b1a9ef5fffc3d63396fc54ff18edadee7

SHA512
defdebd009725e791289ac57538f6fa973cce8f945cb8fa7fd92e0b372d080e48a6279ef13461ebd44dd443805f0b169db1f6dc9ad883f50af732e67a3a9aef3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ab88c679d6cc69a6c8c3e91b9c0cce3c

SHA1
b1d36bf1fb4a70b82ca68a47e0aaaeb6cd3ffea2

SHA256
61113acc4399c6fea06994b2937a968096b44dd0a50b5d721ea49ef44d6911de

SHA512
3f6f39e33cde22f4dc2b818c880847569be0d69b367bd855b21b3e71223b3995f737d31cfe14dfe6d3db0a78f4f279fefb72ce824e62fb5504fe0c352b99b53f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
117fd355ba1bb24270365558f6044872

SHA1
76cb0f52927c000794425eda95737de9f86d57ae

SHA256
40454607c04a8446f74a3d5a3bf55f6a00a18bc4e2d82819ae39d4bf6a72969f

SHA512
a75969d91729ca288764af216475bc2b1041a6cb96b9ead0e1b36f7d0e972af50ec44f41ace344fcd2483ccf9d8d2b9f67f1d05f5269650a149bb717756957a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFf77c8fa.TMP

Filesize
5KB

MD5
5804a4e22941adfa9711d262b5ebb127

SHA1
f6a4e4d86f5aca36fc419dddd57dd097c8fa7243

SHA256
15238e7022e66c6fb342fb14edbc9a51c1df5e55965591e78edaad50bd1c1dde

SHA512
141fc091c57d107d73f2ac3e0bb5f4cad380ea97ca7a7968bb616be6b6920c6e3e6b0f4e005fe2a4da3599fe820218f9f02a24409581827131b952b2e0037a62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb

Filesize
1KB

MD5
820b29b893b9ad5291434b6678fb9ef7

SHA1
ae4b4bd12a87185437970e42dff9ef5469e989c9

SHA256
65fb2f9003ab0b3f11bbf04ee7d9dfe4a0a93cb1df831a59d60f908342c12c77

SHA512
4b286a8a45f4042176aa538b652a06b918e5d415ec27354ddb3cb3974f475f2653e9de41e5059092a59534d76515f6fe5aa981b09f0b82cd81090f7a8ce31dda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000009.log

Filesize
2KB

MD5
368e6ff6fa4fb439ea00f4d6d3e3e005

SHA1
f583eb39d0fed49b734af622d655c3e17c2f8f1c

SHA256
f91cd05c832c95b8b2374f881b5b3e0d27e23e27d153ecc00e551d03f2a16226

SHA512
96c6e74460dc30b3a9a2459641e5051882da586c1fbf31f781a040f09fea7affb1071957a6bbab77cd1ea849252e47296e8d71e44fd4a5627ce9a9e135a70cf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
347KB

MD5
8313a5d7bd4f3adfcfd0252b237b78ad

SHA1
cc6c5c47034603592769fa85e997ee5f93d0c1ef

SHA256
6a20cb2d8b83a454456b74565707192f4e4f94c6a0b903e818c23c41b1e10026

SHA512
1f9e88f71c0b9b04abc501ff6b7bf39f5c3c2ed0bb918c4fad48fe6807e2a168a5cc4b19c32e49da5c91a49b0e952e39495425f4027951c66503fd2539cffa8e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a6011993b025c9623c51a9a0541e9263

SHA1
59926d511493b1b6af7a7fe55e5e15cedbee3377

SHA256
0dcde25ceadd6b0b8f39274d577b11728be8b675668febdaeffd1b575106c5b8

SHA512
bf4de9b354b627fd6b75bdc2f3d9d654713d70f865b0ccf5688ec3e60a10c2b96a1fad897b59c0637294083f7a97fab72fd2d078634f1879e784ed97aa5fad4c

Download Submit
C:\Users\Admin\Downloads\red hub.exe

Filesize
229KB

MD5
2a1996466320e476da0b1ffbfd6be8b8

SHA1
15414fe5d21436f7434dddac986877c672c88ef1

SHA256
77a89d40174ff760a19252582299c0e8fc8fcf94105c9c16c1c871f504429f2c

SHA512
83486da6de7188b1f72452b9cb7f2d515bf0ba4f67265a30e2d2dbe95a6622acc51c7e3fc69aefb4078f09b4826de794adebb2106455685721ea6248dbe993ab

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
memory/476-194-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/476-193-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1864-232-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2336-0-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2336-1-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2928-180-0x000007FEF3B90000-0x000007FEF457C000-memory.dmp

Filesize
9.9MB

Download
memory/2928-178-0x000007FEF3B93000-0x000007FEF3B94000-memory.dmp

Filesize
4KB

Download
memory/2928-179-0x0000000000D80000-0x0000000000DC0000-memory.dmp

Filesize
256KB

Download
memory/2928-237-0x000007FEF3B90000-0x000007FEF457C000-memory.dmp

Filesize
9.9MB

Download
memory/2984-187-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2984-186-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download