8e95865efd39220dfc4abebc27141d9eae288a11981e43f09cbee6bf90347fe0

Resubmissions

18-02-2025 23:32

250218-3je64ssjfn 10

18-02-2025 23:31

250218-3hvv6s1rfx 10

Analysis

max time kernel
325s
max time network
317s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.builder.exe
Size

114KB
MD5

d91fb6867df7e4303d98b5e90faae73c
SHA1

496f53ad8cd9381f1c1b577a73e978081002c1db
SHA256

bb19b002df31e1196b4e6530cf54c449e9cf1383d3adc5334a0442fa96b36344
SHA512

5dbcfe9bf567c6f1e18027950726af1835ab8b363ba8b040fd379b4cfe94b0894bc969b3c04fa4f1964b441a7b894bd4d37f3aabe3ea31396687a6ca093cfdc9
SSDEEP

3072:aumr2q8XTs/8wEQuKqAFCq8FBJGgMMlpVFPo6QoJ7j:aumr2q8XTs/8wEQJhCqbsVehy7

Score

7^/10

agilenet discovery

Malware Config

Signatures

Obfuscated with Agile.Net obfuscator 8 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral4/memory/4932-2-0x000001C8EB570000-0x000001C8EB590000-memory.dmp	agile_net
behavioral4/memory/4932-3-0x000001C8EB590000-0x000001C8EB5B0000-memory.dmp	agile_net
behavioral4/memory/4932-4-0x000001C8ED6B0000-0x000001C8ED71E000-memory.dmp	agile_net
behavioral4/memory/4932-5-0x000001C8EB5B0000-0x000001C8EB5BE000-memory.dmp	agile_net
behavioral4/memory/4932-6-0x000001C8ED740000-0x000001C8ED79A000-memory.dmp	agile_net
behavioral4/memory/4932-8-0x000001C8ED640000-0x000001C8ED650000-memory.dmp	agile_net
behavioral4/memory/4932-9-0x000001C8ED670000-0x000001C8ED68E000-memory.dmp	agile_net
behavioral4/memory/4932-10-0x000001C8EDB70000-0x000001C8EDCBA000-memory.dmp	agile_net

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
82	discord.com
83	discord.com
85	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133843952300528942"	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe
4932	Umbral.builder.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	Umbral.builder.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe
Token: SeCreatePagefilePrivilege	4232	chrome.exe
Token: SeShutdownPrivilege	4232	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe
4232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 3136	4232	chrome.exe	98
PID 4232 wrote to memory of 3136	4232	chrome.exe	98
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 1068	4232	chrome.exe	99
PID 4232 wrote to memory of 4500	4232	chrome.exe	100
PID 4232 wrote to memory of 4500	4232	chrome.exe	100
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101
PID 4232 wrote to memory of 2000	4232	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.builder.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc1c33cc40,0x7ffc1c33cc4c,0x7ffc1c33cc58
  2⤵
  PID:3136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,2271945203018959086,12529904328684362339,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,2271945203018959086,12529904328684362339,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2324,i,2271945203018959086,12529904328684362339,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2148 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,2271945203018959086,12529904328684362339,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3348,i,2271945203018959086,12529904328684362339,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3736,i,2271945203018959086,12529904328684362339,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4584 /prefetch:8
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4700,i,2271945203018959086,12529904328684362339,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,2271945203018959086,12529904328684362339,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,2271945203018959086,12529904328684362339,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5020,i,2271945203018959086,12529904328684362339,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1144,i,2271945203018959086,12529904328684362339,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:5052

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d8f81867edcb757109a0bfa5e6220dc7

SHA1
5f9969d3e88c304e27fe25b6e47a2f0688909c0a

SHA256
f38f133799f721593ba7f81758343426b96023b636eee5726e308cbb27e6cc18

SHA512
45360f41ad82cfe32fc9ed8a0d29692d95b4ed309a34aa8f33b090353e77f97ec31d628a6cb4a033160eea1f8dc3176e640d5d15ca4d477fdb65b267adbd1edc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8974b4e130edf5d9f3499a4402ea972a

SHA1
10139d5dd74d1fb5fead7cc3b5b49d49466f3f1c

SHA256
d1dbbbe186b6e5480dd71c077318c33ed4de1780eb97aa2eacc6503dff03a751

SHA512
cf79bba6c8cdfc3e4f163e2aa15b0d7c26cf6acc9b31b38207eb585de63879d24d7cba3471ad1c0171206ab568f9eaef296bbc12db3bf261416319932034e730

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a843f2e059dba3171badc9bb77d632c4

SHA1
8b758a903946011ad3fd0de9c2543082dfd50494

SHA256
20767925d00c6bdbfae139a0c35ebd4c2f1506bc298724585a7ef338085fcf66

SHA512
2a83db5261825fcbccf4d269cd4fdd1b77f42e17a0010ebcc0316119778428a504ef2da6e29afeb96319356e94c96a2ab8f2595e530ced3986069a54e8f8fafc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7b6ddf0f585ce822d331b13219d59ddb

SHA1
43a0f2dd832ad0ac4904f555a22511086436fc3e

SHA256
db83524a6dc4e4344a03c47ed951398d73e6cd701693335e3af03950de26583e

SHA512
1c94f7ac6604515a62a3149a3aa09e9fb48760888bda8eea63fc3ae76b5a301a398ca59af629094a12b0ddba2f1edd4fd353ebc8bd98328545846fe3e4bdd462

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bb15025b787509d0872c1b460906783f

SHA1
f661f2f292efff12984e722a8ba7fd424a3be196

SHA256
779e64519a30308f1cf53e10a590d79644ca7059b23030993c23c400cbf4be64

SHA512
a9d2679a79962e669399fc3166118674225f005771c2ac0eae9d76942040be6ee694da7dce5d2cd6c7c4e7a5b56c5da8c4fb4b22072706442d0e1d1df43cc93f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
46368b89efa28f8d356cd3c9ec53bfd8

SHA1
e2802e0e0ecfa6b1262ac667bdcfc9bbacb22e53

SHA256
9bd49ee8c40236fdd9439fc2d34aa55e2f8fd19419269b016ef30b78d231089a

SHA512
b3e589adf7000c12e93351aa4e2d3424ae5373ec6fe28c41fe8ed4599ae05bf9aecd93c641887c74d3ec0ec85a1e3c4340e4036affa8f19e416a35c79f4dd06f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
18acab0ba6fa4069799dfe127c74875f

SHA1
d493326cf8c2cc4cad3455559df31f4f9a3a0d76

SHA256
92247e5a4b7ec5166b0fd93ba116a939f02403f449d73c2f25b9cace47aaeda2

SHA512
cac4029969898617b86f533f65c4b72d423078cc8d05163ee36ba44f6de7b0b9dece3970112f1b1f558c35840a992642e20486a7b212803d2690432100550ed0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5f4b0736cda99a867957b60fe8b94025

SHA1
cfc6819b0eafb548c7bf1c8c99cb76921831b03e

SHA256
d88b32b3bea5012ffc6dd336e3b505ccd5359f8544b27479d47cf3dc1a71422d

SHA512
4aab124f287776ec0a8a486389bf125cb91ed5280c1b27bd2e77acda03e723ed902aa45601b09afd7a1ebf75902f088f658861d3ae184247f4a0054ea497af4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f27382b5e43ed32260f6de29538ab8e4

SHA1
55eaea636a24a291f9953522f0da9b5de86cc11e

SHA256
a67070b142c61ee87a9c21bb5427f248e48ba627d83efa6584566d35435fa796

SHA512
15b2bb73a637df9e0f6eec90f6c7a563289e484ccf0ae2904e87896b76b814c5e23e8cbb3b8392a442b530f5db441a1c837ef601b3cc061e3d535a656141707e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bcae499c1f11bd93b6a2d08c16431229

SHA1
7215b0e66fca3898ff20b59e3662c132251ec074

SHA256
26389e4bcfb337cabbe49806f1de24afb6571398b9297c644760745098ab7bc2

SHA512
d1fe48f57bb03d7dffdb31adf76fe120448dc682df90d2d3b65279e050d20fc3e35e18a626ffc2db268152bdb6c961ff4cf25f761b2eb770e000615f75a80787

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
12339475ac244666d006bb1f005b8fae

SHA1
6ccca6bc7260ded8395c422a6337d101ef9372d7

SHA256
1a25b2f051415093275367ba94a5e9ab2460d9c897b14d04e61666db451af84e

SHA512
61d139318e7b52d514ea1be1a217d8d30df25f0607befeb158e9f1e87eddb80d2253b2415e4101a5b9a935bde1332f7078b5964e15e3c60a62e9a9d435f9a804

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
aa1ac775ed4d2d83530952cb4ec4cd90

SHA1
b698f1740dbd5798a6673dd5ec7ed8a2306df521

SHA256
523131390f6452fd9a35ee73cf7c23f30294d7990cfc35d6985b248a2610d2ae

SHA512
049d84b60942a60613379593da0ff35ea8654dabb95eeee2d016f0d217bb4b91eeb1c32de47a0408e0d4558e6b2cc053240f18118efbc016475dd304c2b7ba8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
14bac70b78fc597f481bb9e0008820d7

SHA1
61daf4a0da89ed13e9f5eddb065282dda8c29d3b

SHA256
ce1ae4dcacf8821bd89c89379829cd0007cf9e65f3916954f1481de0d9d7c543

SHA512
19909c182056d563dfe0dea193a2a825f5fbe2a75da93e4a2a3dec4a9af6507262cfa422ce40d4327c3bad58f12f33901839f6eafce8ae23045e0a670acdc58d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4dbfb7d0f8855de086831d0bfd572b2b

SHA1
b2f18172d8148b74217e1c72618a04a7e5d71397

SHA256
f0769595415d3c64f5978b2153e575a67b67fbdd2556a859549e29763d562de6

SHA512
58f54b9e2b817ff038eb10d6d127f0847e70e7f526bc28ffcea2d1678e31042ab6ee129e0c3f3e92cbebe002ec825690d5d40a5499e3cb18756c7e1818d9c283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
afcbb771c9b5ddcafa9c9acc4ba05abd

SHA1
0d37195c55105a8ad6bc9ae713c6b937c4fe649b

SHA256
cc1b8391710ad3ca3b69773e89eb61ea3683e33f52fe5d7de0787fdd8b32f9b2

SHA512
fa4afb1ae2434fd91ed641152fbd3c2d4a6cbe3f4fb6d1b240bbff99b75cb59e37c5572d5dc83087f43e0082fe92c16cb13b113afc4f00612c5867eb5677702c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bd492f7e671b3464438927d8c87304a8

SHA1
d2b535b3a830da1252f2d565bf663bf08c9b02fa

SHA256
e446e3401ec69d86cf3ba6028d91733119c237efb20c0711bc7c3d15c6f07d46

SHA512
35cb4b8bcb9599b64289475b3ad93d0ac33eccda6ab33c1dd5c0647c743a216506d7cd1a234fe4fa18895fe2cde670b9bf752be0b5b8d8f3baf547b34f779fc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e3da7e8610a44f4c87c0e98726201838

SHA1
82be670346918c7c0c07a8ddb29f4ede1fcff27e

SHA256
c591a34537237c9f4a5cc6727eb88f00506c42df3290398d5b9c044988d4ee51

SHA512
be7d02645efa293380846580aebc8b4bd35c65d1f212cb7fc4ee82b7c899f7edc66184d29fa788213190740734f7e0d0d577bdb25d3417c14ca63a0d29ff611c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4d3d7e0fcfcfa8ab6b9c6a7cc6aeac53

SHA1
27d4f49fba865a79156e5ba2f0896a90a51460eb

SHA256
8dad26c44a7c44f5098c3cf6455dd488b218cbcff0d0b31cb2abad35e6791b19

SHA512
6318b2766bb0ce723db5a42e2a5be9c902b328706c34362bd13168c479f7e45c3fbe4bdbe028808ae9c694e5b4397209e4eafd1d401e30721ffa2169a237b56a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3ada5211c9043b94a0b239ff4e56d559

SHA1
d9f1239addf740fef19f5918b0538bf495cee5a8

SHA256
c318587cf6c0694bb97340c6a45bb0b366273c270c39cae9adb7684b732783b9

SHA512
b47a2490d3422b231f7bea36c5ad733baf6069519262c8b2dd665942ba1238421fa71fabb5d26e90ae2fc8345bafdbc019f311a640e6c1edbfee8d7c2c72bcf8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
edc1b3de94f15d92f21afe43bcef96b1

SHA1
5f2e481a31d573c788001efe418f3180605a2b9d

SHA256
318899623d4dd5dbb65eeca3f32fd61c69b4bf072cab2574f31f212b0352c3db

SHA512
1423fbb88e99da527de84a78da843c1f07e1c155c433af49526101267219f5f89e8f43aa18cecb9f4b81b88b5bf17a8a25bfcba68c419d6ed5e8f497de773f9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f20c175ba31850cea10160559ea9b364

SHA1
0bab5fb7d598090f41f908c2ec08a679dd376879

SHA256
0e72b51bba2c0c25668b50b2b385ae6ea55908c4de61211f9a4197dea8aaab9f

SHA512
b1dae78ea028ca8a2165e7849cf8f6228fee946a8988ac86c51f838c6b07e9718546719a9139ebc99d129ee47826a41425ff2b2ca9c4468d559dbf0d0aadd5a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
f7700290250e335aa3778f08795e3155

SHA1
4534c50c6eff88cdf68240f59d4c2d0716feeec7

SHA256
efc5eab945639824690cd1773d7d80de5e2437f2ac43aca6fd6664fe892524d0

SHA512
44283d6760af754ae2898506a045a152f2a7a5a78a2a2098f18b351f9b4d1dc8452ea85802dd3b2447f3bc70c1d42d5fc13c3650fcea1b8ae412521ba2cce072

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
8a69a90839b580e7d795e19975e42a95

SHA1
3e12f0b1566839b182e9a75dec2231c88e9d5b7c

SHA256
1360feb1beb313fe307f427b14f8d6a6512386901cb919bee154529a5f7d90e3

SHA512
85ad13b09c78e5e4428fada30db4e9c113fa741b2ce99ee847d4ec4bd44f0611d407d16007a2dbb7c67931ce80c442a4e35f09b126493f58ed19b57c30179015

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
242KB

MD5
3d74ac5f43606cce4b178b1bca414329

SHA1
5f0345232b45c5737d867df86cd79751b73e061e

SHA256
ae563b7002f86b2ea5851ef1747603e701cc2aa618213b5d32fc93e8f09fe723

SHA512
5b1c1d000fa971773a8570e4c10bce5b9d9af548f06b3428d366093ec071b12b261c758c8f2ef164210aecfd0cfc2f911db3af867ea86dee41beb604a217e6de

Download Submit
memory/4932-13-0x00007FFC21000000-0x00007FFC21AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-15-0x00007FFC21003000-0x00007FFC21005000-memory.dmp

Filesize
8KB

Download
memory/4932-11-0x000001C8EDA20000-0x000001C8EDB36000-memory.dmp

Filesize
1.1MB

Download
memory/4932-8-0x000001C8ED640000-0x000001C8ED650000-memory.dmp

Filesize
64KB

Download
memory/4932-6-0x000001C8ED740000-0x000001C8ED79A000-memory.dmp

Filesize
360KB

Download
memory/4932-5-0x000001C8EB5B0000-0x000001C8EB5BE000-memory.dmp

Filesize
56KB

Download
memory/4932-4-0x000001C8ED6B0000-0x000001C8ED71E000-memory.dmp

Filesize
440KB

Download
memory/4932-2-0x000001C8EB570000-0x000001C8EB590000-memory.dmp

Filesize
128KB

Download
memory/4932-14-0x00007FFC21000000-0x00007FFC21AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-10-0x000001C8EDB70000-0x000001C8EDCBA000-memory.dmp

Filesize
1.3MB

Download
memory/4932-0-0x00007FFC21003000-0x00007FFC21005000-memory.dmp

Filesize
8KB

Download
memory/4932-12-0x000001C8ED930000-0x000001C8ED960000-memory.dmp

Filesize
192KB

Download
memory/4932-1-0x000001C8EB100000-0x000001C8EB122000-memory.dmp

Filesize
136KB

Download
memory/4932-7-0x00007FFC21000000-0x00007FFC21AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-18-0x00007FFC21000000-0x00007FFC21AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-17-0x00007FFC21000000-0x00007FFC21AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-16-0x00007FFC21000000-0x00007FFC21AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-9-0x000001C8ED670000-0x000001C8ED68E000-memory.dmp

Filesize
120KB

Download
memory/4932-251-0x00007FFC21000000-0x00007FFC21AC1000-memory.dmp

Filesize
10.8MB

Download
memory/4932-3-0x000001C8EB590000-0x000001C8EB5B0000-memory.dmp

Filesize
128KB

Download