umbral | a0b1850a85ac0daf903f13a719423de6a27dd8a06f350ab5e339473e0dc9bf71

Analysis

max time kernel
299s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

owo huntbot.exe
Size

244KB
MD5

8bb9018e6293c3eb4c78f2d520b9e864
SHA1

2597e4371b9a7e78030cfb96ac2a264ad91d2c4d
SHA256

73dea80ba33a377e08706a9e35254ecb0d20da9f34edbca5523c71a5e9c9bf23
SHA512

08a57c7ba8e389a9e98c5f3b745eb6514ff6d7a1b86bdf7836ff0c41f9c0e82038487eb7116f8b9a6bc235bbbe29d6eb5540cebf4a3904d3a6fe34766985876d
SSDEEP

6144:NloZM+rIkd8g+EtXHkv/iD4K2secjfUT1gevPeQRx6lm8e1mKsiDKeS:PoZtL+EP8HsecjfUT1gevPe/unlD9S

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/1416-0-0x00000162946D0000-0x0000016294714000-memory.dmp family_umbral
Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

resource	yara_rule
behavioral2/memory/1416-0-0x00000162946D0000-0x0000016294714000-memory.dmp	family_umbral

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEchrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645720299796366"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

1404 WINWORD.EXE
1404 WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

1532 chrome.exe
1532 chrome.exe
1532 chrome.exe
1532 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

chrome.exe

pid process

1532 chrome.exe
1532 chrome.exe
1532 chrome.exe
1532 chrome.exe
1532 chrome.exe
1532 chrome.exe
1532 chrome.exe
1532 chrome.exe
1532 chrome.exe
1532 chrome.exe
1532 chrome.exe

pid	process
1404	WINWORD.EXE
1404	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

owo huntbot.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1416	owo huntbot.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe
Token: SeCreatePagefilePrivilege	1532	chrome.exe
Token: SeShutdownPrivilege	1532	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe
1532	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

1404 WINWORD.EXE
1404 WINWORD.EXE
1404 WINWORD.EXE
1404 WINWORD.EXE
1404 WINWORD.EXE
1404 WINWORD.EXE
1404 WINWORD.EXE

pid	process
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE
1404	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1532 wrote to memory of 312	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 312	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 700	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 4380	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 4380	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe
PID 1532 wrote to memory of 3364	1532	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\owo huntbot.exe
"C:\Users\Admin\AppData\Local\Temp\owo huntbot.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4620

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\SubmitDisable.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff950f0ab58,0x7ff950f0ab68,0x7ff950f0ab78
2⤵
PID:312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:2
2⤵
PID:700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:8
2⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:8
2⤵
PID:3364

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:1
2⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:1
2⤵
PID:2660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:1
2⤵
PID:856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4612 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:8
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:8
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:8
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4828 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:8
2⤵
PID:1764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:8
2⤵
PID:4512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4640 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:1
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4724 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:1
2⤵
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2808 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:1
2⤵
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5048 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:1
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3384 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:1
2⤵
PID:868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2356 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:1
2⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5132 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:1
2⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2792 --field-trial-handle=1980,i,5797010066344979872,17162186783517013241,131072 /prefetch:1
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2544

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\728b7e53-d564-499b-ad46-2bc55289bb8b.tmp
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
eb445f10f1be3ff024f3ec418886e9c0

SHA1
76eec2e199966c23973b06a5d20a3a081ade8d07

SHA256
671b87f4763459352507c87d41cc647baded2dbd20fa054e0b424020d9298f2e

SHA512
3e1d892760ec0a363e3a7fa94b745e4da7547073c2fa2135a04d1292f8907943c6b1f5062f5b5204ac3ad6f8b00dd5853f919a64a17f6965285e7a2938c9bdd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
e3c3cfbcbc8dd88a296303235794a962

SHA1
afaca6a1200c4dbcf8820e9303107f7ea2a8dbf5

SHA256
b07e0ae7d14feffa897ed3df75c10c8bb04a307ee822b270700609110fcfa671

SHA512
c5f0fd45eaa75090720cbfee50bfec1b43b60efb17983f331fc66e57482085905ee012f82bda1e5459fa694bc8045ed43447205e5a13c7b347a73e2aea32953c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
800c097a0b0a86473b7592b99878ebcf

SHA1
6286f594983b0a936f87076e9e360d2af2639aa8

SHA256
025edc8df0f8f3ebdb05fb0b591f823589b31f0859a22b596b7cf2aa55b88ce8

SHA512
6237d2d26726bde7472044a0e7d458f656c3d03ecc1105c4aa607a01164d4e0a68daac10be6b398e1f76ad4bd325fa6f0ad592e38d0fcf12bc4e9190fb92f90a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
8a343cfea4f1bddaccb6201ad3eef740

SHA1
63b57c07c7d5f984d06e7e1f0f12cbba621c1c10

SHA256
749c446d0d334943653b31326debba6c9f723618edcbe97690a5d5f5eada9a19

SHA512
1d34046558ff291ac6cc0ca2cea94e62bea4563af8a723daad54cf75f59fcd75ed3459d8fdbe04ade50bac5af9fd88e80a59e025d1d8f1fd48593cd74939fa72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
5a3be97ebedbbfead4315727791ec04a

SHA1
ea114828103cafd13e2b98340ac1a6771a826506

SHA256
dc832409b232bd6c58b6b327c412ce3bd49cea3e68cd413ada1835591092e1a0

SHA512
8f2123aea5b7a1f02f44e366bf43cc003cf48761d05b3f20729214e13daaf34224945cf4766bd8e644139bb15bb3902e0f49fa0beee9bb98545e31b6276f0011

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5ae7b2.TMP
Filesize
88KB

MD5
72ee1a06f42bbdb04f5a6d142f6512fa

SHA1
a1a4ba52e666f3e046f12e924a5a5776111935fd

SHA256
cc33d91f8004511a7ba8b4c8c680ac461aabd878730edf7a314655f6adf8152c

SHA512
15b1bb6bb5d12162a8e85eed10f44e7d1f74b0b9f677efc5a1f37cc07c774f8a956f35ad680fc8ca36d98c220e5c94ec881a269776b90c0ba565825701eafeca

Download Submit
\??\pipe\crashpad_1532_ZSGYSVFHVKNOPAZC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1404-27-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-7-0x00007FF925510000-0x00007FF925520000-memory.dmp

Filesize
64KB

Download
memory/1404-19-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-18-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-21-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-16-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-15-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-12-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-22-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-24-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-25-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-26-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-5-0x00007FF925510000-0x00007FF925520000-memory.dmp

Filesize
64KB

Download
memory/1404-23-0x00007FF922C60000-0x00007FF922C70000-memory.dmp

Filesize
64KB

Download
memory/1404-13-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-11-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-8-0x00007FF925510000-0x00007FF925520000-memory.dmp

Filesize
64KB

Download
memory/1404-20-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-6-0x00007FF925510000-0x00007FF925520000-memory.dmp

Filesize
64KB

Download
memory/1404-4-0x00007FF925510000-0x00007FF925520000-memory.dmp

Filesize
64KB

Download
memory/1404-33-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-48-0x00007FF925510000-0x00007FF925520000-memory.dmp

Filesize
64KB

Download
memory/1404-49-0x00007FF925510000-0x00007FF925520000-memory.dmp

Filesize
64KB

Download
memory/1404-47-0x00007FF925510000-0x00007FF925520000-memory.dmp

Filesize
64KB

Download
memory/1404-50-0x00007FF925510000-0x00007FF925520000-memory.dmp

Filesize
64KB

Download
memory/1404-51-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-17-0x00007FF922C60000-0x00007FF922C70000-memory.dmp

Filesize
64KB

Download
memory/1404-14-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-10-0x00007FF965490000-0x00007FF965685000-memory.dmp

Filesize
2.0MB

Download
memory/1404-9-0x00007FF96552D000-0x00007FF96552E000-memory.dmp

Filesize
4KB

Download
memory/1416-0-0x00000162946D0000-0x0000016294714000-memory.dmp

Filesize
272KB

Download
memory/1416-3-0x00007FF947470000-0x00007FF947F31000-memory.dmp

Filesize
10.8MB

Download
memory/1416-2-0x00007FF947470000-0x00007FF947F31000-memory.dmp

Filesize
10.8MB

Download
memory/1416-1-0x00007FF947473000-0x00007FF947475000-memory.dmp

Filesize
8KB

Download