umbral | 4cc1f9f24687b31979df108d1cb40b332b2b867aa004314b3844fc9388051d10

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06-02-2025 18:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

krx/krx/KRX Client.exe
Size

13.5MB
MD5

14aa5b66b4eb09f2ec43ab2785353b30
SHA1

13e604b67db06e15a4f6c320fadb653f35d8bd1a
SHA256

83d30f0c1b0fb62ba26d7a2a8ddd0f1d0a355d4011d57c9316fc1fe6fc3e144b
SHA512

ae7b132ae3d91e1f7967fffc52c7b30760d4bf29f7c3c25522c27002399c2de865729e99ce7141baa6355ce6e22141721e733bc1ebdacc840f2d3ad112ead39a
SSDEEP

196608:1aqDXlWLO5Ui4d+fNcCnpVubF7d2vziaM7G9PEozWpLMFhKxY+MyAD0vOLQpMJKu:1a0eO9kh7EzzKOPEoypIFDWY3tKgO4

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral10/files/0x000c000000023b61-4.dat	family_umbral
behavioral10/memory/228-13-0x000001D09F900000-0x000001D09F940000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2432	powershell.exe
4492	powershell.exe
3292	powershell.exe
4656	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2089655958-977706906-1981639424-1000\Control Panel\International\Geo\Nation	KRX Client.exe

Executes dropped EXE 2 IoCs

pid	Process
228	Umbral.exe
1960	KRX Client.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
28	discord.com
29	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KRX Client.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5032	PING.EXE
2548	cmd.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4496	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133833415953648792"	chrome.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5032	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
228	Umbral.exe
4656	powershell.exe
4656	powershell.exe
2432	powershell.exe
2432	powershell.exe
4492	powershell.exe
4492	powershell.exe
3684	powershell.exe
3684	powershell.exe
3292	powershell.exe
3292	powershell.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	Umbral.exe
Token: SeIncreaseQuotaPrivilege	4532	wmic.exe
Token: SeSecurityPrivilege	4532	wmic.exe
Token: SeTakeOwnershipPrivilege	4532	wmic.exe
Token: SeLoadDriverPrivilege	4532	wmic.exe
Token: SeSystemProfilePrivilege	4532	wmic.exe
Token: SeSystemtimePrivilege	4532	wmic.exe
Token: SeProfSingleProcessPrivilege	4532	wmic.exe
Token: SeIncBasePriorityPrivilege	4532	wmic.exe
Token: SeCreatePagefilePrivilege	4532	wmic.exe
Token: SeBackupPrivilege	4532	wmic.exe
Token: SeRestorePrivilege	4532	wmic.exe
Token: SeShutdownPrivilege	4532	wmic.exe
Token: SeDebugPrivilege	4532	wmic.exe
Token: SeSystemEnvironmentPrivilege	4532	wmic.exe
Token: SeRemoteShutdownPrivilege	4532	wmic.exe
Token: SeUndockPrivilege	4532	wmic.exe
Token: SeManageVolumePrivilege	4532	wmic.exe
Token: 33	4532	wmic.exe
Token: 34	4532	wmic.exe
Token: 35	4532	wmic.exe
Token: 36	4532	wmic.exe
Token: SeIncreaseQuotaPrivilege	4532	wmic.exe
Token: SeSecurityPrivilege	4532	wmic.exe
Token: SeTakeOwnershipPrivilege	4532	wmic.exe
Token: SeLoadDriverPrivilege	4532	wmic.exe
Token: SeSystemProfilePrivilege	4532	wmic.exe
Token: SeSystemtimePrivilege	4532	wmic.exe
Token: SeProfSingleProcessPrivilege	4532	wmic.exe
Token: SeIncBasePriorityPrivilege	4532	wmic.exe
Token: SeCreatePagefilePrivilege	4532	wmic.exe
Token: SeBackupPrivilege	4532	wmic.exe
Token: SeRestorePrivilege	4532	wmic.exe
Token: SeShutdownPrivilege	4532	wmic.exe
Token: SeDebugPrivilege	4532	wmic.exe
Token: SeSystemEnvironmentPrivilege	4532	wmic.exe
Token: SeRemoteShutdownPrivilege	4532	wmic.exe
Token: SeUndockPrivilege	4532	wmic.exe
Token: SeManageVolumePrivilege	4532	wmic.exe
Token: 33	4532	wmic.exe
Token: 34	4532	wmic.exe
Token: 35	4532	wmic.exe
Token: 36	4532	wmic.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeIncreaseQuotaPrivilege	3564	wmic.exe
Token: SeSecurityPrivilege	3564	wmic.exe
Token: SeTakeOwnershipPrivilege	3564	wmic.exe
Token: SeLoadDriverPrivilege	3564	wmic.exe
Token: SeSystemProfilePrivilege	3564	wmic.exe
Token: SeSystemtimePrivilege	3564	wmic.exe
Token: SeProfSingleProcessPrivilege	3564	wmic.exe
Token: SeIncBasePriorityPrivilege	3564	wmic.exe
Token: SeCreatePagefilePrivilege	3564	wmic.exe
Token: SeBackupPrivilege	3564	wmic.exe
Token: SeRestorePrivilege	3564	wmic.exe
Token: SeShutdownPrivilege	3564	wmic.exe
Token: SeDebugPrivilege	3564	wmic.exe
Token: SeSystemEnvironmentPrivilege	3564	wmic.exe
Token: SeRemoteShutdownPrivilege	3564	wmic.exe
Token: SeUndockPrivilege	3564	wmic.exe
Token: SeManageVolumePrivilege	3564	wmic.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe
3500	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 228	1788	KRX Client.exe	85
PID 1788 wrote to memory of 228	1788	KRX Client.exe	85
PID 1788 wrote to memory of 1960	1788	KRX Client.exe	86
PID 1788 wrote to memory of 1960	1788	KRX Client.exe	86
PID 228 wrote to memory of 4532	228	Umbral.exe	87
PID 228 wrote to memory of 4532	228	Umbral.exe	87
PID 228 wrote to memory of 3876	228	Umbral.exe	92
PID 228 wrote to memory of 3876	228	Umbral.exe	92
PID 228 wrote to memory of 4656	228	Umbral.exe	94
PID 228 wrote to memory of 4656	228	Umbral.exe	94
PID 228 wrote to memory of 2432	228	Umbral.exe	97
PID 228 wrote to memory of 2432	228	Umbral.exe	97
PID 228 wrote to memory of 4492	228	Umbral.exe	99
PID 228 wrote to memory of 4492	228	Umbral.exe	99
PID 228 wrote to memory of 3684	228	Umbral.exe	101
PID 228 wrote to memory of 3684	228	Umbral.exe	101
PID 228 wrote to memory of 3564	228	Umbral.exe	103
PID 228 wrote to memory of 3564	228	Umbral.exe	103
PID 228 wrote to memory of 5044	228	Umbral.exe	105
PID 228 wrote to memory of 5044	228	Umbral.exe	105
PID 228 wrote to memory of 376	228	Umbral.exe	107
PID 228 wrote to memory of 376	228	Umbral.exe	107
PID 228 wrote to memory of 3292	228	Umbral.exe	109
PID 228 wrote to memory of 3292	228	Umbral.exe	109
PID 228 wrote to memory of 4496	228	Umbral.exe	111
PID 228 wrote to memory of 4496	228	Umbral.exe	111
PID 228 wrote to memory of 2548	228	Umbral.exe	114
PID 228 wrote to memory of 2548	228	Umbral.exe	114
PID 2548 wrote to memory of 5032	2548	cmd.exe	116
PID 2548 wrote to memory of 5032	2548	cmd.exe	116
PID 3500 wrote to memory of 4532	3500	chrome.exe	138
PID 3500 wrote to memory of 4532	3500	chrome.exe	138
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 2208	3500	chrome.exe	139
PID 3500 wrote to memory of 5016	3500	chrome.exe	140
PID 3500 wrote to memory of 5016	3500	chrome.exe	140

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3876	attrib.exe

C:\Users\Admin\AppData\Local\Temp\krx\krx\KRX Client.exe
"C:\Users\Admin\AppData\Local\Temp\krx\krx\KRX Client.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4532
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:3876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3684
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:5044
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:376
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:3292
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4496
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5032
- C:\Users\Admin\AppData\Local\Temp\KRX Client.exe
  "C:\Users\Admin\AppData\Local\Temp\KRX Client.exe"
  2⤵
  - Executes dropped EXE
  PID:1960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe07f8cc40,0x7ffe07f8cc4c,0x7ffe07f8cc58
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2132,i,9236201804303399432,17966506776007954387,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1820,i,9236201804303399432,17966506776007954387,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,9236201804303399432,17966506776007954387,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,9236201804303399432,17966506776007954387,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,9236201804303399432,17966506776007954387,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3708,i,9236201804303399432,17966506776007954387,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,9236201804303399432,17966506776007954387,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:60
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,9236201804303399432,17966506776007954387,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=240,i,9236201804303399432,17966506776007954387,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4968,i,9236201804303399432,17966506776007954387,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5100 /prefetch:8
  2⤵
  PID:3524

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2168

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\87c82d68-a1cc-4223-8359-34c77a89d665.tmp

Filesize
15KB

MD5
66f6463f699391151508005f7b3e53da

SHA1
416f9e647e1f64387735a76fb909993c4fb457a4

SHA256
621720c1e490f214256e0f0703dc46907daece5e660fc40a4273181b2029f00a

SHA512
d8e2655d26601a7ca6a120ca16f3bab58d77a912433ccb552f85a8484897de948a1042f6bbfa1c2e97ee4466c59a1df8b7d4f948b93f52a7ea79b3aef8d3c6d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7103bad3c380274c744522af09743f53

SHA1
248a200ed7ae673c9aee00e414320313555e7a03

SHA256
435e516cfdc2158ba1a465479f2dcc511a5c613aa5d3b74f577bd72ce3edbf82

SHA512
54908ea58127aa1be142aa2ed13c77319bc863d962dbdb7a62729881f6095dd2ea14f31fe6bdd68d29ecaca85e390324d8398a9852a8fadc029964eb5c8a5012

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cae1c42940da038f476cc94e37f397c0

SHA1
9705318ca39ec57534f856b31bbd47a88d3f3ba0

SHA256
bab7edeb3e765fccbc3b54b98a91b3e02afdc20ea96d9b282291eae08173a8e2

SHA512
f048fd2bbcf78d439a97693dedd2182b1849904f4c383b3e08f569a1b5486da903ef559dd8922a84a1e946c579f8fdf8c38bc26b631dd72909a43a032d6c7033

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3561c1ee18bd4049a0905c5f72c58c4b

SHA1
f9b0cfd448a873ee093290fafa056b80a110a1a1

SHA256
fa7c7e50edcd5ea0b63e75bfa4b4611b3345f9b437fd8a0f22550df9ff0f2acd

SHA512
f32e3b2772f837794a928e7e8fa86d5ac6abeec30263d2f5024cb6fb7a51d6b18829e622df12f73e98d394dd4c11b7748f2c33c64944db1571e818483db77284

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a984505bd48deb353dd9bba1a8b3c18

SHA1
b15b11f650f7fea9c7fc5769cd47626389ab09e8

SHA256
b806b17a610bd8ab271686d47d19f21b642140acfe4101c9dd6a2113c751f5b7

SHA512
9b379af2b17033f8b8ef6b55b997afd01cbdd221c283ca1e32eb2250ab841debd40ba76b2dba45616fd93278e48db076b9763971c8056c4dbec6b7cf9b3e8536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7e3cf2b373caefb2c3e7aa631632a50

SHA1
0ed50bfcd90b54821cb9ceeb0aaebfea898f8574

SHA256
bcc24026f761ecc7bde002832098e204fbbf8defb3fa490b6ea07c7de73f3700

SHA512
2b58df61da03b3a2bfe29145d289e813592e3d7f0e8a291b2dff9c41f0ee04e10fc66492b4110e66845a18fdb24b247df79ac5b969338a86d01e80c6638aacd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\cb5d0d5f-6243-4d1b-b34e-c87dfdde0bcf.tmp

Filesize
8KB

MD5
c7243d96627a700e03fb84f743c2e454

SHA1
9ecfdac945892b2f6808c86504dec5e82531cca6

SHA256
f4a3419f0c0fa2f945b20210ab467e36781deb0741784f8bed6ac69f1c9c8ee2

SHA512
faad7d056d0edf6555177f9f99419e94753508c7643153b1e202564a880cf1c325021b01ec3823e975f827dc671f9db7ad37362e1e1e9eda8aa8f2b8c0cb6530

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
124KB

MD5
8d81719ab7b9b94b1ab0c3ed93f54ed4

SHA1
3b77bd8fd25e7aec3e9076b175895aebd13b23a2

SHA256
1676986b11197ac2e44d18bdf82dd66c89f1f4f7c94256b4b7c7b12f5cbb0976

SHA512
6b709888d539706ec6ff49326ca6c51deb7c661c0f60f4410228c9ac713f79b3d42040045a83b2112e3e91b87e24af2ce271a1eb184e1c21f04213dabbcd5f76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
1e0adbb9aee36dfa9ea23bfb94f7e2db

SHA1
3ea5b168d5facc0f37be9052bf7ec0d685f9f657

SHA256
bcdf14696be3f158cf08a2e44b4a6e8a946789f019a78ae275042a4996e5a27f

SHA512
19531d803d2bea4374344d5bd94283fcedf8755144d7ed151bbf9f90fff688c68350a012949c0aba1638533a9de5bd79293c8ae33e03083b7b2fe09bc6839c14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
1fe21e3e4e6ba4130b6fed29d3c4f0e0

SHA1
a633eb4998ac0bb42a8e7cefc5a6a8c4eafb7b81

SHA256
35755aed41801f8dbb95f73144156a9e990632d1cb1646e7889db11831722206

SHA512
75f9e22d1217259fc25dbaebe3d7cbeacd93e1909147dfcbe6236bb0ccbe48c72336e2f4762e7dca39c5b78938c4529a332502b79ec6528f2de5ada9c8c11c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
061e9b5da7f9fd404684666a318e199b

SHA1
359fbcd8bc8cb3927430cc14712cd342abcb1a54

SHA256
e3192bd21a73f05c04489dfe93e7f09531f6929122d2f770652cd9f6b7af572a

SHA512
26554f601be1d4638807ee7d6f86ee8602921ac461eb0cff812238760c1108b2ca0d76be763374328efe71b826e056aa27e1aaa4bcfee16e60d619498d9a8ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
0f2b0a63e9d012cd3c6ac69493be8251

SHA1
69735dbeb2694d35b6dcab681c526948e8c39a1c

SHA256
bdd9e005bc7df02ca94f2faeef8414671b0be7a11bb1e3c1db1ebeebbedad4e0

SHA512
f951aadbe8cd0305f109ca00ffeee6e513d3d87e17b7f8b5dad607fa8908f2251698b58e97c062dbaae758fa316c946dd9be7a86eef02dbd7293d415fcb20a33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRX Client.exe

Filesize
13.4MB

MD5
7907e9406015ceba49d7f1156f032ac8

SHA1
a8034055f4358c1d687b3c2c70c588f37982fa88

SHA256
fc59d043ebbf8e3225f399030bc6447a0592e992bcb57a08d769c35934335de3

SHA512
bff798c9a2301120c343e7108a857dc2a78e5c18fa5fbc06d71ada65f96adbff3ce47e3ffbf51c13db50f0c09ae6d0bcad4a2abe3911e0bd0b2a1b816c0685a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
39866481d5925ad5fb5a6c72bc51c3c5

SHA1
6c646ec853a4178e219c73cd1788d3f51623099d

SHA256
38042abd98755c213a6f36e5c79d23e7d09b56495b29daab3e89fcdccde80ad2

SHA512
daca18d9d9132ffe07b142a80148aa98575c72052de8bd18115f85adcac1ed8b6f990a85d3076a9c88e934694ae8ba19b58eb6cf81bc27a3c84480c3e853779d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mf2l04go.cup.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/228-51-0x000001D0BA100000-0x000001D0BA176000-memory.dmp

Filesize
472KB

Download
memory/228-53-0x000001D09FDC0000-0x000001D09FDDE000-memory.dmp

Filesize
120KB

Download
memory/228-52-0x000001D0B9E20000-0x000001D0B9E70000-memory.dmp

Filesize
320KB

Download
memory/228-108-0x00007FFE07C10000-0x00007FFE086D1000-memory.dmp

Filesize
10.8MB

Download
memory/228-90-0x000001D0A16E0000-0x000001D0A16F2000-memory.dmp

Filesize
72KB

Download
memory/228-20-0x00007FFE07C10000-0x00007FFE086D1000-memory.dmp

Filesize
10.8MB

Download
memory/228-89-0x000001D09FDF0000-0x000001D09FDFA000-memory.dmp

Filesize
40KB

Download
memory/228-13-0x000001D09F900000-0x000001D09F940000-memory.dmp

Filesize
256KB

Download
memory/228-12-0x00007FFE07C13000-0x00007FFE07C15000-memory.dmp

Filesize
8KB

Download
memory/1960-24-0x0000000140000000-0x0000000142086000-memory.dmp

Filesize
32.5MB

Download
memory/4656-25-0x000001C6607E0000-0x000001C660802000-memory.dmp

Filesize
136KB

Download