umbral | 9bd18d2dade015a169996c0c1e36b2d8a8ea7c696660d767aff916d98d3f1ddd

Analysis

max time kernel
94s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

umbral.exe
Size

1.6MB
MD5

00d1500f2bf8bca0155b96b09d5c7294
SHA1

dda7ceda5e7bc5ad5db25dcdb4c9f3713ca70e18
SHA256

9bd18d2dade015a169996c0c1e36b2d8a8ea7c696660d767aff916d98d3f1ddd
SHA512

1bf4b531bdfc03508ed000f0f0750b7275d8c5b965804cc8780623010ff8dbe9787f019380d3fc44a96a6ac9bc1b5cd0604f87307ea708a69e0ea1c29f762639
SSDEEP

49152:4AodtaG9kS2U84B+FLan9k5TRM9zl/VjoeftKuFor:o/B1lfthar

Score

10^/10

umbral discovery execution stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/2020-19-0x0000000000400000-0x0000000000440000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2004	powershell.exe
3764	powershell.exe
3408	powershell.exe
1576	powershell.exe
1972	powershell.exe
2708	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	AddInProcess32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	umbral.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	umbral.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2020	2380	umbral.exe	92
PID 2812 set thread context of 4640	2812	umbral.exe	108

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2852	cmd.exe
4512	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4768	wmic.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2484	taskkill.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4512	PING.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2004	powershell.exe
2004	powershell.exe
2380	umbral.exe
3764	powershell.exe
3764	powershell.exe
2708	powershell.exe
2708	powershell.exe
1576	powershell.exe
1576	powershell.exe
3408	powershell.exe
3408	powershell.exe
2812	umbral.exe
2964	powershell.exe
2964	powershell.exe
1972	powershell.exe
1972	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	umbral.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2020	AddInProcess32.exe
Token: SeDebugPrivilege	3764	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2812	umbral.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeIncreaseQuotaPrivilege	436	wmic.exe
Token: SeSecurityPrivilege	436	wmic.exe
Token: SeTakeOwnershipPrivilege	436	wmic.exe
Token: SeLoadDriverPrivilege	436	wmic.exe
Token: SeSystemProfilePrivilege	436	wmic.exe
Token: SeSystemtimePrivilege	436	wmic.exe
Token: SeProfSingleProcessPrivilege	436	wmic.exe
Token: SeIncBasePriorityPrivilege	436	wmic.exe
Token: SeCreatePagefilePrivilege	436	wmic.exe
Token: SeBackupPrivilege	436	wmic.exe
Token: SeRestorePrivilege	436	wmic.exe
Token: SeShutdownPrivilege	436	wmic.exe
Token: SeDebugPrivilege	436	wmic.exe
Token: SeSystemEnvironmentPrivilege	436	wmic.exe
Token: SeRemoteShutdownPrivilege	436	wmic.exe
Token: SeUndockPrivilege	436	wmic.exe
Token: SeManageVolumePrivilege	436	wmic.exe
Token: 33	436	wmic.exe
Token: 34	436	wmic.exe
Token: 35	436	wmic.exe
Token: 36	436	wmic.exe
Token: SeIncreaseQuotaPrivilege	436	wmic.exe
Token: SeSecurityPrivilege	436	wmic.exe
Token: SeTakeOwnershipPrivilege	436	wmic.exe
Token: SeLoadDriverPrivilege	436	wmic.exe
Token: SeSystemProfilePrivilege	436	wmic.exe
Token: SeSystemtimePrivilege	436	wmic.exe
Token: SeProfSingleProcessPrivilege	436	wmic.exe
Token: SeIncBasePriorityPrivilege	436	wmic.exe
Token: SeCreatePagefilePrivilege	436	wmic.exe
Token: SeBackupPrivilege	436	wmic.exe
Token: SeRestorePrivilege	436	wmic.exe
Token: SeShutdownPrivilege	436	wmic.exe
Token: SeDebugPrivilege	436	wmic.exe
Token: SeSystemEnvironmentPrivilege	436	wmic.exe
Token: SeRemoteShutdownPrivilege	436	wmic.exe
Token: SeUndockPrivilege	436	wmic.exe
Token: SeManageVolumePrivilege	436	wmic.exe
Token: 33	436	wmic.exe
Token: 34	436	wmic.exe
Token: 35	436	wmic.exe
Token: 36	436	wmic.exe
Token: SeIncreaseQuotaPrivilege	3036	wmic.exe
Token: SeSecurityPrivilege	3036	wmic.exe
Token: SeTakeOwnershipPrivilege	3036	wmic.exe
Token: SeLoadDriverPrivilege	3036	wmic.exe
Token: SeSystemProfilePrivilege	3036	wmic.exe
Token: SeSystemtimePrivilege	3036	wmic.exe
Token: SeProfSingleProcessPrivilege	3036	wmic.exe
Token: SeIncBasePriorityPrivilege	3036	wmic.exe
Token: SeCreatePagefilePrivilege	3036	wmic.exe
Token: SeBackupPrivilege	3036	wmic.exe
Token: SeRestorePrivilege	3036	wmic.exe
Token: SeShutdownPrivilege	3036	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2004	2380	umbral.exe	85
PID 2380 wrote to memory of 2004	2380	umbral.exe	85
PID 2380 wrote to memory of 4668	2380	umbral.exe	89
PID 2380 wrote to memory of 4668	2380	umbral.exe	89
PID 2380 wrote to memory of 1196	2380	umbral.exe	90
PID 2380 wrote to memory of 1196	2380	umbral.exe	90
PID 2380 wrote to memory of 1196	2380	umbral.exe	90
PID 2380 wrote to memory of 1196	2380	umbral.exe	90
PID 2380 wrote to memory of 2020	2380	umbral.exe	92
PID 2380 wrote to memory of 2020	2380	umbral.exe	92
PID 2380 wrote to memory of 2020	2380	umbral.exe	92
PID 2380 wrote to memory of 2020	2380	umbral.exe	92
PID 2380 wrote to memory of 2020	2380	umbral.exe	92
PID 2380 wrote to memory of 2020	2380	umbral.exe	92
PID 2380 wrote to memory of 2020	2380	umbral.exe	92
PID 2380 wrote to memory of 2020	2380	umbral.exe	92
PID 2020 wrote to memory of 2324	2020	AddInProcess32.exe	93
PID 2020 wrote to memory of 2324	2020	AddInProcess32.exe	93
PID 2020 wrote to memory of 2324	2020	AddInProcess32.exe	93
PID 2020 wrote to memory of 3764	2020	AddInProcess32.exe	95
PID 2020 wrote to memory of 3764	2020	AddInProcess32.exe	95
PID 2020 wrote to memory of 3764	2020	AddInProcess32.exe	95
PID 2020 wrote to memory of 2708	2020	AddInProcess32.exe	97
PID 2020 wrote to memory of 2708	2020	AddInProcess32.exe	97
PID 2020 wrote to memory of 2708	2020	AddInProcess32.exe	97
PID 2020 wrote to memory of 1576	2020	AddInProcess32.exe	99
PID 2020 wrote to memory of 1576	2020	AddInProcess32.exe	99
PID 2020 wrote to memory of 1576	2020	AddInProcess32.exe	99
PID 2812 wrote to memory of 3408	2812	umbral.exe	103
PID 2812 wrote to memory of 3408	2812	umbral.exe	103
PID 2020 wrote to memory of 2964	2020	AddInProcess32.exe	105
PID 2020 wrote to memory of 2964	2020	AddInProcess32.exe	105
PID 2020 wrote to memory of 2964	2020	AddInProcess32.exe	105
PID 2812 wrote to memory of 2396	2812	umbral.exe	107
PID 2812 wrote to memory of 2396	2812	umbral.exe	107
PID 2812 wrote to memory of 4640	2812	umbral.exe	108
PID 2812 wrote to memory of 4640	2812	umbral.exe	108
PID 2812 wrote to memory of 4640	2812	umbral.exe	108
PID 2812 wrote to memory of 4640	2812	umbral.exe	108
PID 2812 wrote to memory of 4640	2812	umbral.exe	108
PID 2812 wrote to memory of 4640	2812	umbral.exe	108
PID 2812 wrote to memory of 4640	2812	umbral.exe	108
PID 2812 wrote to memory of 4640	2812	umbral.exe	108
PID 2020 wrote to memory of 436	2020	AddInProcess32.exe	112
PID 2020 wrote to memory of 436	2020	AddInProcess32.exe	112
PID 2020 wrote to memory of 436	2020	AddInProcess32.exe	112
PID 2020 wrote to memory of 3036	2020	AddInProcess32.exe	114
PID 2020 wrote to memory of 3036	2020	AddInProcess32.exe	114
PID 2020 wrote to memory of 3036	2020	AddInProcess32.exe	114
PID 2020 wrote to memory of 4912	2020	AddInProcess32.exe	116
PID 2020 wrote to memory of 4912	2020	AddInProcess32.exe	116
PID 2020 wrote to memory of 4912	2020	AddInProcess32.exe	116
PID 2020 wrote to memory of 1972	2020	AddInProcess32.exe	118
PID 2020 wrote to memory of 1972	2020	AddInProcess32.exe	118
PID 2020 wrote to memory of 1972	2020	AddInProcess32.exe	118
PID 2020 wrote to memory of 4768	2020	AddInProcess32.exe	120
PID 2020 wrote to memory of 4768	2020	AddInProcess32.exe	120
PID 2020 wrote to memory of 4768	2020	AddInProcess32.exe	120
PID 2020 wrote to memory of 2852	2020	AddInProcess32.exe	122
PID 2020 wrote to memory of 2852	2020	AddInProcess32.exe	122
PID 2020 wrote to memory of 2852	2020	AddInProcess32.exe	122
PID 2852 wrote to memory of 4512	2852	cmd.exe	124
PID 2852 wrote to memory of 4512	2852	cmd.exe	124
PID 2852 wrote to memory of 4512	2852	cmd.exe	124

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2324	attrib.exe

C:\Users\Admin\AppData\Local\Temp\umbral.exe
"C:\Users\Admin\AppData\Local\Temp\umbral.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\windows\system32\cmstp.exe
  "C:\windows\system32\cmstp.exe" /au C:\windows\temp\560822253.inf
  2⤵
  PID:4668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  PID:1196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Drops file in Drivers directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\attrib.exe
    "attrib.exe" +h +s "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2324
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2964
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4912
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1972
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - System Location Discovery: System Language Discovery
    - Detects videocard installed
    PID:4768
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" && pause
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\SysWOW64\PING.EXE
      ping localhost
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4512

C:\Users\Admin\AppData\Local\Temp\umbral.exe
C:\Users\Admin\AppData\Local\Temp\umbral.exe
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\windows\system32\cmstp.exe
  "C:\windows\system32\cmstp.exe" /au C:\windows\temp\443020613.inf
  2⤵
  PID:2396
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4640

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
3394849a38ac14dd830b24d5cfc2edac

SHA1
cc1af69c0f86e1f49b99b4dea32dc66d5cda4d1e

SHA256
4b37e8ea06327903f5d9538ae4ef2433ab8cc20c967285ca3d637b772580a046

SHA512
8ca309e87aedc9952f785a3604e2773bd864d83f216d63734c8250d52ed4a49a0ef4174894b7c31612f8dfbeb28bb6efbf263bc164520a8d48391627fa437edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
17KB

MD5
ef90dc763115e45317e2837f6d4d482a

SHA1
94ad2598e2233a6ef56a06491cddc444351f5603

SHA256
46f69ca4de939b05acced0095938055253ef5fcd800fd452c78452abd483a26c

SHA512
fd612517a46572a1196ee71e9502dcbf0ca24734eb6facf869905514455875360da9dd66e615320fa07f7b04fb323aab153cac0569059f98e7e1d9cbfbbc645c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
8ffedc49c8adc9d7e021dff8dd4014d0

SHA1
38ac709875123d7220cbc3388d8eba854210a0d0

SHA256
153c5fa3905721a844c370f2d6265bc12b6ccd35db9452d32baf36498b92c588

SHA512
fe09ef3292b77331968afce3f90333c41f227d137a0851d125ae367fc683dea977f4da41c362cbdd1aa18cfd2e6592206516aa0079fe4900fd321de7c98a4adf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_abawg0up.jbc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\umbral.exe

Filesize
1.6MB

MD5
00d1500f2bf8bca0155b96b09d5c7294

SHA1
dda7ceda5e7bc5ad5db25dcdb4c9f3713ca70e18

SHA256
9bd18d2dade015a169996c0c1e36b2d8a8ea7c696660d767aff916d98d3f1ddd

SHA512
1bf4b531bdfc03508ed000f0f0750b7275d8c5b965804cc8780623010ff8dbe9787f019380d3fc44a96a6ac9bc1b5cd0604f87307ea708a69e0ea1c29f762639

Download Submit
C:\windows\temp\560822253.inf

Filesize
515B

MD5
80d2c07ef768a5a9beea96e8e486eb80

SHA1
3684c9e2c22850743ed549ddb5d607e24d3754fe

SHA256
b3bd9ad9314ed67fce90609697dad32926efa86b266d9c0a7afcb048584fb6a9

SHA512
9ca8114aaa2f0e64c4ab1ad8931ee77d0bd8036db7a94a3c26b98a373516734eff1d257004461685a1a1286793d5870e9a224186ce05dd0fde4f5b45cdd9d0ad

Download Submit
memory/1576-107-0x0000000006D30000-0x0000000006D52000-memory.dmp

Filesize
136KB

Download
memory/1576-94-0x0000000006130000-0x0000000006484000-memory.dmp

Filesize
3.3MB

Download
memory/1576-105-0x0000000006840000-0x000000000688C000-memory.dmp

Filesize
304KB

Download
memory/1972-153-0x0000000006AF0000-0x0000000006B3C000-memory.dmp

Filesize
304KB

Download
memory/1972-151-0x00000000062F0000-0x0000000006644000-memory.dmp

Filesize
3.3MB

Download
memory/2004-0-0x00007FFFDB823000-0x00007FFFDB825000-memory.dmp

Filesize
8KB

Download
memory/2004-17-0x00007FFFDB820000-0x00007FFFDC2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-12-0x00007FFFDB820000-0x00007FFFDC2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-11-0x00007FFFDB820000-0x00007FFFDC2E1000-memory.dmp

Filesize
10.8MB

Download
memory/2004-1-0x000001F755D70000-0x000001F755D92000-memory.dmp

Filesize
136KB

Download
memory/2020-19-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2020-139-0x0000000007DD0000-0x0000000007DE2000-memory.dmp

Filesize
72KB

Download
memory/2020-138-0x0000000007DA0000-0x0000000007DAA000-memory.dmp

Filesize
40KB

Download
memory/2020-21-0x00000000059A0000-0x0000000005F44000-memory.dmp

Filesize
5.6MB

Download
memory/2020-81-0x0000000006E00000-0x0000000006E1E000-memory.dmp

Filesize
120KB

Download
memory/2020-80-0x0000000006DB0000-0x0000000006E00000-memory.dmp

Filesize
320KB

Download
memory/2020-79-0x0000000006BA0000-0x0000000006C16000-memory.dmp

Filesize
472KB

Download
memory/2020-20-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/2708-70-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/2964-132-0x0000000006460000-0x00000000067B4000-memory.dmp

Filesize
3.3MB

Download
memory/3764-24-0x0000000005080000-0x00000000050A2000-memory.dmp

Filesize
136KB

Download
memory/3764-61-0x0000000007550000-0x0000000007558000-memory.dmp

Filesize
32KB

Download
memory/3764-60-0x0000000007570000-0x000000000758A000-memory.dmp

Filesize
104KB

Download
memory/3764-59-0x0000000007470000-0x0000000007484000-memory.dmp

Filesize
80KB

Download
memory/3764-58-0x0000000007460000-0x000000000746E000-memory.dmp

Filesize
56KB

Download
memory/3764-57-0x0000000007430000-0x0000000007441000-memory.dmp

Filesize
68KB

Download
memory/3764-56-0x00000000074B0000-0x0000000007546000-memory.dmp

Filesize
600KB

Download
memory/3764-55-0x00000000072A0000-0x00000000072AA000-memory.dmp

Filesize
40KB

Download
memory/3764-54-0x0000000007230000-0x000000000724A000-memory.dmp

Filesize
104KB

Download
memory/3764-53-0x0000000007880000-0x0000000007EFA000-memory.dmp

Filesize
6.5MB

Download
memory/3764-52-0x00000000070E0000-0x0000000007183000-memory.dmp

Filesize
652KB

Download
memory/3764-51-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/3764-41-0x0000000070010000-0x000000007005C000-memory.dmp

Filesize
304KB

Download
memory/3764-40-0x00000000064D0000-0x0000000006502000-memory.dmp

Filesize
200KB

Download
memory/3764-39-0x0000000005F40000-0x0000000005F8C000-memory.dmp

Filesize
304KB

Download
memory/3764-38-0x0000000005F10000-0x0000000005F2E000-memory.dmp

Filesize
120KB

Download
memory/3764-32-0x0000000005960000-0x0000000005CB4000-memory.dmp

Filesize
3.3MB

Download
memory/3764-25-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/3764-26-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/3764-23-0x00000000051A0000-0x00000000057C8000-memory.dmp

Filesize
6.2MB

Download
memory/3764-22-0x0000000002600000-0x0000000002636000-memory.dmp

Filesize
216KB

Download