umbral | 3400ddef0bbb984b0236598a7e0416fc744bc3897ec4d2a6744f74799aa2f1d4

Analysis

max time kernel
180s
max time network
175s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
25/03/2025, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Umbral.exe
Size

229KB
MD5

b4510acd06789ca5c9c98bfac48cd54c
SHA1

1907b55c643c7a3ab7f0589793c63f36065f8345
SHA256

24259eb3fb38c08bc329c1bab6a449a3f547734981c1b4c7884ac874ad66cc48
SHA512

8f49cdb658dc907d3464fe5619bb30972a5bc02b0abeda74e05beeaf69f2f2991e139cd93ca71e7b465ec4f6691583ff19dd7aee68db79cebafd26094a86f2f1
SSDEEP

6144:lloZM+rIkd8g+EtXHkv/iD438t9Cg/7I9R0STTK8Eb8e1mvi:noZtL+EP838t9Cg/7I9R0STTKht

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 1 IoCs

resource	yara_rule
behavioral2/memory/1620-1-0x0000023A8B0B0000-0x0000023A8B0F0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com
50	ip-api.com

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-780313508-644878201-565826771-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2816	wmic.exe
2816	wmic.exe
2816	wmic.exe
2816	wmic.exe
2736	wmic.exe
2736	wmic.exe
2736	wmic.exe
2736	wmic.exe
3984	wmic.exe
3984	wmic.exe
3984	wmic.exe
3984	wmic.exe
2964	wmic.exe
2964	wmic.exe
2964	wmic.exe
2964	wmic.exe
1788	wmic.exe
1788	wmic.exe
1788	wmic.exe
1788	wmic.exe
5128	wmic.exe
5128	wmic.exe
5128	wmic.exe
5128	wmic.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1620	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe
Token: SeDebugPrivilege	2816	wmic.exe
Token: SeSystemEnvironmentPrivilege	2816	wmic.exe
Token: SeRemoteShutdownPrivilege	2816	wmic.exe
Token: SeUndockPrivilege	2816	wmic.exe
Token: SeManageVolumePrivilege	2816	wmic.exe
Token: 33	2816	wmic.exe
Token: 34	2816	wmic.exe
Token: 35	2816	wmic.exe
Token: 36	2816	wmic.exe
Token: SeIncreaseQuotaPrivilege	2816	wmic.exe
Token: SeSecurityPrivilege	2816	wmic.exe
Token: SeTakeOwnershipPrivilege	2816	wmic.exe
Token: SeLoadDriverPrivilege	2816	wmic.exe
Token: SeSystemProfilePrivilege	2816	wmic.exe
Token: SeSystemtimePrivilege	2816	wmic.exe
Token: SeProfSingleProcessPrivilege	2816	wmic.exe
Token: SeIncBasePriorityPrivilege	2816	wmic.exe
Token: SeCreatePagefilePrivilege	2816	wmic.exe
Token: SeBackupPrivilege	2816	wmic.exe
Token: SeRestorePrivilege	2816	wmic.exe
Token: SeShutdownPrivilege	2816	wmic.exe
Token: SeDebugPrivilege	2816	wmic.exe
Token: SeSystemEnvironmentPrivilege	2816	wmic.exe
Token: SeRemoteShutdownPrivilege	2816	wmic.exe
Token: SeUndockPrivilege	2816	wmic.exe
Token: SeManageVolumePrivilege	2816	wmic.exe
Token: 33	2816	wmic.exe
Token: 34	2816	wmic.exe
Token: 35	2816	wmic.exe
Token: 36	2816	wmic.exe
Token: SeDebugPrivilege	720	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2736	wmic.exe
Token: SeSecurityPrivilege	2736	wmic.exe
Token: SeTakeOwnershipPrivilege	2736	wmic.exe
Token: SeLoadDriverPrivilege	2736	wmic.exe
Token: SeSystemProfilePrivilege	2736	wmic.exe
Token: SeSystemtimePrivilege	2736	wmic.exe
Token: SeProfSingleProcessPrivilege	2736	wmic.exe
Token: SeIncBasePriorityPrivilege	2736	wmic.exe
Token: SeCreatePagefilePrivilege	2736	wmic.exe
Token: SeBackupPrivilege	2736	wmic.exe
Token: SeRestorePrivilege	2736	wmic.exe
Token: SeShutdownPrivilege	2736	wmic.exe
Token: SeDebugPrivilege	2736	wmic.exe
Token: SeSystemEnvironmentPrivilege	2736	wmic.exe
Token: SeRemoteShutdownPrivilege	2736	wmic.exe
Token: SeUndockPrivilege	2736	wmic.exe
Token: SeManageVolumePrivilege	2736	wmic.exe
Token: 33	2736	wmic.exe
Token: 34	2736	wmic.exe
Token: 35	2736	wmic.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe
1928	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1928	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2816	1620	Umbral.exe	82
PID 1620 wrote to memory of 2816	1620	Umbral.exe	82
PID 720 wrote to memory of 2736	720	Umbral.exe	100
PID 720 wrote to memory of 2736	720	Umbral.exe	100
PID 5100 wrote to memory of 3984	5100	Umbral.exe	104
PID 5100 wrote to memory of 3984	5100	Umbral.exe	104
PID 5752 wrote to memory of 2964	5752	Umbral.exe	107
PID 5752 wrote to memory of 2964	5752	Umbral.exe	107
PID 5824 wrote to memory of 1788	5824	Umbral.exe	110
PID 5824 wrote to memory of 1788	5824	Umbral.exe	110
PID 1544 wrote to memory of 5128	1544	Umbral.exe	113
PID 1544 wrote to memory of 5128	1544	Umbral.exe	113
PID 1676 wrote to memory of 1928	1676	firefox.exe	116
PID 1676 wrote to memory of 1928	1676	firefox.exe	116
PID 1676 wrote to memory of 1928	1676	firefox.exe	116
PID 1676 wrote to memory of 1928	1676	firefox.exe	116
PID 1676 wrote to memory of 1928	1676	firefox.exe	116
PID 1676 wrote to memory of 1928	1676	firefox.exe	116
PID 1676 wrote to memory of 1928	1676	firefox.exe	116
PID 1676 wrote to memory of 1928	1676	firefox.exe	116
PID 1676 wrote to memory of 1928	1676	firefox.exe	116
PID 1676 wrote to memory of 1928	1676	firefox.exe	116
PID 1676 wrote to memory of 1928	1676	firefox.exe	116
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117
PID 1928 wrote to memory of 2764	1928	firefox.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:720
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2736

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3984

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5752
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2964

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5824
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1788

C:\Users\Admin\AppData\Local\Temp\Umbral.exe
"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\System32\Wbem\wmic.exe
  "wmic.exe" csproduct get uuid
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5128

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1996 -prefsLen 27100 -prefMapHandle 2000 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {2324729d-64de-4661-b40c-b55c40221760} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:2764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2464 -prefsLen 27136 -prefMapHandle 2468 -prefMapSize 270279 -ipcHandle 2476 -initialChannelId {808389a0-a9a1-43ed-81ee-20ac1b6946f2} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:3692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3928 -prefsLen 27277 -prefMapHandle 3932 -prefMapSize 270279 -jsInitHandle 3936 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3944 -initialChannelId {08844f4f-b2fc-4830-91cd-e62ee5bc6248} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:2840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4120 -prefsLen 27277 -prefMapHandle 4124 -prefMapSize 270279 -ipcHandle 4140 -initialChannelId {2eed78b0-4cf7-45e2-b8c5-a239236eed71} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:5192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2940 -prefsLen 34776 -prefMapHandle 2752 -prefMapSize 270279 -jsInitHandle 2876 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4564 -initialChannelId {91c45782-b608-4c2a-a6ed-d5047b18d236} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:2368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5080 -prefsLen 35013 -prefMapHandle 5084 -prefMapSize 270279 -ipcHandle 5064 -initialChannelId {d0e47635-8dfa-4b20-9121-49569d2ea4a9} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:2956
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5564 -prefsLen 32952 -prefMapHandle 5576 -prefMapSize 270279 -jsInitHandle 5580 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1620 -initialChannelId {17fa84a5-c056-4f59-ad35-e27567f6160c} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:3500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5736 -prefsLen 32952 -prefMapHandle 5740 -prefMapSize 270279 -jsInitHandle 5744 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5752 -initialChannelId {adca693f-7d4a-42b5-8921-9c51b658f073} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:5820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5924 -prefsLen 32952 -prefMapHandle 5928 -prefMapSize 270279 -jsInitHandle 5932 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5940 -initialChannelId {d3ffab2f-494f-457e-b928-0ef990067947} -parentPid 1928 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1928" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
b428b2a6db50d729cb6fa0fe9e1431a5

SHA1
0460ba5df0195f2e48e3df56ad7b5139d2e6313e

SHA256
4ef5e2c0e6c6e13aee09a04bf96ddba701b8e594baa09ec72a29d161961fe224

SHA512
6e5e6f6527ae9bc7880d832f096ecfec969a50d565d4e800c97251b0f196a3bee61edfd266e3e1e9672c5d21fc3dd68c5d6233ff01eec78996858ff62521c1c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\AlternateServices.bin

Filesize
6KB

MD5
45c87cd0452f96214093224133d6d091

SHA1
fba6d80f4b152f28a9a97095db854914346779c8

SHA256
450b923e78515b4283d2296976870b8fe71f6c42b4877910dd9ab5fcf6399db1

SHA512
d6210737c362a4be354e3127ce765f6a314631632dee7a240cd2f4ed33f481c46bf5a5710625d974030b334f0a9f1f4c029f1d2170db0ecaffe0abdb381a6216

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
eafe9a2203749001f9caae6b1ab07c60

SHA1
d4ae727979816739b86e9fd91c89fec84225fa91

SHA256
f18d029547b74db86474f0b13904c194f6a67a27b6dc0cc1f6b9b12fc82ad3a7

SHA512
ad1706335cca098862f36017730bd12f46270cc1735cbd6a94f412bc0d76f8aa5b8bd7294ab0cef56b780214bf390f357ead466dde42d51b7b2f812eedb5a001

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
979efdd594ca5c892ae1b0fab96c9dc7

SHA1
2a36b7a470a886d717fa33e4459c2de99c14d29f

SHA256
9fbc85ee9b8e994448687cad8764376348ecfb236f7a2fd1e40c523e144df0b5

SHA512
61c14ede23fe460ffcbd96eeeef6860c626fccafd022b54c13b458887b7a2c9f4e8ee4a5b3992f8d21b356026acd5a30abab6359be5f996e3ce259de2a26543f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\15ddebf2-611b-4d22-b338-e304f57b5a8a

Filesize
886B

MD5
b6b2528c6a77b99689a3f70014b9c23f

SHA1
0e84c0d31dc931534ac2caf3ac06d55e1396006d

SHA256
c38297b7c18fdeec5cdab7c908e5c1f27caac90409815fd161cf9a2768cd8362

SHA512
23f77caa4b56de815f4fa0cf3305e48b7769aa1af1afc01bfd3fbbad9b77c30c602a2f5b8bdcb32081f90d6ad2944c37fdd40899eb695b33c2da86d02f6c8004

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\517daf06-deb3-44e2-aa00-14739e65be61

Filesize
2KB

MD5
3dfd42899c99885598fe54796d6a71b0

SHA1
f44b61e237a8f399dc710c25a82fd7cc1018ee1f

SHA256
5ffcb3dc4f72e4b46cc1a6ad39f3e42ea0ca27d271683def6f1eab38ee4d9b7c

SHA512
ce31cb8aed63cdead6f00c0466669b1331a7abbcbda53f17cda428e382dcb414e7174cda35227c5a602cb644ce35d9a8db233860596def2d3a769a7c00175b96

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\63d7fc4b-6465-41bb-a855-4421e16a2653

Filesize
16KB

MD5
402d591b120d341bc5a24ade85edf1d4

SHA1
c18d79b001dd4a81ce2945fb5ca6f4f35587289b

SHA256
684bfbc450444a22d1e6caca888723740ef4752b2d4f487e7cc74490f978ef5c

SHA512
5e916b75678bb59b4e8bf9a414b24eb5cc7ad2a7b9b191fac047d7ba06b048c0187d24588d8726a6e674aeafaee28d20c5a30cb588ae4b6e0bd0d43ccde74f30

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\6f60e65c-6346-40ff-a725-116a0b08d0fe

Filesize
235B

MD5
e58e64a9b5d921a867cd2ac7771ef5d9

SHA1
c28f58cc32a6175413812707a910a01cee43297a

SHA256
d22a1f41574744b28e40a31bc539a1c9b4c5950f519a93fa3dd6cce025ef6385

SHA512
0353d9c3ca03ebcc45ca023bd2439fa311dc297ce1628bd26edaa7e94a15d160c155c71636a0a44913ad0d6a560952008b23c9311a50af42c0eb0713c1f1a50f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\889a0607-c93c-4056-963d-780db291d4de

Filesize
883B

MD5
61b7a4addf60685fc106135b6ef884ce

SHA1
4e35c3220437a765b341ef6989c114f1f83ee3f4

SHA256
9de201f104e99da9bc79fdc1dae0c974d83a7922b31d606d46009db89de7c0b3

SHA512
d7248d7da05d695a43b7ee40c3947b9f1d974581ac4b13103cd4a8c9c8a2c9e78799d5af21b380c78dfc14932dddb9acb4ee1047f1f3c47708af7567717652b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\datareporting\glean\pending_pings\f086063a-108d-46fe-99d4-4136676f1ede

Filesize
235B

MD5
8ef0f0ee4679dccd43ba12a98b40d938

SHA1
bc3d221566a7317fb69b903f15aba63c8d79794b

SHA256
3fd4fa800ad8ad09c14c6e76f91c1d1207814c693a41ef1f3a9a8a7715211245

SHA512
a1b1acd6761c1658e7acb9e7edf4a103b1492cd023cc285728a6d0ee48731c4d214e266eb83525f64913e02611a883bc6401c76214cad9fe407945593a45ab6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs.js

Filesize
6KB

MD5
dd1e1bf89b5bfd8ca08c76f4be811c7f

SHA1
5db633a5a0c8f610e224568944e0a3ad3ee769d0

SHA256
7b59d1109b6d253d33f022b0a1a7e6c834655fd3fe84a3d25e1ba59543309769

SHA512
0d80eeee2b43a1e1d27af8709c1d3b9f793121fcdb205bd5fb25ba7d7d959ed29bd3ea82637bd30a16d6daa773ef74ca07136679ed5bee93c8616cc10182a53a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\50jftte4.default-release\prefs.js

Filesize
6KB

MD5
e66798aad77be2c7c96dd033a07a98a6

SHA1
30a6a5142d0581027654c0433616c828b2439185

SHA256
3d47d24485811ed0da77df7f63c3bbcc66b783179bd863f003242466c6398f8c

SHA512
04c84a3cc2c6ad21a7acbcdd6b6854b99b98d5939a1c3b3670ff435e5f75f72bfead89b37b357efbbb6869fa022c426546a9fdda7d1d1956ea6fc4b544133e31

Download Submit
memory/1620-4-0x00007FFED4210000-0x00007FFED4CD2000-memory.dmp

Filesize
10.8MB

Download
memory/1620-2-0x00007FFED4210000-0x00007FFED4CD2000-memory.dmp

Filesize
10.8MB

Download
memory/1620-0-0x00007FFED4213000-0x00007FFED4215000-memory.dmp

Filesize
8KB

Download
memory/1620-1-0x0000023A8B0B0000-0x0000023A8B0F0000-memory.dmp

Filesize
256KB

Download