| Property | Value |
|---|---|
| File name: | twojmatka.exe |
| Full analysis: | https://app.any.run/tasks/f1846dde-4370-43ab-860d-ab7532223046 |
| Verdict: | Malicious activity |
| Analysis date: | June 13, 2023, 23:09:16 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | BC55D6117642BAF5DA346CE845D60DE8 |
| SHA1: | 450D5A9A2113B36FD41F73D9ED202AFCF84DED0E |
| SHA256: | E94CDD9CC2217DA0DFC5838A26F3A326D126F830D48854EFFBA45BE6461EAC59 |
| SSDEEP: | 6144:uloZMNrIkd8g+EtXHkv/iD4d1X7T5KyNh4ZL22Xipb8e1m2fVi:4oZmL+EP8d1X7T5KyNh4ZL22X+B0 |
| Extension | Description (match %) |
|---|---|
| .exe | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
| .exe | Win64 Executable (generic) (21.3) |
| .scr | Windows screen saver (10.1) |
| .dll | Win32 Dynamic Link Library (generic) (5) |
| .exe | Win32 Executable (generic) (3.4) |
| Property | Value |
|---|---|
| AssemblyVersion: | 1.0.0.0 |
| ProductVersion: | 1.0.0.0 |
| ProductName: | - |
| OriginalFileName: | - |
| LegalTrademarks: | - |
| LegalCopyright: | - |
| InternalName: | - |
| FileVersion: | 1.0.0.0 |
| FileDescription: | - |
| CompanyName: | - |
| Comments: | Payload for Umbral Stealer |
| CharacterSet: | Unicode |
| LanguageCode: | Neutral |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x003f |
| ProductVersionNumber: | 1.0.0.0 |
| FileVersionNumber: | 1.0.0.0 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 6 |
| ImageVersion: | - |
| OSVersion: | 4 |
| EntryPoint: | 0x3adde |
| UninitializedDataSize: | - |
| InitializedDataSize: | 2048 |
| CodeSize: | 232960 |
| LinkerVersion: | 48 |
| PEType: | PE32 |
| ImageFileCharacteristics: | Executable, Large address aware, 32-bit |
| TimeStamp: | 2053:02:19 18:54:36+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
| Property | Value |
|---|---|
| Architecture: | IMAGE_FILE_MACHINE_I386 |
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 19-Feb-2053 18:54:36 |
| Comments: | Payload for Umbral Stealer |
| CompanyName: | - |
| FileDescription: | - |
| FileVersion: | 1.0.0.0 |
| InternalName: | - |
| LegalCopyright: | - |
| LegalTrademarks: | - |
| OriginalFilename: | - |
| ProductName: | - |
| ProductVersion: | 1.0.0.0 |
| Assembly Version: | 1.0.0.0 |
| Property | Value |
|---|---|
| Magic number: | MZ |
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000080 |
| Property | Value |
|---|---|
| Signature: | PE |
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 3 |
| Time date stamp: | 19-Feb-2053 18:54:36 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: | |
| Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|
| .text | 0x00002000 | 0x00038DE4 | 0x00038E00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.0866 |
| .rsrc | 0x0003C000 | 0x00000550 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.57501 |
| .reloc | 0x0003E000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191 |
| Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
| 1 | 5.00112 | 490 | Latin 1 / Western European | UNKNOWN | RT_MANIFEST |
| Imports |
|---|
| mscoree.dll |
| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2544 | "C:\Users\admin\AppData\Local\Temp\twojmatka.exe" | C:\Users\admin\AppData\Local\Temp\twojmatka.exe | | explorer.exe |

| Property | Value |
|---|---|
| User: | admin |
| Integrity Level: | MEDIUM |
| Exit code: | 0 |
| Version: | 1.0.0.0 |

Modules
BlackGuard(PID) Process(2544) twojmatka.exe C2 (5)https://discord.com/api/v10/users/@me https://discord.com/api/v10/users/@me/outbound-promotions/codes https://discordapp.com/api/v9/users/@me/billing/payment-sources https://github.com/Blank-c/Umbral-Stealer https://gstatic.com Strings (493){{ Key = {0}, Value = {1} }} Invalid JSON string utf32 The argument must be from 0 to 0x10FFFF. The argument must not be in surrogate pair range. 0123456789+-.eE false true null type input yyyy-MM-dd\THH:mm:ss.FFFFFFF\Z yyyy-MM-dd\THH:mm:ss\Z yyyy-MM-dd\THH:mm:ssK virustotal.com avast.com totalav.com scanguard.com totaladblock.com pcprotect.com mcafee.com bitdefender.com us.norton.com avg.com malwarebytes.com pandasecurity.com avira.com norton.com eset.com zillya.com kaspersky.com usa.kaspersky.com sophos.com home.sophos.com adaware.com bullguard.com clamav.net drweb.com emsisoft.com f-secure.com zonealarm.com trendmicro.com ccleaner.com systemroot System32 drivers hosts .ligma Games Minecraft Wallets Messenger Telegram Discord Discord Accounts.txt Display Webcam Browsers Passwords Brave Passwords.txt Chrome Passwords.txt Chromium Passwords.txt Comodo Dragon Passwords.txt Edge Passwords.txt Epic Privacy Passwords.txt Iridium Passwords.txt Opera Passwords.txt Opera GX Passwords.txt Slimjet Passwords.txt UR Browser Passwords.txt Vivaldi Passwords.txt Yandex Passwords.txt Cookies Brave Cookies.txt Chrome Cookies.txt Chromium Cookies.txt Comodo Dragon Cookies.txt Edge Cookies.txt Epic Privacy Cookies.txt Iridium Cookies.txt Opera Cookies.txt Opera GX Cookies.txt Slimjet Cookies.txt UR Browser Cookies.txt Vivaldi Cookies.txt Yandex Cookies.txt Roblox Roblox Cookies.txt Discord Tokens Minecraft Session Files Roblox Cookies Screenshots Telegram Sessions Could not compress file aEdid1R1SDM5THFTbEVpTDZiYzl2VmN4Nm1KTWpzWEU= aEdid1R1SDM5THFT 
+jvejl4VTooU5A5J6b+J7qqKkoIhYK0pY/MoGn87II2S2b0Z3D7IrTVcWVSN2/Y5pDD27RojlYULPuNB5ml1bpyycqqH85oYXHn4YMJ6gAA1ITv8WWcM+wIKyGJYHCsyoO279rXvm+7IPE6++4l5XsxENaeM8Pdns43Su3xqadri1jI4b94XINY= 5H6EzWTvVmJmxPF+HU5noXehMA8= 2HjMqHVHF+dEwxJl/vyEpq6dxu772br9S0G96R08nETG1yYY wmic.exe os get Caption computersystem get totalphysicalmemory csproduct get uuid powershell.exe Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER wmic path win32_VideoController get name http://ip-api.com/json/?fields=225545 country regionName timezone reverse mobile proxy query @everyone Umbral Stealer Umbral Stealer | https://github.com/Blank-c/Umbral-Stealer application/json Opera/9.80 (Windows NT 6.1; YB/4.0.0) Presto/2.12.388 Version/12.17 application/zip ~)^ Umbral- .zip args instance value Assign _\|WARNING:-DO-NOT-SHARE-THIS.--Sharing-this-will-allow-someone-to-log-in-as-you-and-to-steal-your-ROBUX-and-items\.\|_[A-Z0-9]+ HKCU HKLN Get-ItemPropertyValue -Path :SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY userprofile Intent intentlauncher launcherconfig Lunar .lunarclient settings game accounts.json TLauncher .minecraft TlauncherProfiles.json Feather .feather Meteor meteor-client accounts.nbt Impact alts.json Novoline .minectaft alts.novo CheatBreakers cheatbreaker_accounts.json Microsoft Store launcher_accounts_microsoft_store.json alts.txt Rise (Intent) Paladium paladium-group PolyMC Badlion Badlion Client Source.txt Source: Failed getting current directory 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz .scr ==================Umbral Stealer================== -{0} .png FALSE (None) Gift Codes: (None) Add-MpPreference -ExclusionPath ' Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled 
-SubmitSamplesConsent NeverSend && powershell S... runas This application requires administrative permissions to run correctly. Please restart the application with administrative permissions. Error Another instance of the application is already running. cmd.exe /c ping localhost && del /F /A h " " && pause attrib.exe +h +s " index array SQLite format 3 Not a valid SQLite 3 Database File Auto-vacuum capable database is not supported table UNIQUE USB camera is not available. cameraIndex VideoCapture SampleGrabber NullRenderer no IAMStreamConfig interface. no VIDEO_STREAM_CONFIG_CAPS. Available={0}, Min={1}, Max={2}, Step={3}, Default={4}, Flags={5} no IAMCameraControl Interface. no IAMVideoProcAmp Interface. {0}, {1}, {2}, {3}, {4} {0}, {0}={1}, can't create filter. can't fild pin. {{{0}, {1}}} {{{0}, {1}, {2}, {3}}} [{0}] {73646976-0000-0010-8000-00AA00389B71} {73647561-0000-0010-8000-00AA00389B71} {E436EB8E-524F-11CE-9F53-0020AF0BA770} {56595559-0000-0010-8000-00AA00389B71} {56555949-0000-0010-8000-00AA00389B71} {39555659-0000-0010-8000-00AA00389B71} {32595559-0000-0010-8000-00AA00389B71} {55595659-0000-0010-8000-00AA00389B71} {59565955-0000-0010-8000-00AA00389B71} {47504A4D-0000-0010-8000-00AA00389B71} {E436EB7B-524F-11CE-9F53-0020AF0BA770} {E436EB7C-524F-11CE-9F53-0020AF0BA770} {E436EB7D-524F-11CE-9F53-0020AF0BA770} {E436EB7E-524F-11CE-9F53-0020AF0BA770} {773C9AC0-3274-11D0-B724-00AA006C1A01} {00000001-0000-0010-8000-00AA00389B71} {E436EB8B-524F-11CE-9F53-0020AF0BA770} {0F6417D6-C318-11D0-A43F-00A0C9223196} {05589F80-C356-11CE-BF01-00AA0055595A} {F72A76A0-EB0A-11d0-ACE4-0000C0CC16BA} {05589F81-C356-11CE-BF01-00AA0055595A} {33D9A762-90C8-11d0-BD43-00A0C911CE86} {E0F158E1-CB04-11d0-BD4E-00A0C911CE86} {860BB310-5D01-11d0-BD3B-00A0C911CE86} {33D9A760-90C8-11d0-BD43-00A0C911CE86} {C1F400A4-3F08-11D3-9F0B-006008039E37} {C1F400A0-3F08-11D3-9F0B-006008039E37} {E436EBB3-524F-11CE-9F53-0020AF0BA770} {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 
{BF87B6E1-8C27-11d0-B3F0-00AA003761C5} {55272A00-42CB-11CE-8135-00AA004BB851} {56a86895-0ad4-11ce-b03a-0020af0ba770} {C6E13340-30AC-11d0-A18C-00A0C9118956} {fb6c4281-0353-11d1-905f-0000c0cc16ba} {fb6c4282-0353-11d1-905f-0000c0cc16ba} {fb6c428a-0353-11d1-905f-0000c0cc16ba} 9b00f101-1567-11d1-b3f1-00aa003761c5 FriendlyName appdata Telegram Desktop tdata key_datas leveldb *.sqlite premium_type username discriminator mfa_enabled email (Not Found) phone verified No Nitro Nitro Classic Nitro Nitro Basic (Unknown) [\w-]{24,26}\.[\w-]{6}\.[\w-]{25,110} Card Paypal code promotion outbound_title .log .ldb dQw4w9WgXcQ:[^.*\['(.*)'\].*$][^"]* Local State Local Storage os_crypt encrypted_key dQw4w9WgXcQ: discord Discord Canary discordcanary Lightcord Discord PTB discordptb Opera Opera Software Opera Stable Opera GX Opera GX Stable Amigo User Data Torch Kometa Orbitum CentBrowse CentBrowser 7Sta 7Star Sputnik Vivaldi Chrome SxS Google Chrome FireFox Mozilla Firefox Profiles Epic Privacy Browse Epic Privacy Browser Microsoft Edge Microsoft Edge Uran uCozMedia Yandex YandexBrowser Brave BraveSoftware Brave-Browser Iridium localappdata Zcash Armory Bytecoin Jaxx com.liberty.jaxx IndexedDB file_0.indexeddb.leveldb Exodus exodus.wallet Ethereum keystore Electrum wallets AtomicWallet atomic Guarda Coinomi Login Data cookies host_key name path encrypted_value expires_utc logins origin_url username_value password_value Chromium Comodo Dragon Slimjet UR Browser http://ip-api.com/line/?fields=hosting 7AB5C494-39F5-4941-9163-47F54D6D5016 032E02B4-0499-05C3-0806-3C0700080009 03DE0294-0480-05DE-1A06-350700080009 11111111-2222-3333-4444-555555555555 6F3CA5EC-BEC9-4A4D-8274-11168F640058 ADEEEE9E-EF0A-6B84-B14B-B83A54AFC548 4C4C4544-0050-3710-8058-CAC04F59344A 00000000-0000-0000-0000-AC1F6BD04972 49434D53-0200-9065-2500-65902500E439 49434D53-0200-9036-2500-36902500F022 00000000-0000-0000-0000-000000000000 5BD24D56-789F-8468-7CDC-CAA7222CC121 777D84B3-88D1-451C-93E4-D235177420A7 
49434D53-0200-9036-2500-369025000C65 B1112042-52E8-E25B-3655-6A4F54155DBF 00000000-0000-0000-0000-AC1F6BD048FE EB16924B-FB6D-4FA1-8666-17B91F62FB37 A15A930C-8251-9645-AF63-E45AD728C20C 67E595EB-54AC-4FF0-B5E3-3DA7C7B547E3 C7D23342-A5D4-68A1-59AC-CF40F735B363 63203342-0EB0-AA1A-4DF5-3FB37DBB0670 44B94D56-65AB-DC02-86A0-98143A7423BF 6608003F-ECE4-494E-B07E-1C4615D1D93C D9142042-8F51-5EFF-D5F8-EE9AE3D1602A 49434D53-0200-9036-2500-369025003AF0 8B4E8278-525C-7343-B825-280AEBCD3BCB 4D4DDC94-E06C-44F4-95FE-33A1ADA5AC27 79AF5279-16CF-4094-9758-F88A616D81B4 FE822042-A70C-D08B-F1D1-C207055A488F 76122042-C286-FA81-F0A8-514CC507B250 481E2042-A1AF-D390-CE06-A8F783B1E76A F3988356-32F5-4AE1-8D47-FD3B8BAFBD4C 9961A120-E691-4FFE-B67B-F0E4115D5919 bee7370c-8c0c-4 desktop-nakffmt win-5e07cos9alr b30f0242-1c6a-4 desktop-vrsqlag q9iatrkprh xc64zb desktop-d019gdm desktop-wi8clet server1 lisa-pc john-pc desktop-b0t93d6 desktop-1pykp29 desktop-1y2433r wileypc work 6c4e733f-c2d9-4 ralphs-pc desktop-wg3myjs desktop-7xc6gez desktop-5ov9s0o qarzhrdbpj oreleepc archibaldpc julia-pc d1bnjkfvlh compname_5076 desktop-vkeons4 NTT-EFF-2W11WSS wdagutilityaccount abby peter wilson hmarc patex rdhj0cnfevzx keecfmwgj frank 8nl0colnq5bq lisa john george pxmduopvyx 8vizsm w0fjuovmccp5a lmvwjj9b pqonjhvwexss 3u2v9m8 julia heuerzl harry johnson j.seance a.monaldo fakenet dumpcap httpdebuggerui wireshark fiddler vboxservice df5serv vboxtray vmtoolsd vmwaretray ida64 ollydbg pestudio vmwareuser vgauthservice vmacthlp x96dbg vmsrvc x32dbg vmusrvc prl_cc prl_tools xenservice qemu-ga joeboxcontrol ksdumperclient ksdumper joeboxserver vmwareservice discordtokenprotector taskmgr BCrypt.BCryptDecrypt() (get size) failed with status code: {0} BCrypt.BCryptDecrypt(): authentication tag mismatch BCrypt.BCryptDecrypt() failed with status code:{0} BCrypt.BCryptOpenAlgorithmProvider() failed with status code:{0} BCrypt.BCryptSetAlgorithmProperty(BCrypt.BCRYPT_CHAINING_MODE, BCrypt.BCRYPT_CHAIN_MODE_GCM) failed with 
status code:{0} BCrypt.BCryptImportKey() failed with status code:{0} BCrypt.BCryptGetProperty() (get size) failed with status code:{0} BCrypt.BCryptGetProperty() failed with status code:{0} ObjectLength ChainingModeGCM AuthTagLength ChainingMode KeyDataBlob Microsoft Primitive Provider
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4008 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 2544 | twojmatka.exe | 172.217.18.3:443 | gstatic.com | GOOGLE | US | whitelisted |
| 1076 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| gstatic.com | | whitelisted |