umbral | 19eae6936192eec5f6c219f1c759646c73c7133137ab6297a84553c7c92ae203

Analysis

max time kernel
99s
max time network
85s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
26-06-2024 07:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SolaraBootstrapper.exe
Size

7.1MB
MD5

54f95f450352500a4b29ffcfd73321d3
SHA1

191665dc5293c3936218d0bb7a6469781121cf4b
SHA256

19eae6936192eec5f6c219f1c759646c73c7133137ab6297a84553c7c92ae203
SHA512

25903a78e28d4ea37ad6a7bb623880a86464e0d163f9bbf1bb43b559316152e01de55d727c359f9d129946b93de75b17f5c4116ad31d2126c29fd7c8d812509a
SSDEEP

196608:zhhDmMPuq//hu0LDdxgekzhdj+Ib1SBaeycFOOmi:9ZmUu+pu6xKvn5SBnt0i

Score

10^/10

umbral stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000500000002a997-7.dat	family_umbral
behavioral2/memory/972-23-0x000002A17A560000-0x000002A17A5A0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 64 IoCs

pid	Process
972	Umbral.exe
2372	Client.exe
2572	Umbral.exe
4544	Client.exe
2768	Umbral.exe
4672	Client.exe
2912	Umbral.exe
1340	Client.exe
4536	Umbral.exe
2668	Client.exe
2136	Umbral.exe
228	Client.exe
4488	Umbral.exe
3356	Client.exe
4296	Umbral.exe
4080	Client.exe
1908	Umbral.exe
2868	Client.exe
1472	Umbral.exe
3152	Client.exe
2964	Umbral.exe
2804	Client.exe
4796	Umbral.exe
2448	Client.exe
4580	Umbral.exe
5060	Client.exe
1728	Umbral.exe
736	Client.exe
2956	Umbral.exe
2332	Client.exe
4940	Umbral.exe
840	Client.exe
4792	Umbral.exe
3960	Client.exe
4496	Umbral.exe
2276	Client.exe
2800	Umbral.exe
4864	Client.exe
1476	Umbral.exe
2892	Client.exe
2896	Umbral.exe
4340	Client.exe
568	Umbral.exe
3724	Client.exe
436	Umbral.exe
4580	Client.exe
2304	Umbral.exe
3132	Client.exe
736	Umbral.exe
240	Client.exe
236	Umbral.exe
2068	Client.exe
3568	Umbral.exe
4912	Client.exe
2632	Umbral.exe
4236	Client.exe
3116	Umbral.exe
2512	Client.exe
1740	Umbral.exe
1976	Client.exe
5088	Umbral.exe
4948	Client.exe
1472	Umbral.exe
1724	Client.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	972	Umbral.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 4988	3032	SolaraBootstrapper.exe	78
PID 3032 wrote to memory of 4988	3032	SolaraBootstrapper.exe	78
PID 3032 wrote to memory of 972	3032	SolaraBootstrapper.exe	79
PID 3032 wrote to memory of 972	3032	SolaraBootstrapper.exe	79
PID 3032 wrote to memory of 2372	3032	SolaraBootstrapper.exe	80
PID 3032 wrote to memory of 2372	3032	SolaraBootstrapper.exe	80
PID 4988 wrote to memory of 3368	4988	SolaraBootstrapper.exe	82
PID 4988 wrote to memory of 3368	4988	SolaraBootstrapper.exe	82
PID 4988 wrote to memory of 2572	4988	SolaraBootstrapper.exe	83
PID 4988 wrote to memory of 2572	4988	SolaraBootstrapper.exe	83
PID 4988 wrote to memory of 4544	4988	SolaraBootstrapper.exe	84
PID 4988 wrote to memory of 4544	4988	SolaraBootstrapper.exe	84
PID 3368 wrote to memory of 2292	3368	SolaraBootstrapper.exe	85
PID 3368 wrote to memory of 2292	3368	SolaraBootstrapper.exe	85
PID 3368 wrote to memory of 2768	3368	SolaraBootstrapper.exe	86
PID 3368 wrote to memory of 2768	3368	SolaraBootstrapper.exe	86
PID 3368 wrote to memory of 4672	3368	SolaraBootstrapper.exe	87
PID 3368 wrote to memory of 4672	3368	SolaraBootstrapper.exe	87
PID 2292 wrote to memory of 1440	2292	SolaraBootstrapper.exe	88
PID 2292 wrote to memory of 1440	2292	SolaraBootstrapper.exe	88
PID 2292 wrote to memory of 2912	2292	SolaraBootstrapper.exe	89
PID 2292 wrote to memory of 2912	2292	SolaraBootstrapper.exe	89
PID 2292 wrote to memory of 1340	2292	SolaraBootstrapper.exe	90
PID 2292 wrote to memory of 1340	2292	SolaraBootstrapper.exe	90
PID 1440 wrote to memory of 908	1440	SolaraBootstrapper.exe	91
PID 1440 wrote to memory of 908	1440	SolaraBootstrapper.exe	91
PID 1440 wrote to memory of 4536	1440	SolaraBootstrapper.exe	92
PID 1440 wrote to memory of 4536	1440	SolaraBootstrapper.exe	92
PID 1440 wrote to memory of 2668	1440	SolaraBootstrapper.exe	93
PID 1440 wrote to memory of 2668	1440	SolaraBootstrapper.exe	93
PID 908 wrote to memory of 4596	908	SolaraBootstrapper.exe	94
PID 908 wrote to memory of 4596	908	SolaraBootstrapper.exe	94
PID 908 wrote to memory of 2136	908	SolaraBootstrapper.exe	95
PID 908 wrote to memory of 2136	908	SolaraBootstrapper.exe	95
PID 908 wrote to memory of 228	908	SolaraBootstrapper.exe	96
PID 908 wrote to memory of 228	908	SolaraBootstrapper.exe	96
PID 4596 wrote to memory of 1484	4596	SolaraBootstrapper.exe	97
PID 4596 wrote to memory of 1484	4596	SolaraBootstrapper.exe	97
PID 4596 wrote to memory of 4488	4596	SolaraBootstrapper.exe	98
PID 4596 wrote to memory of 4488	4596	SolaraBootstrapper.exe	98
PID 4596 wrote to memory of 3356	4596	SolaraBootstrapper.exe	99
PID 4596 wrote to memory of 3356	4596	SolaraBootstrapper.exe	99
PID 1484 wrote to memory of 5092	1484	SolaraBootstrapper.exe	100
PID 1484 wrote to memory of 5092	1484	SolaraBootstrapper.exe	100
PID 1484 wrote to memory of 4296	1484	SolaraBootstrapper.exe	101
PID 1484 wrote to memory of 4296	1484	SolaraBootstrapper.exe	101
PID 1484 wrote to memory of 4080	1484	SolaraBootstrapper.exe	102
PID 1484 wrote to memory of 4080	1484	SolaraBootstrapper.exe	102
PID 5092 wrote to memory of 1344	5092	SolaraBootstrapper.exe	103
PID 5092 wrote to memory of 1344	5092	SolaraBootstrapper.exe	103
PID 5092 wrote to memory of 1908	5092	SolaraBootstrapper.exe	104
PID 5092 wrote to memory of 1908	5092	SolaraBootstrapper.exe	104
PID 5092 wrote to memory of 2868	5092	SolaraBootstrapper.exe	105
PID 5092 wrote to memory of 2868	5092	SolaraBootstrapper.exe	105
PID 1344 wrote to memory of 2900	1344	SolaraBootstrapper.exe	106
PID 1344 wrote to memory of 2900	1344	SolaraBootstrapper.exe	106
PID 1344 wrote to memory of 1472	1344	SolaraBootstrapper.exe	107
PID 1344 wrote to memory of 1472	1344	SolaraBootstrapper.exe	107
PID 1344 wrote to memory of 3152	1344	SolaraBootstrapper.exe	108
PID 1344 wrote to memory of 3152	1344	SolaraBootstrapper.exe	108
PID 2900 wrote to memory of 3532	2900	SolaraBootstrapper.exe	109
PID 2900 wrote to memory of 3532	2900	SolaraBootstrapper.exe	109
PID 2900 wrote to memory of 2964	2900	SolaraBootstrapper.exe	110
PID 2900 wrote to memory of 2964	2900	SolaraBootstrapper.exe	110

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1440
      - C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        12⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        13⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        14⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        15⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        16⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        17⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        18⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        19⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        20⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        21⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        22⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        23⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        24⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        25⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        26⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        27⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        28⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        29⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        30⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        31⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        32⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        33⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        34⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        35⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        36⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        37⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        38⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        39⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        40⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        41⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        42⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        43⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        44⤵
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
        45⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        45⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        45⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        44⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        44⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        43⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        43⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        42⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        41⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        41⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        40⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        39⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        38⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        38⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        37⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        36⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        35⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        35⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        34⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        34⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        33⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        32⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        31⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        31⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        Executes dropped EXE
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        30⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        29⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        29⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        28⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        27⤵
        Executes dropped EXE
        
        PID:236
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        27⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        Executes dropped EXE
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        26⤵
        Executes dropped EXE
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        Executes dropped EXE
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        25⤵
        Executes dropped EXE
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        24⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        Executes dropped EXE
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        23⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        22⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        21⤵
        Executes dropped EXE
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Executes dropped EXE
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        20⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Executes dropped EXE
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        19⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Executes dropped EXE
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        18⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        Executes dropped EXE
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        17⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        16⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        15⤵
        Executes dropped EXE
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Executes dropped EXE
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        14⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Executes dropped EXE
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        13⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        12⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        11⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        10⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        9⤵
        Executes dropped EXE
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        8⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        7⤵
        Executes dropped EXE
        
        PID:228
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Executes dropped EXE
        
        PID:4536
      - C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        6⤵
        Executes dropped EXE
        
        PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Executes dropped EXE
        
        PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\Client.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
        5⤵
        Executes dropped EXE
        
        PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:2768
  - - C:\Users\Admin\AppData\Local\Temp\Client.exe
      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
      4⤵
      Executes dropped EXE
      PID:4672
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\Users\Admin\AppData\Local\Temp\Client.exe
    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
    3⤵
    - Executes dropped EXE
    PID:4544
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:972
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
871B

MD5
bc4e798e428bf600621ffa361da29e88

SHA1
60c6bbe3f8dd34346f4b917d540bf23d7e388d0c

SHA256
e581886635b44fab5f83b1267283d3718cfd5b1663c888bd43723d3735d13d61

SHA512
f311add74aea7f96f9face313710328846f49131c97568ee556bd31447036c29c08e6953394fe8dcb0fc072bb19dcb6e72dcf26c0519cec26056da0e869127c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaraBootstrapper.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
b51beb4423c86427f672916554030c47

SHA1
9b97736d8434b62ef627a4ee8484e26c719924a8

SHA256
df796564c34fb36085aa25452d44ead56fba39aa18e80cb4ba1c30becca0dfea

SHA512
262fc9e9cddee9ae3c733bb961f44f27628783961db101aabc868765ba0e2aafdcb8f9b689f1abd4613836ed9cf3064e92cbd10495c83fe04dd2a496db3485d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
254KB

MD5
57d823c61903106d7ec4c29cd30df04f

SHA1
b9fc7f9ba1ba1b6d308615be86df9a8e460f85d5

SHA256
62b29230fa9a240ccc2b02ebfb4e83c9cdbb7d95a0a53e9b9df3c699e8d23dab

SHA512
0cd94a8f2f58b2f99134920e14a3569f96ffa3febe35f33f03c44b6109d2b1c7d63ea37f53cce86aba1a2a2ce4030f2cf01bf5ef89bf0f1b2d7795490556a2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
232KB

MD5
d534b7ce43629032d053b5c88122e761

SHA1
161b697296b3225d2e0116729e3f493660a48196

SHA256
f867a240eab1d2993a2a0917e1ba63d9156e66ad637d0a500afc0347c5172075

SHA512
ffbbe9f7f4890c4f9b17142a81a5b724a15373a6fab89bf46a2e28068c89b96cec0cebaf4248ff10b21c826f003c6090aeea7fc80f42137961f3efb7cd708f15

Download Submit
memory/972-23-0x000002A17A560000-0x000002A17A5A0000-memory.dmp

Filesize
256KB

Download
memory/972-29-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp

Filesize
10.8MB

Download
memory/972-169-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp

Filesize
10.8MB

Download
memory/2372-28-0x0000000000630000-0x0000000000676000-memory.dmp

Filesize
280KB

Download
memory/3032-30-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp

Filesize
10.8MB

Download
memory/3032-0-0x00007FFFFD683000-0x00007FFFFD685000-memory.dmp

Filesize
8KB

Download
memory/3032-2-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp

Filesize
10.8MB

Download
memory/3032-1-0x0000000000980000-0x00000000010A6000-memory.dmp

Filesize
7.1MB

Download
memory/4988-11-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp

Filesize
10.8MB

Download
memory/4988-47-0x00007FFFFD680000-0x00007FFFFE142000-memory.dmp

Filesize
10.8MB

Download