umbral | 80a2a856062d5fdfc9a8d3f68fe717e5128f87ea9fe286e545f45886e1c4ab17

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-06-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solaro.exe
Size

513KB
MD5

b9a7b8d97ac9e492b592e723c47f3f71
SHA1

840d72ade351c907ef21ffc9c87f948016219286
SHA256

80a2a856062d5fdfc9a8d3f68fe717e5128f87ea9fe286e545f45886e1c4ab17
SHA512

4c1cc3b0ef59a4689d2b70778360737c9fc86b4ed0395f303cf4a9a3ae27a1aee8b1140907953c12ba58ffac7709d9e895578a64dd0547f5d14c4cd5d29ae1e9
SSDEEP

12288:cSgkiATxhl6E41yG5uuo0kD4qiGLJROQZZMQPX:3gkiAUhRYuw4HG9XZ+

Score

10^/10

umbral stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1255440152264708116/e78YrGll2h6-MFL5WBXh0buoJQb4Q69Z5cO34I92dvicPnzPfxpjHhlb2KFfvFVxGUhf

Signatures

Detect Umbral payload 35 IoCs

resource	yara_rule
behavioral1/memory/2160-14-0x00000000002A0000-0x00000000002E0000-memory.dmp	family_umbral
behavioral1/files/0x0009000000015018-13.dat	family_umbral
behavioral1/memory/1796-42-0x00000000010A0000-0x00000000010E0000-memory.dmp	family_umbral
behavioral1/memory/876-51-0x0000000000D80000-0x0000000000DC0000-memory.dmp	family_umbral
behavioral1/memory/3052-60-0x0000000000AB0000-0x0000000000AF0000-memory.dmp	family_umbral
behavioral1/memory/2004-69-0x0000000000FF0000-0x0000000001030000-memory.dmp	family_umbral
behavioral1/memory/2608-78-0x0000000001360000-0x00000000013A0000-memory.dmp	family_umbral
behavioral1/memory/2156-87-0x0000000000820000-0x0000000000860000-memory.dmp	family_umbral
behavioral1/memory/1308-96-0x0000000001020000-0x0000000001060000-memory.dmp	family_umbral
behavioral1/memory/2444-105-0x0000000000160000-0x00000000001A0000-memory.dmp	family_umbral
behavioral1/memory/868-114-0x0000000000060000-0x00000000000A0000-memory.dmp	family_umbral
behavioral1/memory/2068-123-0x00000000013B0000-0x00000000013F0000-memory.dmp	family_umbral
behavioral1/memory/2644-132-0x0000000000D40000-0x0000000000D80000-memory.dmp	family_umbral
behavioral1/memory/2156-139-0x0000000000920000-0x0000000000960000-memory.dmp	family_umbral
behavioral1/memory/1752-143-0x0000000000100000-0x0000000000140000-memory.dmp	family_umbral
behavioral1/memory/1852-147-0x0000000000F70000-0x0000000000FB0000-memory.dmp	family_umbral
behavioral1/memory/1560-151-0x0000000000300000-0x0000000000340000-memory.dmp	family_umbral
behavioral1/memory/1172-155-0x0000000000F30000-0x0000000000F70000-memory.dmp	family_umbral
behavioral1/memory/1168-159-0x0000000001310000-0x0000000001350000-memory.dmp	family_umbral
behavioral1/memory/572-163-0x00000000002D0000-0x0000000000310000-memory.dmp	family_umbral
behavioral1/memory/108-167-0x00000000008A0000-0x00000000008E0000-memory.dmp	family_umbral
behavioral1/memory/2964-171-0x0000000000390000-0x00000000003D0000-memory.dmp	family_umbral
behavioral1/memory/1828-175-0x00000000008E0000-0x0000000000920000-memory.dmp	family_umbral
behavioral1/memory/1780-179-0x0000000001150000-0x0000000001190000-memory.dmp	family_umbral
behavioral1/memory/2772-183-0x0000000000FE0000-0x0000000001020000-memory.dmp	family_umbral
behavioral1/memory/2112-187-0x0000000001100000-0x0000000001140000-memory.dmp	family_umbral
behavioral1/memory/1796-191-0x00000000009C0000-0x0000000000A00000-memory.dmp	family_umbral
behavioral1/memory/2356-195-0x0000000000B90000-0x0000000000BD0000-memory.dmp	family_umbral
behavioral1/memory/2856-199-0x0000000000F40000-0x0000000000F80000-memory.dmp	family_umbral
behavioral1/memory/944-203-0x0000000000CF0000-0x0000000000D30000-memory.dmp	family_umbral
behavioral1/memory/2460-207-0x0000000001120000-0x0000000001160000-memory.dmp	family_umbral
behavioral1/memory/1776-211-0x0000000000120000-0x0000000000160000-memory.dmp	family_umbral
behavioral1/memory/1904-215-0x0000000000E20000-0x0000000000E60000-memory.dmp	family_umbral
behavioral1/memory/2144-219-0x00000000009F0000-0x0000000000A30000-memory.dmp	family_umbral
behavioral1/memory/2824-223-0x0000000000EA0000-0x0000000000EE0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Executes dropped EXE 64 IoCs

pid	Process
2772	SolaroB.exe
2160	Umbral.exe
2632	SolaroB.exe
2620	Umbral.exe
2540	SolaroB.exe
2396	Umbral.exe
928	SolaroB.exe
1796	Umbral.exe
320	SolaroB.exe
932	Umbral.exe
2184	SolaroB.exe
876	Umbral.exe
1228	SolaroB.exe
572	Umbral.exe
496	SolaroB.exe
3052	Umbral.exe
1888	SolaroB.exe
1664	Umbral.exe
1180	SolaroB.exe
2004	Umbral.exe
2968	SolaroB.exe
2988	Umbral.exe
3016	SolaroB.exe
2608	Umbral.exe
2484	SolaroB.exe
2524	Umbral.exe
1084	SolaroB.exe
2156	Umbral.exe
936	SolaroB.exe
2812	Umbral.exe
1256	SolaroB.exe
1308	Umbral.exe
2276	SolaroB.exe
268	Umbral.exe
444	SolaroB.exe
2444	Umbral.exe
1800	SolaroB.exe
348	Umbral.exe
2852	SolaroB.exe
868	Umbral.exe
1564	SolaroB.exe
1860	Umbral.exe
2888	SolaroB.exe
2068	Umbral.exe
2836	SolaroB.exe
2468	Umbral.exe
1624	SolaroB.exe
2644	Umbral.exe
1972	SolaroB.exe
2572	Umbral.exe
2676	SolaroB.exe
2156	Umbral.exe
484	SolaroB.exe
2232	Umbral.exe
1796	SolaroB.exe
1752	Umbral.exe
2668	SolaroB.exe
1916	Umbral.exe
1856	SolaroB.exe
1852	Umbral.exe
752	SolaroB.exe
1164	Umbral.exe
1828	SolaroB.exe
1560	Umbral.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Umbral.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Umbral.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Umbral.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Umbral.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	Umbral.exe
Token: SeIncreaseQuotaPrivilege	1848	wmic.exe
Token: SeSecurityPrivilege	1848	wmic.exe
Token: SeTakeOwnershipPrivilege	1848	wmic.exe
Token: SeLoadDriverPrivilege	1848	wmic.exe
Token: SeSystemProfilePrivilege	1848	wmic.exe
Token: SeSystemtimePrivilege	1848	wmic.exe
Token: SeProfSingleProcessPrivilege	1848	wmic.exe
Token: SeIncBasePriorityPrivilege	1848	wmic.exe
Token: SeCreatePagefilePrivilege	1848	wmic.exe
Token: SeBackupPrivilege	1848	wmic.exe
Token: SeRestorePrivilege	1848	wmic.exe
Token: SeShutdownPrivilege	1848	wmic.exe
Token: SeDebugPrivilege	1848	wmic.exe
Token: SeSystemEnvironmentPrivilege	1848	wmic.exe
Token: SeRemoteShutdownPrivilege	1848	wmic.exe
Token: SeUndockPrivilege	1848	wmic.exe
Token: SeManageVolumePrivilege	1848	wmic.exe
Token: 33	1848	wmic.exe
Token: 34	1848	wmic.exe
Token: 35	1848	wmic.exe
Token: SeIncreaseQuotaPrivilege	1848	wmic.exe
Token: SeSecurityPrivilege	1848	wmic.exe
Token: SeTakeOwnershipPrivilege	1848	wmic.exe
Token: SeLoadDriverPrivilege	1848	wmic.exe
Token: SeSystemProfilePrivilege	1848	wmic.exe
Token: SeSystemtimePrivilege	1848	wmic.exe
Token: SeProfSingleProcessPrivilege	1848	wmic.exe
Token: SeIncBasePriorityPrivilege	1848	wmic.exe
Token: SeCreatePagefilePrivilege	1848	wmic.exe
Token: SeBackupPrivilege	1848	wmic.exe
Token: SeRestorePrivilege	1848	wmic.exe
Token: SeShutdownPrivilege	1848	wmic.exe
Token: SeDebugPrivilege	1848	wmic.exe
Token: SeSystemEnvironmentPrivilege	1848	wmic.exe
Token: SeRemoteShutdownPrivilege	1848	wmic.exe
Token: SeUndockPrivilege	1848	wmic.exe
Token: SeManageVolumePrivilege	1848	wmic.exe
Token: 33	1848	wmic.exe
Token: 34	1848	wmic.exe
Token: 35	1848	wmic.exe
Token: SeDebugPrivilege	1796	Umbral.exe
Token: SeIncreaseQuotaPrivilege	2188	wmic.exe
Token: SeSecurityPrivilege	2188	wmic.exe
Token: SeTakeOwnershipPrivilege	2188	wmic.exe
Token: SeLoadDriverPrivilege	2188	wmic.exe
Token: SeSystemProfilePrivilege	2188	wmic.exe
Token: SeSystemtimePrivilege	2188	wmic.exe
Token: SeProfSingleProcessPrivilege	2188	wmic.exe
Token: SeIncBasePriorityPrivilege	2188	wmic.exe
Token: SeCreatePagefilePrivilege	2188	wmic.exe
Token: SeBackupPrivilege	2188	wmic.exe
Token: SeRestorePrivilege	2188	wmic.exe
Token: SeShutdownPrivilege	2188	wmic.exe
Token: SeDebugPrivilege	2188	wmic.exe
Token: SeSystemEnvironmentPrivilege	2188	wmic.exe
Token: SeRemoteShutdownPrivilege	2188	wmic.exe
Token: SeUndockPrivilege	2188	wmic.exe
Token: SeManageVolumePrivilege	2188	wmic.exe
Token: 33	2188	wmic.exe
Token: 34	2188	wmic.exe
Token: 35	2188	wmic.exe
Token: SeIncreaseQuotaPrivilege	2188	wmic.exe
Token: SeSecurityPrivilege	2188	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2772	2880	Solaro.exe	28
PID 2880 wrote to memory of 2772	2880	Solaro.exe	28
PID 2880 wrote to memory of 2772	2880	Solaro.exe	28
PID 2880 wrote to memory of 2160	2880	Solaro.exe	29
PID 2880 wrote to memory of 2160	2880	Solaro.exe	29
PID 2880 wrote to memory of 2160	2880	Solaro.exe	29
PID 2772 wrote to memory of 2632	2772	SolaroB.exe	30
PID 2772 wrote to memory of 2632	2772	SolaroB.exe	30
PID 2772 wrote to memory of 2632	2772	SolaroB.exe	30
PID 2772 wrote to memory of 2620	2772	SolaroB.exe	31
PID 2772 wrote to memory of 2620	2772	SolaroB.exe	31
PID 2772 wrote to memory of 2620	2772	SolaroB.exe	31
PID 2632 wrote to memory of 2540	2632	SolaroB.exe	32
PID 2632 wrote to memory of 2540	2632	SolaroB.exe	32
PID 2632 wrote to memory of 2540	2632	SolaroB.exe	32
PID 2632 wrote to memory of 2396	2632	SolaroB.exe	33
PID 2632 wrote to memory of 2396	2632	SolaroB.exe	33
PID 2632 wrote to memory of 2396	2632	SolaroB.exe	33
PID 2160 wrote to memory of 1848	2160	Umbral.exe	34
PID 2160 wrote to memory of 1848	2160	Umbral.exe	34
PID 2160 wrote to memory of 1848	2160	Umbral.exe	34
PID 2540 wrote to memory of 928	2540	SolaroB.exe	37
PID 2540 wrote to memory of 928	2540	SolaroB.exe	37
PID 2540 wrote to memory of 928	2540	SolaroB.exe	37
PID 2540 wrote to memory of 1796	2540	SolaroB.exe	38
PID 2540 wrote to memory of 1796	2540	SolaroB.exe	38
PID 2540 wrote to memory of 1796	2540	SolaroB.exe	38
PID 928 wrote to memory of 320	928	SolaroB.exe	39
PID 928 wrote to memory of 320	928	SolaroB.exe	39
PID 928 wrote to memory of 320	928	SolaroB.exe	39
PID 928 wrote to memory of 932	928	SolaroB.exe	40
PID 928 wrote to memory of 932	928	SolaroB.exe	40
PID 928 wrote to memory of 932	928	SolaroB.exe	40
PID 1796 wrote to memory of 2188	1796	Umbral.exe	41
PID 1796 wrote to memory of 2188	1796	Umbral.exe	41
PID 1796 wrote to memory of 2188	1796	Umbral.exe	41
PID 320 wrote to memory of 2184	320	SolaroB.exe	43
PID 320 wrote to memory of 2184	320	SolaroB.exe	43
PID 320 wrote to memory of 2184	320	SolaroB.exe	43
PID 320 wrote to memory of 876	320	SolaroB.exe	44
PID 320 wrote to memory of 876	320	SolaroB.exe	44
PID 320 wrote to memory of 876	320	SolaroB.exe	44
PID 2184 wrote to memory of 1228	2184	SolaroB.exe	45
PID 2184 wrote to memory of 1228	2184	SolaroB.exe	45
PID 2184 wrote to memory of 1228	2184	SolaroB.exe	45
PID 2184 wrote to memory of 572	2184	SolaroB.exe	46
PID 2184 wrote to memory of 572	2184	SolaroB.exe	46
PID 2184 wrote to memory of 572	2184	SolaroB.exe	46
PID 876 wrote to memory of 1160	876	Umbral.exe	47
PID 876 wrote to memory of 1160	876	Umbral.exe	47
PID 876 wrote to memory of 1160	876	Umbral.exe	47
PID 1228 wrote to memory of 496	1228	SolaroB.exe	49
PID 1228 wrote to memory of 496	1228	SolaroB.exe	49
PID 1228 wrote to memory of 496	1228	SolaroB.exe	49
PID 1228 wrote to memory of 3052	1228	SolaroB.exe	50
PID 1228 wrote to memory of 3052	1228	SolaroB.exe	50
PID 1228 wrote to memory of 3052	1228	SolaroB.exe	50
PID 496 wrote to memory of 1888	496	SolaroB.exe	51
PID 496 wrote to memory of 1888	496	SolaroB.exe	51
PID 496 wrote to memory of 1888	496	SolaroB.exe	51
PID 496 wrote to memory of 1664	496	SolaroB.exe	52
PID 496 wrote to memory of 1664	496	SolaroB.exe	52
PID 496 wrote to memory of 1664	496	SolaroB.exe	52
PID 3052 wrote to memory of 1700	3052	Umbral.exe	53

C:\Users\Admin\AppData\Local\Temp\Solaro.exe
"C:\Users\Admin\AppData\Local\Temp\Solaro.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:928
      - C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        10⤵
        Executes dropped EXE
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        11⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        12⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        13⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        14⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        15⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        16⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        17⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        18⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        19⤵
        Executes dropped EXE
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        20⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        21⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        22⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        23⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        24⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        25⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        26⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        27⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        28⤵
        Executes dropped EXE
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        29⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        30⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        31⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        32⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        33⤵
        Executes dropped EXE
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        34⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        35⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        36⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        37⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        38⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        39⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        40⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        41⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        42⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        43⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        44⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        45⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        46⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        47⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        48⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        49⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        50⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        51⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        52⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        53⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        54⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        55⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        56⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        57⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        58⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        59⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        60⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        61⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        62⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        63⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        64⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        65⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        66⤵
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        67⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        68⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        69⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        70⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        71⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        72⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        72⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        71⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        70⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        69⤵
        
        PID:2824
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        70⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        68⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        67⤵
        
        PID:2144
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        68⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        66⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        65⤵
        
        PID:1904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        66⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        64⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        63⤵
        
        PID:1776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        64⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        62⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        61⤵
        
        PID:2460
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        62⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        60⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        59⤵
        
        PID:944
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        60⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        58⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        57⤵
        
        PID:2856
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        56⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        55⤵
        
        PID:2356
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        54⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        53⤵
        
        PID:1796
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        54⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        52⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        51⤵
        
        PID:2112
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        50⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        49⤵
        
        PID:2772
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        48⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        47⤵
        
        PID:1780
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        46⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        45⤵
        
        PID:1828
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        46⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        44⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        43⤵
        
        PID:2964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        41⤵
        
        PID:108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        42⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        
        PID:596
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        
        PID:572
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        38⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        
        PID:1168
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        35⤵
        
        PID:1172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        34⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        34⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        Executes dropped EXE
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        31⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        29⤵
        Executes dropped EXE
        
        PID:1752
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        27⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        Executes dropped EXE
        
        PID:2068
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Executes dropped EXE
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Executes dropped EXE
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Executes dropped EXE
        
        PID:2608
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        8⤵
        
        PID:1160
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Executes dropped EXE
        
        PID:932
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:2396
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:2620
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SolaroB.exe

Filesize
416KB

MD5
61c0431f9f53ae84d9907354c08c997d

SHA1
e2bc204b091c5bd391261fecdc5e5c81e2d7c129

SHA256
cade9d8c77eaf397cf2fd28e0bab0becc79a66b2c6a9d338e2d8411d62e757b2

SHA512
950ffd12606be726374241977e8094a992b5a91afbf841eca1f7f43e8f2d3bddac743ff03a18700570a399db4b6f324fd79213d53c1c523bf375f5ecaf16d6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
230KB

MD5
d5a61fff058c6015802f7dc8c75684d1

SHA1
60170c1a41b778c17ba886b7f6ec71c1ab6cfd44

SHA256
3e0d91b0c5b67446c6fcbb9f30d079dd54381d6fdea2cec74f4dcc0e2334b155

SHA512
537b85584a931a7984fccbc62a41c92d406c399212d9b25fdac39b14e12f0d82be67583c88d1b70bf9c0a8c0cf2d5a7c6fcfbf83332bf251e2afe3767232338d

Download Submit
memory/108-167-0x00000000008A0000-0x00000000008E0000-memory.dmp

Filesize
256KB

Download
memory/572-163-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/868-114-0x0000000000060000-0x00000000000A0000-memory.dmp

Filesize
256KB

Download
memory/876-51-0x0000000000D80000-0x0000000000DC0000-memory.dmp

Filesize
256KB

Download
memory/944-203-0x0000000000CF0000-0x0000000000D30000-memory.dmp

Filesize
256KB

Download
memory/1168-159-0x0000000001310000-0x0000000001350000-memory.dmp

Filesize
256KB

Download
memory/1172-155-0x0000000000F30000-0x0000000000F70000-memory.dmp

Filesize
256KB

Download
memory/1308-96-0x0000000001020000-0x0000000001060000-memory.dmp

Filesize
256KB

Download
memory/1560-151-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/1752-143-0x0000000000100000-0x0000000000140000-memory.dmp

Filesize
256KB

Download
memory/1776-211-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/1780-179-0x0000000001150000-0x0000000001190000-memory.dmp

Filesize
256KB

Download
memory/1796-42-0x00000000010A0000-0x00000000010E0000-memory.dmp

Filesize
256KB

Download
memory/1796-191-0x00000000009C0000-0x0000000000A00000-memory.dmp

Filesize
256KB

Download
memory/1828-175-0x00000000008E0000-0x0000000000920000-memory.dmp

Filesize
256KB

Download
memory/1852-147-0x0000000000F70000-0x0000000000FB0000-memory.dmp

Filesize
256KB

Download
memory/1904-215-0x0000000000E20000-0x0000000000E60000-memory.dmp

Filesize
256KB

Download
memory/2004-69-0x0000000000FF0000-0x0000000001030000-memory.dmp

Filesize
256KB

Download
memory/2068-123-0x00000000013B0000-0x00000000013F0000-memory.dmp

Filesize
256KB

Download
memory/2112-187-0x0000000001100000-0x0000000001140000-memory.dmp

Filesize
256KB

Download
memory/2144-219-0x00000000009F0000-0x0000000000A30000-memory.dmp

Filesize
256KB

Download
memory/2156-87-0x0000000000820000-0x0000000000860000-memory.dmp

Filesize
256KB

Download
memory/2156-139-0x0000000000920000-0x0000000000960000-memory.dmp

Filesize
256KB

Download
memory/2160-14-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/2356-195-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Filesize
256KB

Download
memory/2444-105-0x0000000000160000-0x00000000001A0000-memory.dmp

Filesize
256KB

Download
memory/2460-207-0x0000000001120000-0x0000000001160000-memory.dmp

Filesize
256KB

Download
memory/2608-78-0x0000000001360000-0x00000000013A0000-memory.dmp

Filesize
256KB

Download
memory/2644-132-0x0000000000D40000-0x0000000000D80000-memory.dmp

Filesize
256KB

Download
memory/2772-15-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2772-183-0x0000000000FE0000-0x0000000001020000-memory.dmp

Filesize
256KB

Download
memory/2772-10-0x0000000000A90000-0x0000000000AFE000-memory.dmp

Filesize
440KB

Download
memory/2772-19-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2824-223-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

Filesize
256KB

Download
memory/2856-199-0x0000000000F40000-0x0000000000F80000-memory.dmp

Filesize
256KB

Download
memory/2880-16-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-4-0x000007FEF5F10000-0x000007FEF68FC000-memory.dmp

Filesize
9.9MB

Download
memory/2880-0-0x000007FEF5F13000-0x000007FEF5F14000-memory.dmp

Filesize
4KB

Download
memory/2880-1-0x0000000000C50000-0x0000000000CD6000-memory.dmp

Filesize
536KB

Download
memory/2964-171-0x0000000000390000-0x00000000003D0000-memory.dmp

Filesize
256KB

Download
memory/3052-60-0x0000000000AB0000-0x0000000000AF0000-memory.dmp

Filesize
256KB

Download