umbral | 808fc30e9ed9cf43a86b6608fc9c5f5c28443d51207f30d06cf88c0081b54e18

Analysis

max time kernel
347s
max time network
358s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
12/04/2025, 15:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

solara.exe
Size

2.8MB
MD5

84c1cc9f977f79b4820bcb8f236fce20
SHA1

88d879456a7f075760525824dcc8b2de7bbe6f13
SHA256

808fc30e9ed9cf43a86b6608fc9c5f5c28443d51207f30d06cf88c0081b54e18
SHA512

66b98b55c9d36b27a0f96eba539b820450ba552deacc323dabfbe4db936eb5ad4c57cb8683e10570212ce1b6ea9f04adeaecd9f41618e4625f78bc5b87f3f65c
SSDEEP

49152:N5wRNpPAI7CYItONjnwsp61qLJa2uQzdqYoqDLdS96A4zDziq2EJLFp2C/XHYQ/:NaRvROYEQEqFajKoqDLgMAI2KLmC/XHv

Score

10^/10

umbral bootkit defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x00080000000241dd-7.dat	family_umbral
behavioral2/memory/4308-22-0x000001CF08620000-0x000001CF08660000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4092	powershell.exe
1068	powershell.exe
4556	powershell.exe
4500	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
940	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	MBR2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	MatrixMBR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	solara.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	Server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\International\Geo\Nation	tmp6D87.tmp.COM

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\58ef1cb24ef99d0cdb9aa4d818c79b63.exe	Server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\58ef1cb24ef99d0cdb9aa4d818c79b63.exe	Server.exe

Executes dropped EXE 64 IoCs

pid	Process
4308	Umbral.exe
4728	Server.exe
5004	BootstrapperNew.exe
2124	Server.exe
3040	Server.exe
2896	Server.exe
5976	Server.exe
5636	Server.exe
1052	Server.exe
4936	Server.exe
3768	Server.exe
4964	Server.exe
5052	Server.exe
5156	Server.exe
4940	Server.exe
4156	Server.exe
5108	Server.exe
3320	Server.exe
3576	Server.exe
3544	Server.exe
5380	Server.exe
4816	Server.exe
2744	Server.exe
6024	Server.exe
6020	Server.exe
4444	Server.exe
4508	Server.exe
2324	Server.exe
2768	Server.exe
2504	Server.exe
4712	Server.exe
4128	Server.exe
5312	Server.exe
3612	Server.exe
748	Server.exe
5288	Server.exe
5304	Server.exe
4460	Server.exe
5724	Server.exe
4408	Server.exe
2944	Server.exe
3220	Server.exe
4060	Server.exe
5916	Server.exe
3148	Server.exe
3132	Server.exe
3948	Server.exe
6028	Server.exe
3628	Server.exe
3888	Server.exe
1952	Server.exe
244	Server.exe
4136	Server.exe
5560	Server.exe
4472	Server.exe
2452	Server.exe
2012	Server.exe
4368	Server.exe
3008	Server.exe
1176	Server.exe
4036	Server.exe
5596	Server.exe
5240	Server.exe
3712	Server.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\58ef1cb24ef99d0cdb9aa4d818c79b63 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\58ef1cb24ef99d0cdb9aa4d818c79b63 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	discord.com
26	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MBR.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\MatrixMBR.exe	MBR2.exe
File opened for modification	C:\Windows\System32\MatrixMBR.exe	MBR2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GDI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROLL2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROLL5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5808	wmic.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4092	powershell.exe
4092	powershell.exe
1068	powershell.exe
1068	powershell.exe
4556	powershell.exe
4556	powershell.exe
5164	powershell.exe
5164	powershell.exe
4500	powershell.exe
4500	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4308	Umbral.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	5164	powershell.exe
Token: SeIncreaseQuotaPrivilege	232	wmic.exe
Token: SeSecurityPrivilege	232	wmic.exe
Token: SeTakeOwnershipPrivilege	232	wmic.exe
Token: SeLoadDriverPrivilege	232	wmic.exe
Token: SeSystemProfilePrivilege	232	wmic.exe
Token: SeSystemtimePrivilege	232	wmic.exe
Token: SeProfSingleProcessPrivilege	232	wmic.exe
Token: SeIncBasePriorityPrivilege	232	wmic.exe
Token: SeCreatePagefilePrivilege	232	wmic.exe
Token: SeBackupPrivilege	232	wmic.exe
Token: SeRestorePrivilege	232	wmic.exe
Token: SeShutdownPrivilege	232	wmic.exe
Token: SeDebugPrivilege	232	wmic.exe
Token: SeSystemEnvironmentPrivilege	232	wmic.exe
Token: SeRemoteShutdownPrivilege	232	wmic.exe
Token: SeUndockPrivilege	232	wmic.exe
Token: SeManageVolumePrivilege	232	wmic.exe
Token: 33	232	wmic.exe
Token: 34	232	wmic.exe
Token: 35	232	wmic.exe
Token: 36	232	wmic.exe
Token: SeIncreaseQuotaPrivilege	232	wmic.exe
Token: SeSecurityPrivilege	232	wmic.exe
Token: SeTakeOwnershipPrivilege	232	wmic.exe
Token: SeLoadDriverPrivilege	232	wmic.exe
Token: SeSystemProfilePrivilege	232	wmic.exe
Token: SeSystemtimePrivilege	232	wmic.exe
Token: SeProfSingleProcessPrivilege	232	wmic.exe
Token: SeIncBasePriorityPrivilege	232	wmic.exe
Token: SeCreatePagefilePrivilege	232	wmic.exe
Token: SeBackupPrivilege	232	wmic.exe
Token: SeRestorePrivilege	232	wmic.exe
Token: SeShutdownPrivilege	232	wmic.exe
Token: SeDebugPrivilege	232	wmic.exe
Token: SeSystemEnvironmentPrivilege	232	wmic.exe
Token: SeRemoteShutdownPrivilege	232	wmic.exe
Token: SeUndockPrivilege	232	wmic.exe
Token: SeManageVolumePrivilege	232	wmic.exe
Token: 33	232	wmic.exe
Token: 34	232	wmic.exe
Token: 35	232	wmic.exe
Token: 36	232	wmic.exe
Token: SeIncreaseQuotaPrivilege	1888	wmic.exe
Token: SeSecurityPrivilege	1888	wmic.exe
Token: SeTakeOwnershipPrivilege	1888	wmic.exe
Token: SeLoadDriverPrivilege	1888	wmic.exe
Token: SeSystemProfilePrivilege	1888	wmic.exe
Token: SeSystemtimePrivilege	1888	wmic.exe
Token: SeProfSingleProcessPrivilege	1888	wmic.exe
Token: SeIncBasePriorityPrivilege	1888	wmic.exe
Token: SeCreatePagefilePrivilege	1888	wmic.exe
Token: SeBackupPrivilege	1888	wmic.exe
Token: SeRestorePrivilege	1888	wmic.exe
Token: SeShutdownPrivilege	1888	wmic.exe
Token: SeDebugPrivilege	1888	wmic.exe
Token: SeSystemEnvironmentPrivilege	1888	wmic.exe
Token: SeRemoteShutdownPrivilege	1888	wmic.exe
Token: SeUndockPrivilege	1888	wmic.exe
Token: SeManageVolumePrivilege	1888	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5996 wrote to memory of 4308	5996	solara.exe	87
PID 5996 wrote to memory of 4308	5996	solara.exe	87
PID 5996 wrote to memory of 4728	5996	solara.exe	88
PID 5996 wrote to memory of 4728	5996	solara.exe	88
PID 5996 wrote to memory of 4728	5996	solara.exe	88
PID 5996 wrote to memory of 5004	5996	solara.exe	89
PID 5996 wrote to memory of 5004	5996	solara.exe	89
PID 4308 wrote to memory of 4092	4308	Umbral.exe	90
PID 4308 wrote to memory of 4092	4308	Umbral.exe	90
PID 4308 wrote to memory of 1068	4308	Umbral.exe	93
PID 4308 wrote to memory of 1068	4308	Umbral.exe	93
PID 4308 wrote to memory of 4556	4308	Umbral.exe	95
PID 4308 wrote to memory of 4556	4308	Umbral.exe	95
PID 4308 wrote to memory of 5164	4308	Umbral.exe	97
PID 4308 wrote to memory of 5164	4308	Umbral.exe	97
PID 4308 wrote to memory of 232	4308	Umbral.exe	100
PID 4308 wrote to memory of 232	4308	Umbral.exe	100
PID 4308 wrote to memory of 1888	4308	Umbral.exe	103
PID 4308 wrote to memory of 1888	4308	Umbral.exe	103
PID 4308 wrote to memory of 3568	4308	Umbral.exe	105
PID 4308 wrote to memory of 3568	4308	Umbral.exe	105
PID 4308 wrote to memory of 4500	4308	Umbral.exe	107
PID 4308 wrote to memory of 4500	4308	Umbral.exe	107
PID 4308 wrote to memory of 5808	4308	Umbral.exe	109
PID 4308 wrote to memory of 5808	4308	Umbral.exe	109
PID 4728 wrote to memory of 940	4728	Server.exe	112
PID 4728 wrote to memory of 940	4728	Server.exe	112
PID 4728 wrote to memory of 940	4728	Server.exe	112
PID 4952 wrote to memory of 2124	4952	cmd.exe	118
PID 4952 wrote to memory of 2124	4952	cmd.exe	118
PID 4952 wrote to memory of 2124	4952	cmd.exe	118
PID 2116 wrote to memory of 3040	2116	cmd.exe	119
PID 2116 wrote to memory of 3040	2116	cmd.exe	119
PID 2116 wrote to memory of 3040	2116	cmd.exe	119
PID 5556 wrote to memory of 2896	5556	cmd.exe	125
PID 5556 wrote to memory of 2896	5556	cmd.exe	125
PID 5556 wrote to memory of 2896	5556	cmd.exe	125
PID 916 wrote to memory of 5976	916	cmd.exe	126
PID 916 wrote to memory of 5976	916	cmd.exe	126
PID 916 wrote to memory of 5976	916	cmd.exe	126
PID 1588 wrote to memory of 5636	1588	cmd.exe	131
PID 1588 wrote to memory of 5636	1588	cmd.exe	131
PID 1588 wrote to memory of 5636	1588	cmd.exe	131
PID 2452 wrote to memory of 1052	2452	cmd.exe	132
PID 2452 wrote to memory of 1052	2452	cmd.exe	132
PID 2452 wrote to memory of 1052	2452	cmd.exe	132
PID 4988 wrote to memory of 4936	4988	cmd.exe	139
PID 4988 wrote to memory of 4936	4988	cmd.exe	139
PID 4988 wrote to memory of 4936	4988	cmd.exe	139
PID 1692 wrote to memory of 3768	1692	cmd.exe	140
PID 1692 wrote to memory of 3768	1692	cmd.exe	140
PID 1692 wrote to memory of 3768	1692	cmd.exe	140
PID 3520 wrote to memory of 4964	3520	cmd.exe	145
PID 3520 wrote to memory of 4964	3520	cmd.exe	145
PID 3520 wrote to memory of 4964	3520	cmd.exe	145
PID 628 wrote to memory of 5052	628	cmd.exe	146
PID 628 wrote to memory of 5052	628	cmd.exe	146
PID 628 wrote to memory of 5052	628	cmd.exe	146
PID 4484 wrote to memory of 5156	4484	cmd.exe	152
PID 4484 wrote to memory of 5156	4484	cmd.exe	152
PID 4484 wrote to memory of 5156	4484	cmd.exe	152
PID 2376 wrote to memory of 4940	2376	cmd.exe	153
PID 2376 wrote to memory of 4940	2376	cmd.exe	153
PID 2376 wrote to memory of 4940	2376	cmd.exe	153

C:\Users\Admin\AppData\Local\Temp\solara.exe
"C:\Users\Admin\AppData\Local\Temp\solara.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5996
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5164
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:232
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:3568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:4500
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:5808
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:940
- - C:\Users\Admin\AppData\Local\Temp\tmp6D87.tmp.COM
    "C:\Users\Admin\AppData\Local\Temp\tmp6D87.tmp.COM"
    3⤵
    - Checks computer location settings
    PID:5600
  - - C:\Users\Admin\AppData\Local\Temp\MBR2.exe
      "C:\Users\Admin\AppData\Local\Temp\MBR2.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      PID:3708
    - - C:\Windows\System32\MatrixMBR.exe
        
        "C:\Windows\System32\MatrixMBR.exe"
        5⤵
        Checks computer location settings
        
        PID:2028
      - C:\Users\Admin\AppData\Local\Temp\GDI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GDI.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:840
      - C:\Users\Admin\AppData\Local\Temp\MBR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MBR.exe"
        6⤵
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\TROLL5.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4664
  - - C:\Users\Admin\AppData\Local\Temp\TROLL2.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL2.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3416
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  PID:5004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5556
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3520
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:628
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:4940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:884
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2540
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2688
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1640
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1268
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4748
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3260
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2620
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2616
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3692
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5976
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2984
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:2768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:6080
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3672
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5888
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:680
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4108
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:8
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1464
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4964
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3244
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2024
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3904
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:4408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5992
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:2944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3344
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:768
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5608
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:232
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:676
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1780
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1924
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4176
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1916
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3300
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1416
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3040
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3848
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4464
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3636
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4744
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4860
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3196
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:1176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5652
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:4036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:8
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4736
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2856
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:6008
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2804
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4836
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5768
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:2148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3788
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5928
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5804
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2112
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4600
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5284
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3948
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:1048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2356
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:428
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:4644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:664
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4176
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3336
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3144
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:3164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2556
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2312
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x49c
1⤵
PID:4744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2432
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6044

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log

Filesize
319B

MD5
824ba7b7eed8b900a98dd25129c4cd83

SHA1
54478770b2158000ef365591d42977cb854453a1

SHA256
d182dd648c92e41cd62dccc65f130c07f0a96c03b32f907c3d1218e9aa5bda03

SHA512
ae4f3a9673711ecb6cc5d06874c587341d5094803923b53b6e982278fa64549d7acf866de165e23750facd55da556b6794c0d32f129f4087529c73acd4ffb11e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
09c38bf09493920e93b25f37f1ae4efe

SHA1
42e5d800056f08481870c4ca2d0d48181ca8edc8

SHA256
37874b332a80efcccee52825b3d71d1faaae3820e09b47c3f161628bf35cc255

SHA512
91eacaafc2cd9f80338302d6b3cc3a1aa957752f63a449fb2c1ebcac2bcc59fd8624d4e042c488b5fbe73b881da86c9de819d500de8c7eb6bc0d3951a2bf9123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ac057a92f4b62d8880169af0693ef5b2

SHA1
66e7c7834c5dae5cec863ccd69403150d05841f4

SHA256
7cef55990e8e6cfe07e1965b303e79ac562cdc128ab82edf480d9873f72bb3ed

SHA512
d525f47da9e61fc87e55aca6b34e776be3ed081b719bbbb5256705a6afe5fdd4c16d5ee595af13994e2718f789f5fd32830331347d97b029c031c9dfe30c7f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9ead98795a15fa750acd5f87ae6ae1f6

SHA1
66b6ae852480d1d1fcd3b4f550a20bc9bfc0c421

SHA256
8932692c95a4511e3729e77d6afae5098361b7cb862977a486315f2ac43a5151

SHA512
7904e0988f7faaac095ebd8e1b2ac86b977e15dc4a0426a6f9450bcf7172a2ce1d53f026c3b6c5dc0447784ff552255f6ad21d185c507f5e954c217537d350e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
fbee0d4f2c131cf32d5d79447f766486

SHA1
af64ecdc9097cc8114140c712f523261a9e3e690

SHA256
97fe27ebd171a5c7e6d9841cf71aeaa44ddcff01450bfc6b5cc6d8f67fed94f5

SHA512
38b7f63991ae443727b347a361438316498f2473933ccb0b372308dc20597203ec7f826c925aa84ba00047702ce598829d9f6b455cb33e6ea3d3cc6ac854fe46

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe

Filesize
3.4MB

MD5
07b2ed9af56f55a999156738b17848df

SHA1
960e507c0ef860080b573c4e11a76328c8831d08

SHA256
73427b83bd00a8745e5182d2cdb3727e654ae9af5e42befc45903027f6606597

SHA512
3a982d1130b41e6c01943eee7fa546c3da95360afdad03bff434b9211201c80f22bd8bf79d065180010bc0659ee1e71febbfd750320d95811ee26a54ee1b34c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GDI.exe

Filesize
11KB

MD5
c08ae6d9c6ecd7e13f827bf68767785f

SHA1
e71c2ec8d00c1e82b8b07baee0688b0a28604454

SHA256
e153def894c867923dd56a7025b7b0b7bd3ee37c801a5957201d39f999bb28bf

SHA512
c28bbe8abc66ad2433e5a3b93a4601b28225e86cb4bff077fd3224adfa63164bebfa3002a42b1cb4cb3c7ccad0208f8b143b8a17099bea04fcb964e667c7a1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR.exe

Filesize
93KB

MD5
d2fc66cf781a2497fceb4041a93cc676

SHA1
480b1aa31b0b31fc0e0833afbba06533ab9a90ee

SHA256
acddde9514e3b9d5c40b3d1750af5f4187c99f8987b027d6da44fb6bcf79b3ca

SHA512
6c4cb42f786301be7614d4cb0b32601fea151351b0877e2371632435eb2c54bd4cd04d6b23bf4f49017ccaf679331162aac7329a1ed2409e3c2e02d0326e3487

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR2.exe

Filesize
205KB

MD5
3dc0e225f886bae3b655cd9d738ed32f

SHA1
abda127fd477bd9d051cd57b16ac13f44030a9ae

SHA256
c22e2419f04fe03a92255a139ca8814697962e86d191a1d4171788fd0c903f68

SHA512
c8a6c0bfa96defde6f83d847583ff2ec065a43f80f9886259a2d1fe7df306ef6ed7aeed61b7dcf0bdc111fc67419eb66cf1ca44e831711dd4ea7d25ed9aed09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
32KB

MD5
c30d7d561c7cd145687cfec82a8dc436

SHA1
6cd3cc34b5074a8b25a1d1b605d56ed9b0bc4203

SHA256
d467702296dbb5c5f84db6ffa8373684b429997c0ea3f1e2c88365250239bf01

SHA512
f8f1c5aaca62a20dd9342491a9d82571c8c280807dd61c9bd91d035436651115fce371bed4cab19af325b4b956b36fcd4ec93cccb433229438047947078260c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL2.exe

Filesize
105KB

MD5
52a2a5517deb1a06896891a35299ce20

SHA1
badcbdfef312bd71de997a7416ee20cee5d66af6

SHA256
dcdf5140bc51db27f3aec80ae9a66a57aad446a2522904d288770e8d8cde8cee

SHA512
7cb0de412c0508f5af522aeaf3731dda418f72f7cae8dd3f21b34d5cdbc08f9dea8699d59878610496c68d687227a0269739221490d70d03b8e4b84dfd29d5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL5.exe

Filesize
712KB

MD5
542a4e400ff233b21a1a3c27751ac783

SHA1
000a67f00b0003531d65a6ed6f16488ae5dcd0fe

SHA256
79f00c7dab0891824136539fabd542c74e26cbed94b9add3f1aa7f793d653de6

SHA512
8335118ca0c268635d9495b331fb65800a32a0631f132cd34ce84ca3b523d0a9e23eee6d76539d0c81d86fda534da56c936914012d8bad35040b15cc8caaf645

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
dcd9253fa3b14afa8d8e636315517897

SHA1
37fcf6a0b4b67e99ad6b4e2c51f0fab9f0874052

SHA256
83fa6a1e67c9ecd7ec68e905c4474274340b96b718da2dbab29cc7fcc4c3e414

SHA512
6cdc1cb0795a2ce33c377141b643b969da1ac7b9708a348115cfe89522f605c99b2f8c3f5cbe08059af0fae1e1a44e9cf05728de7fc50aeb8a78d813e7d80758

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5q25l2ty.pgx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\MatrixMBR.exe

Filesize
250KB

MD5
24c441662c09b94e14a4096a8e59c316

SHA1
11576cad137bd8ed76efecd711c0390fe5c85292

SHA256
339fe94164952a8454e6ec5fc75e2c38baade2c14b231e47bf41989ffbb55ee4

SHA512
7f6ca1366733c5fb4925001c0846510732031a9e5f1b16291ff596187c20a88f41193389cedcb73e3928c318fc972be4f03e3cb71f1487c34642897ff9a2b590

Download Submit
memory/840-261-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

Filesize
32KB

Download
memory/2028-244-0x0000000000D30000-0x0000000000D76000-memory.dmp

Filesize
280KB

Download
memory/3416-241-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3708-218-0x0000000000A30000-0x0000000000A6A000-memory.dmp

Filesize
232KB

Download
memory/4092-54-0x00000188C5850000-0x00000188C5872000-memory.dmp

Filesize
136KB

Download
memory/4308-137-0x00007FF8AF3F0000-0x00007FF8AFEB1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-82-0x000001CF08B10000-0x000001CF08B2E000-memory.dmp

Filesize
120KB

Download
memory/4308-119-0x000001CF0A430000-0x000001CF0A442000-memory.dmp

Filesize
72KB

Download
memory/4308-118-0x000001CF08B40000-0x000001CF08B4A000-memory.dmp

Filesize
40KB

Download
memory/4308-39-0x00007FF8AF3F0000-0x00007FF8AFEB1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-37-0x00007FF8AF3F0000-0x00007FF8AFEB1000-memory.dmp

Filesize
10.8MB

Download
memory/4308-22-0x000001CF08620000-0x000001CF08660000-memory.dmp

Filesize
256KB

Download
memory/4308-80-0x000001CF22E10000-0x000001CF22E86000-memory.dmp

Filesize
472KB

Download
memory/4308-81-0x000001CF22D90000-0x000001CF22DE0000-memory.dmp

Filesize
320KB

Download
memory/4664-229-0x0000000005B00000-0x00000000060A4000-memory.dmp

Filesize
5.6MB

Download
memory/4664-228-0x0000000000B10000-0x0000000000BC8000-memory.dmp

Filesize
736KB

Download
memory/4664-230-0x0000000005460000-0x00000000054F2000-memory.dmp

Filesize
584KB

Download
memory/4664-231-0x0000000005530000-0x000000000553A000-memory.dmp

Filesize
40KB

Download
memory/4728-141-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download
memory/4728-42-0x0000000000E50000-0x0000000000E60000-memory.dmp

Filesize
64KB

Download
memory/5004-52-0x000002B3196F0000-0x000002B319700000-memory.dmp

Filesize
64KB

Download
memory/5004-58-0x000002B332B20000-0x000002B332B2A000-memory.dmp

Filesize
40KB

Download
memory/5004-63-0x000002B332B30000-0x000002B332B3A000-memory.dmp

Filesize
40KB

Download
memory/5004-40-0x000002B3176F0000-0x000002B317A60000-memory.dmp

Filesize
3.4MB

Download
memory/5004-53-0x000002B3365D0000-0x000002B3365D8000-memory.dmp

Filesize
32KB

Download
memory/5004-59-0x000002B332C80000-0x000002B332CA6000-memory.dmp

Filesize
152KB

Download
memory/5004-62-0x000002B332CB0000-0x000002B332CBA000-memory.dmp

Filesize
40KB

Download
memory/5004-60-0x000002B332CC0000-0x000002B332CC8000-memory.dmp

Filesize
32KB

Download
memory/5004-61-0x000002B332CD0000-0x000002B332CE6000-memory.dmp

Filesize
88KB

Download
memory/5004-64-0x000002B332D00000-0x000002B332D08000-memory.dmp

Filesize
32KB

Download
memory/5004-57-0x000002B332B80000-0x000002B332C80000-memory.dmp

Filesize
1024KB

Download
memory/5004-55-0x000002B332B40000-0x000002B332B78000-memory.dmp

Filesize
224KB

Download
memory/5004-56-0x000002B332B10000-0x000002B332B1E000-memory.dmp

Filesize
56KB

Download
memory/5600-198-0x0000000002D80000-0x0000000002E64000-memory.dmp

Filesize
912KB

Download
memory/5600-197-0x00000000009F0000-0x0000000000ADC000-memory.dmp

Filesize
944KB

Download
memory/5996-0-0x00007FF8AF3F3000-0x00007FF8AF3F5000-memory.dmp

Filesize
8KB

Download
memory/5996-41-0x00007FF8AF3F0000-0x00007FF8AFEB1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-3-0x00007FF8AF3F0000-0x00007FF8AFEB1000-memory.dmp

Filesize
10.8MB

Download
memory/5996-1-0x0000000000B10000-0x0000000000DE6000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads