umbral | 808fc30e9ed9cf43a86b6608fc9c5f5c28443d51207f30d06cf88c0081b54e18

Analysis

max time kernel
344s
max time network
353s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
12/04/2025, 15:24

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

solara.exe
Size

2.8MB
MD5

84c1cc9f977f79b4820bcb8f236fce20
SHA1

88d879456a7f075760525824dcc8b2de7bbe6f13
SHA256

808fc30e9ed9cf43a86b6608fc9c5f5c28443d51207f30d06cf88c0081b54e18
SHA512

66b98b55c9d36b27a0f96eba539b820450ba552deacc323dabfbe4db936eb5ad4c57cb8683e10570212ce1b6ea9f04adeaecd9f41618e4625f78bc5b87f3f65c
SSDEEP

49152:N5wRNpPAI7CYItONjnwsp61qLJa2uQzdqYoqDLdS96A4zDziq2EJLFp2C/XHYQ/:NaRvROYEQEqFajKoqDLgMAI2KLmC/XHv

Score

10^/10

umbral bootkit defense_evasion discovery execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral4/files/0x001a00000002b23b-7.dat	family_umbral
behavioral4/memory/5880-23-0x0000021A70C80000-0x0000021A70CC0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2304	powershell.exe
2348	powershell.exe
2440	powershell.exe
2128	powershell.exe

Disables Task Manager via registry modification
defense_evasion

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4080	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\58ef1cb24ef99d0cdb9aa4d818c79b63.exe	Server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\58ef1cb24ef99d0cdb9aa4d818c79b63.exe	Server.exe

Executes dropped EXE 64 IoCs

pid	Process
5880	Umbral.exe
5944	Server.exe
1824	BootstrapperNew.exe
1400	Server.exe
2576	Server.exe
2920	Server.exe
1356	Server.exe
1168	Server.exe
5584	Server.exe
3744	Server.exe
6028	Server.exe
3652	Server.exe
6056	Server.exe
6036	Server.exe
4056	Server.exe
4944	Server.exe
5100	Server.exe
5304	Server.exe
2304	Server.exe
6068	Server.exe
4756	Server.exe
3700	Server.exe
1920	Server.exe
3356	Server.exe
6004	Server.exe
5984	Server.exe
3400	Server.exe
5740	Server.exe
3892	Server.exe
3064	Server.exe
3540	Server.exe
4064	Server.exe
3028	Server.exe
6128	Server.exe
4160	Server.exe
4032	Server.exe
5528	Server.exe
4416	Server.exe
4476	Server.exe
4612	Server.exe
4728	Server.exe
4540	Server.exe
764	Server.exe
5364	Server.exe
2304	Server.exe
3900	Server.exe
768	Server.exe
5932	Server.exe
3476	Server.exe
4232	Server.exe
424	Server.exe
4212	Server.exe
1992	Server.exe
2000	Server.exe
3080	Server.exe
3676	Server.exe
5668	Server.exe
1172	Server.exe
4668	Server.exe
1280	Server.exe
5172	Server.exe
2864	Server.exe
5596	Server.exe
5528	Server.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Run\58ef1cb24ef99d0cdb9aa4d818c79b63 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\58ef1cb24ef99d0cdb9aa4d818c79b63 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Server.exe\" .."	Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	discord.com
5	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MBR.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\MatrixMBR.exe	MBR2.exe
File opened for modification	C:\Windows\System32\MatrixMBR.exe	MBR2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GDI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROLL5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2052	wmic.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2304	powershell.exe
2304	powershell.exe
2348	powershell.exe
2348	powershell.exe
2440	powershell.exe
2440	powershell.exe
4568	powershell.exe
4568	powershell.exe
2128	powershell.exe
2128	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5880	Umbral.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeIncreaseQuotaPrivilege	5892	wmic.exe
Token: SeSecurityPrivilege	5892	wmic.exe
Token: SeTakeOwnershipPrivilege	5892	wmic.exe
Token: SeLoadDriverPrivilege	5892	wmic.exe
Token: SeSystemProfilePrivilege	5892	wmic.exe
Token: SeSystemtimePrivilege	5892	wmic.exe
Token: SeProfSingleProcessPrivilege	5892	wmic.exe
Token: SeIncBasePriorityPrivilege	5892	wmic.exe
Token: SeCreatePagefilePrivilege	5892	wmic.exe
Token: SeBackupPrivilege	5892	wmic.exe
Token: SeRestorePrivilege	5892	wmic.exe
Token: SeShutdownPrivilege	5892	wmic.exe
Token: SeDebugPrivilege	5892	wmic.exe
Token: SeSystemEnvironmentPrivilege	5892	wmic.exe
Token: SeRemoteShutdownPrivilege	5892	wmic.exe
Token: SeUndockPrivilege	5892	wmic.exe
Token: SeManageVolumePrivilege	5892	wmic.exe
Token: 33	5892	wmic.exe
Token: 34	5892	wmic.exe
Token: 35	5892	wmic.exe
Token: 36	5892	wmic.exe
Token: SeIncreaseQuotaPrivilege	5892	wmic.exe
Token: SeSecurityPrivilege	5892	wmic.exe
Token: SeTakeOwnershipPrivilege	5892	wmic.exe
Token: SeLoadDriverPrivilege	5892	wmic.exe
Token: SeSystemProfilePrivilege	5892	wmic.exe
Token: SeSystemtimePrivilege	5892	wmic.exe
Token: SeProfSingleProcessPrivilege	5892	wmic.exe
Token: SeIncBasePriorityPrivilege	5892	wmic.exe
Token: SeCreatePagefilePrivilege	5892	wmic.exe
Token: SeBackupPrivilege	5892	wmic.exe
Token: SeRestorePrivilege	5892	wmic.exe
Token: SeShutdownPrivilege	5892	wmic.exe
Token: SeDebugPrivilege	5892	wmic.exe
Token: SeSystemEnvironmentPrivilege	5892	wmic.exe
Token: SeRemoteShutdownPrivilege	5892	wmic.exe
Token: SeUndockPrivilege	5892	wmic.exe
Token: SeManageVolumePrivilege	5892	wmic.exe
Token: 33	5892	wmic.exe
Token: 34	5892	wmic.exe
Token: 35	5892	wmic.exe
Token: 36	5892	wmic.exe
Token: SeIncreaseQuotaPrivilege	3564	wmic.exe
Token: SeSecurityPrivilege	3564	wmic.exe
Token: SeTakeOwnershipPrivilege	3564	wmic.exe
Token: SeLoadDriverPrivilege	3564	wmic.exe
Token: SeSystemProfilePrivilege	3564	wmic.exe
Token: SeSystemtimePrivilege	3564	wmic.exe
Token: SeProfSingleProcessPrivilege	3564	wmic.exe
Token: SeIncBasePriorityPrivilege	3564	wmic.exe
Token: SeCreatePagefilePrivilege	3564	wmic.exe
Token: SeBackupPrivilege	3564	wmic.exe
Token: SeRestorePrivilege	3564	wmic.exe
Token: SeShutdownPrivilege	3564	wmic.exe
Token: SeDebugPrivilege	3564	wmic.exe
Token: SeSystemEnvironmentPrivilege	3564	wmic.exe
Token: SeRemoteShutdownPrivilege	3564	wmic.exe
Token: SeUndockPrivilege	3564	wmic.exe
Token: SeManageVolumePrivilege	3564	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5580 wrote to memory of 5880	5580	solara.exe	79
PID 5580 wrote to memory of 5880	5580	solara.exe	79
PID 5580 wrote to memory of 5944	5580	solara.exe	80
PID 5580 wrote to memory of 5944	5580	solara.exe	80
PID 5580 wrote to memory of 5944	5580	solara.exe	80
PID 5580 wrote to memory of 1824	5580	solara.exe	81
PID 5580 wrote to memory of 1824	5580	solara.exe	81
PID 5880 wrote to memory of 2304	5880	Umbral.exe	82
PID 5880 wrote to memory of 2304	5880	Umbral.exe	82
PID 5880 wrote to memory of 2348	5880	Umbral.exe	84
PID 5880 wrote to memory of 2348	5880	Umbral.exe	84
PID 5880 wrote to memory of 2440	5880	Umbral.exe	86
PID 5880 wrote to memory of 2440	5880	Umbral.exe	86
PID 5880 wrote to memory of 4568	5880	Umbral.exe	88
PID 5880 wrote to memory of 4568	5880	Umbral.exe	88
PID 5880 wrote to memory of 5892	5880	Umbral.exe	90
PID 5880 wrote to memory of 5892	5880	Umbral.exe	90
PID 5880 wrote to memory of 3564	5880	Umbral.exe	93
PID 5880 wrote to memory of 3564	5880	Umbral.exe	93
PID 5880 wrote to memory of 2356	5880	Umbral.exe	95
PID 5880 wrote to memory of 2356	5880	Umbral.exe	95
PID 5880 wrote to memory of 2128	5880	Umbral.exe	97
PID 5880 wrote to memory of 2128	5880	Umbral.exe	97
PID 5880 wrote to memory of 2052	5880	Umbral.exe	99
PID 5880 wrote to memory of 2052	5880	Umbral.exe	99
PID 5944 wrote to memory of 4080	5944	Server.exe	101
PID 5944 wrote to memory of 4080	5944	Server.exe	101
PID 5944 wrote to memory of 4080	5944	Server.exe	101
PID 828 wrote to memory of 1400	828	cmd.exe	107
PID 828 wrote to memory of 1400	828	cmd.exe	107
PID 828 wrote to memory of 1400	828	cmd.exe	107
PID 1352 wrote to memory of 2576	1352	cmd.exe	108
PID 1352 wrote to memory of 2576	1352	cmd.exe	108
PID 1352 wrote to memory of 2576	1352	cmd.exe	108
PID 6128 wrote to memory of 2920	6128	cmd.exe	113
PID 6128 wrote to memory of 2920	6128	cmd.exe	113
PID 6128 wrote to memory of 2920	6128	cmd.exe	113
PID 3472 wrote to memory of 1356	3472	cmd.exe	114
PID 3472 wrote to memory of 1356	3472	cmd.exe	114
PID 3472 wrote to memory of 1356	3472	cmd.exe	114
PID 3808 wrote to memory of 1168	3808	cmd.exe	119
PID 3808 wrote to memory of 1168	3808	cmd.exe	119
PID 3808 wrote to memory of 1168	3808	cmd.exe	119
PID 1956 wrote to memory of 5584	1956	cmd.exe	120
PID 1956 wrote to memory of 5584	1956	cmd.exe	120
PID 1956 wrote to memory of 5584	1956	cmd.exe	120
PID 3712 wrote to memory of 3744	3712	cmd.exe	125
PID 3712 wrote to memory of 3744	3712	cmd.exe	125
PID 3712 wrote to memory of 3744	3712	cmd.exe	125
PID 5048 wrote to memory of 6028	5048	cmd.exe	126
PID 5048 wrote to memory of 6028	5048	cmd.exe	126
PID 5048 wrote to memory of 6028	5048	cmd.exe	126
PID 1340 wrote to memory of 3652	1340	cmd.exe	131
PID 1340 wrote to memory of 3652	1340	cmd.exe	131
PID 1340 wrote to memory of 3652	1340	cmd.exe	131
PID 2492 wrote to memory of 6056	2492	cmd.exe	132
PID 2492 wrote to memory of 6056	2492	cmd.exe	132
PID 2492 wrote to memory of 6056	2492	cmd.exe	132
PID 2512 wrote to memory of 6036	2512	cmd.exe	137
PID 2512 wrote to memory of 6036	2512	cmd.exe	137
PID 2512 wrote to memory of 6036	2512	cmd.exe	137
PID 5204 wrote to memory of 4056	5204	cmd.exe	138
PID 5204 wrote to memory of 4056	5204	cmd.exe	138
PID 5204 wrote to memory of 4056	5204	cmd.exe	138

C:\Users\Admin\AppData\Local\Temp\solara.exe
"C:\Users\Admin\AppData\Local\Temp\solara.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5580
- C:\Users\Admin\AppData\Local\Temp\Umbral.exe
  "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Umbral.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5892
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:2356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2128
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2052
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:5944
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Server.exe" "Server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4080
- - C:\Users\Admin\AppData\Local\Temp\tmp5F3E.tmp.COM
    "C:\Users\Admin\AppData\Local\Temp\tmp5F3E.tmp.COM"
    3⤵
    PID:5568
  - - C:\Users\Admin\AppData\Local\Temp\MBR2.exe
      "C:\Users\Admin\AppData\Local\Temp\MBR2.exe"
      4⤵
      Drops file in System32 directory
      PID:6120
    - - C:\Windows\System32\MatrixMBR.exe
        
        "C:\Windows\System32\MatrixMBR.exe"
        5⤵
        
        PID:5456
      - C:\Users\Admin\AppData\Local\Temp\GDI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GDI.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1480
      - C:\Users\Admin\AppData\Local\Temp\MBR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MBR.exe"
        6⤵
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4416
  - - C:\Users\Admin\AppData\Local\Temp\TROLL5.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL5.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\TROLL2.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL2.exe"
      4⤵
      PID:4824
- C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe
  "C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe"
  2⤵
  - Executes dropped EXE
  PID:1824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:828
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:6128
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:5204
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5040
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4536
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3664
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:752
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5308
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:6068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4764
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2888
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2180
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4028
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:6004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3080
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:124
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3048
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5876
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4472
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3832
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3256
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5172
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1428
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3460
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:6128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:780
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5860
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1908
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:484
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3596
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3124
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5096
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5832
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2736
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5044
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1088
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3796
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4076
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3536
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3732
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4204
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1888
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  PID:1992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5716
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5568
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5880
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2812
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3540
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3256
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3480
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1512
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:536
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4724
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5336
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4780
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3096
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2376
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3312
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5700
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3208
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:776
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2240
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5052
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4952
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:2736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2348
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3660
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:5480
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1948
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:5328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4492
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:4776
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:1676
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  PID:1888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2812
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2548
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C8 0x00000000000004E0
1⤵
PID:1936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:2236
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Server.exe" ..
1⤵
PID:3352
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  C:\Users\Admin\AppData\Local\Temp\Server.exe ..
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3452

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log

Filesize
319B

MD5
71093f2f2d8fd9daf6bc4bb6a72a5b23

SHA1
7f614257050d90b24ca0f7862724f3d7a9df93fd

SHA256
5da30152f390d2e7e0a801e08502781427e0b499f1d40ae2a1ecf181ef35de8a

SHA512
39e729c10af152d3fa3e382e3976be09074370369805a76b9c0f3dc063c2ce5184e93c1043a81ab82573f768ec0fb6c480ca6848190752b9d2b002c3e319ffa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7332074ae2b01262736b6fbd9e100dac

SHA1
22f992165065107cc9417fa4117240d84414a13c

SHA256
baea84fda6c1f13090b8cbd91c920848946f10ce155ef31a1df4cd453ee7e4aa

SHA512
4ae6f0e012c31ac1fc2ff4a8877ce2b4667c45b6e651de798318a39a2b6fd39a6f72dffa8b0b89b7a045a27d724d195656faa25a9fec79b22f37ddebb5d22da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60a84ea8f3888e51bb0fe4856926a639

SHA1
43848b5a831f8fe7623694b36b17554b83770269

SHA256
5d219511d1091f4dc52ef6664815bcacf013c76b695bf2195aa439a6cc431504

SHA512
f6381deedc9612c96914173d948bd601192256c1b65a6b6be3c6664de84df64fb8740fa0205846e0380305bf5442e52991d134ff94b8edc899775befcc4a86ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
6490e5c0581c173062323b1c20cfd9ff

SHA1
1652893659f99b780fd9733243637eb7795f5212

SHA256
a552b6d7bebb1714f01a5f3d8b5493e1b369c93ee68c62256dfddcc7f3f4fe79

SHA512
fdb077b40b4371a74cb70ae74d28a4433399e5c4a69fe9a5652409a62c2435d3197da42808d5cb65e9b7ff35bc2e593ad70fa83581c7fd672d631b25f53d3c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\BootstrapperNew.exe

Filesize
3.4MB

MD5
07b2ed9af56f55a999156738b17848df

SHA1
960e507c0ef860080b573c4e11a76328c8831d08

SHA256
73427b83bd00a8745e5182d2cdb3727e654ae9af5e42befc45903027f6606597

SHA512
3a982d1130b41e6c01943eee7fa546c3da95360afdad03bff434b9211201c80f22bd8bf79d065180010bc0659ee1e71febbfd750320d95811ee26a54ee1b34c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GDI.exe

Filesize
11KB

MD5
c08ae6d9c6ecd7e13f827bf68767785f

SHA1
e71c2ec8d00c1e82b8b07baee0688b0a28604454

SHA256
e153def894c867923dd56a7025b7b0b7bd3ee37c801a5957201d39f999bb28bf

SHA512
c28bbe8abc66ad2433e5a3b93a4601b28225e86cb4bff077fd3224adfa63164bebfa3002a42b1cb4cb3c7ccad0208f8b143b8a17099bea04fcb964e667c7a1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR.exe

Filesize
93KB

MD5
d2fc66cf781a2497fceb4041a93cc676

SHA1
480b1aa31b0b31fc0e0833afbba06533ab9a90ee

SHA256
acddde9514e3b9d5c40b3d1750af5f4187c99f8987b027d6da44fb6bcf79b3ca

SHA512
6c4cb42f786301be7614d4cb0b32601fea151351b0877e2371632435eb2c54bd4cd04d6b23bf4f49017ccaf679331162aac7329a1ed2409e3c2e02d0326e3487

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR2.exe

Filesize
205KB

MD5
3dc0e225f886bae3b655cd9d738ed32f

SHA1
abda127fd477bd9d051cd57b16ac13f44030a9ae

SHA256
c22e2419f04fe03a92255a139ca8814697962e86d191a1d4171788fd0c903f68

SHA512
c8a6c0bfa96defde6f83d847583ff2ec065a43f80f9886259a2d1fe7df306ef6ed7aeed61b7dcf0bdc111fc67419eb66cf1ca44e831711dd4ea7d25ed9aed09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe

Filesize
32KB

MD5
c30d7d561c7cd145687cfec82a8dc436

SHA1
6cd3cc34b5074a8b25a1d1b605d56ed9b0bc4203

SHA256
d467702296dbb5c5f84db6ffa8373684b429997c0ea3f1e2c88365250239bf01

SHA512
f8f1c5aaca62a20dd9342491a9d82571c8c280807dd61c9bd91d035436651115fce371bed4cab19af325b4b956b36fcd4ec93cccb433229438047947078260c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL2.exe

Filesize
105KB

MD5
52a2a5517deb1a06896891a35299ce20

SHA1
badcbdfef312bd71de997a7416ee20cee5d66af6

SHA256
dcdf5140bc51db27f3aec80ae9a66a57aad446a2522904d288770e8d8cde8cee

SHA512
7cb0de412c0508f5af522aeaf3731dda418f72f7cae8dd3f21b34d5cdbc08f9dea8699d59878610496c68d687227a0269739221490d70d03b8e4b84dfd29d5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL5.exe

Filesize
712KB

MD5
542a4e400ff233b21a1a3c27751ac783

SHA1
000a67f00b0003531d65a6ed6f16488ae5dcd0fe

SHA256
79f00c7dab0891824136539fabd542c74e26cbed94b9add3f1aa7f793d653de6

SHA512
8335118ca0c268635d9495b331fb65800a32a0631f132cd34ce84ca3b523d0a9e23eee6d76539d0c81d86fda534da56c936914012d8bad35040b15cc8caaf645

Download Submit
C:\Users\Admin\AppData\Local\Temp\Umbral.exe

Filesize
229KB

MD5
dcd9253fa3b14afa8d8e636315517897

SHA1
37fcf6a0b4b67e99ad6b4e2c51f0fab9f0874052

SHA256
83fa6a1e67c9ecd7ec68e905c4474274340b96b718da2dbab29cc7fcc4c3e414

SHA512
6cdc1cb0795a2ce33c377141b643b969da1ac7b9708a348115cfe89522f605c99b2f8c3f5cbe08059af0fae1e1a44e9cf05728de7fc50aeb8a78d813e7d80758

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hnussx15.tli.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\MatrixMBR.exe

Filesize
250KB

MD5
24c441662c09b94e14a4096a8e59c316

SHA1
11576cad137bd8ed76efecd711c0390fe5c85292

SHA256
339fe94164952a8454e6ec5fc75e2c38baade2c14b231e47bf41989ffbb55ee4

SHA512
7f6ca1366733c5fb4925001c0846510732031a9e5f1b16291ff596187c20a88f41193389cedcb73e3928c318fc972be4f03e3cb71f1487c34642897ff9a2b590

Download Submit
memory/1480-253-0x0000000000D60000-0x0000000000D68000-memory.dmp

Filesize
32KB

Download
memory/1824-45-0x000001C57F9B0000-0x000001C57F9BE000-memory.dmp

Filesize
56KB

Download
memory/1824-44-0x000001C57F9F0000-0x000001C57FA28000-memory.dmp

Filesize
224KB

Download
memory/1824-50-0x000001C51EA70000-0x000001C51EA86000-memory.dmp

Filesize
88KB

Download
memory/1824-48-0x000001C51EA20000-0x000001C51EA46000-memory.dmp

Filesize
152KB

Download
memory/1824-52-0x000001C51EA10000-0x000001C51EA1A000-memory.dmp

Filesize
40KB

Download
memory/1824-53-0x000001C57F9C0000-0x000001C57F9C8000-memory.dmp

Filesize
32KB

Download
memory/1824-40-0x000001C57F290000-0x000001C57F600000-memory.dmp

Filesize
3.4MB

Download
memory/1824-49-0x000001C51EA60000-0x000001C51EA68000-memory.dmp

Filesize
32KB

Download
memory/1824-47-0x000001C51E300000-0x000001C51E30A000-memory.dmp

Filesize
40KB

Download
memory/1824-46-0x000001C51E910000-0x000001C51EA10000-memory.dmp

Filesize
1024KB

Download
memory/1824-51-0x000001C51EA50000-0x000001C51EA5A000-memory.dmp

Filesize
40KB

Download
memory/1824-42-0x000001C51A130000-0x000001C51A140000-memory.dmp

Filesize
64KB

Download
memory/1824-43-0x000001C57F8A0000-0x000001C57F8A8000-memory.dmp

Filesize
32KB

Download
memory/2304-62-0x000001FF29660000-0x000001FF29682000-memory.dmp

Filesize
136KB

Download
memory/2400-222-0x0000000005300000-0x0000000005392000-memory.dmp

Filesize
584KB

Download
memory/2400-221-0x00000000059E0000-0x0000000005F86000-memory.dmp

Filesize
5.6MB

Download
memory/2400-220-0x0000000000740000-0x00000000007F8000-memory.dmp

Filesize
736KB

Download
memory/2400-223-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/4824-236-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/5456-235-0x00000000008D0000-0x0000000000916000-memory.dmp

Filesize
280KB

Download
memory/5568-189-0x00000000009B0000-0x0000000000A9C000-memory.dmp

Filesize
944KB

Download
memory/5568-190-0x000000001B720000-0x000000001B804000-memory.dmp

Filesize
912KB

Download
memory/5580-1-0x00000000007B0000-0x0000000000A86000-memory.dmp

Filesize
2.8MB

Download
memory/5580-3-0x00007FFD83ED0000-0x00007FFD84992000-memory.dmp

Filesize
10.8MB

Download
memory/5580-41-0x00007FFD83ED0000-0x00007FFD84992000-memory.dmp

Filesize
10.8MB

Download
memory/5580-0-0x00007FFD83ED3000-0x00007FFD83ED5000-memory.dmp

Filesize
8KB

Download
memory/5880-77-0x0000021A73440000-0x0000021A734B6000-memory.dmp

Filesize
472KB

Download
memory/5880-128-0x00007FFD83ED0000-0x00007FFD84992000-memory.dmp

Filesize
10.8MB

Download
memory/5880-36-0x00007FFD83ED0000-0x00007FFD84992000-memory.dmp

Filesize
10.8MB

Download
memory/5880-111-0x0000021A73510000-0x0000021A73522000-memory.dmp

Filesize
72KB

Download
memory/5880-110-0x0000021A734E0000-0x0000021A734EA000-memory.dmp

Filesize
40KB

Download
memory/5880-23-0x0000021A70C80000-0x0000021A70CC0000-memory.dmp

Filesize
256KB

Download
memory/5880-79-0x0000021A733D0000-0x0000021A733EE000-memory.dmp

Filesize
120KB

Download
memory/5880-78-0x0000021A733F0000-0x0000021A73440000-memory.dmp

Filesize
320KB

Download
memory/5944-39-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/5944-132-0x0000000000C80000-0x0000000000C90000-memory.dmp

Filesize
64KB

Download
memory/6120-210-0x0000000000C20000-0x0000000000C5A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads